Sens. Warner & Wyden are pushing for healthcare cybersecurity mandates in a new bill

Senate Finance Committee Chairman Ron Wyden, D-Ore., and Sen. Mark Warner, D-Va., have teamed up to announce legislation with “common sense reforms” aimed at combating the growing wave of cyberattacks that are violating Americans’ privacy and causing major disruptions nationwide.

The Health Infrastructure Security and Accountability Act would not only mandate cybersecurity protocols but also increase funding for rural and underserved hospitals to meet new cybersecurity standards, Warner said in a statement Thursday.

WHY IT’S IMPORTANT

If enacted, the reforms proposed in the bill would result in greater oversight of healthcare organizations, which would also pay user fees to fund the new regulatory services.

Warner, who has focused on improving the industry’s cybersecurity posture, has urged the U.S. Department of Health and Human Services to end voluntary cybersecurity requirements and released a 2022 policy document calling for a healthcare cybersecurity czar, said in the statement that he believes voluntary standards do not have the teeth needed to protect patients’ most personal data and continuity of care.

The lawmakers made clear that they believe some of the largest healthcare organizations are “ignoring cybersecurity standards.”

“Mega-companies like UnitedHealth are failing Cybersecurity 101, and American families are suffering as a result,” Wyden said in the statement.

“The healthcare industry has some of the worst cybersecurity practices in the country, despite its critical importance to the well-being and privacy of Americans.”

The Health Infrastructure Security and Accountability Act, according to a fact sheet on the proposed legislation, calls for “enhanced standards” applicable to “systemically important” entities and modernization of HIPAA’s mandatory minimum cybersecurity standards for healthcare providers, health insurance clearinghouses, and business associates.

The bill would also require covered entities and business associates to conduct annual independent cybersecurity audits and follow other measures that ensure they can promptly restore services after an incident — “which HHS may waive for small providers.”

Top executives would be required to certify compliance with the requirements each year, and HHS would be required to “proactively audit the data security practices of at least 20 regulated entities each year.”

The bill also proposes to eliminate statutory limits on HHS’s fine authority, so that mega-corporations, such as UnitedHealth Group, “face fines high enough to deter lax cybersecurity.”

While the additional security oversight and enforcement would be paid for through user fees for all regulated entities, the legislative proposal also provides $800 million for payments for improved cybersecurity standards in rural and urban safety net hospitals and $500 million for all hospitals.

“With hacks already targeting institutions across the country, it is time to go beyond voluntary standards and ensure that healthcare providers and suppliers are serious about cybersecurity and patient safety,” Warner said.

THE BIG TREND

Warner and Wyden’s announcement noted that after the Senate Finance Committee held a hearing in May with UnitedHealth Group CEO Andrew Witty on the February cyberattack against Change Healthcare, a subsidiary of UHG, Wyden called on the Biden administration to investigate the mega-company and hold it responsible for its “lax cybersecurity.”

Witty pledged to rebuild the stricken healthcare payment clearinghouse with cloud-based security. Change Healthcare also did not have multi-factor authentication in place, which left the organization vulnerable to the cyberattack.

In a strategy document released in December, HHS also called for new cybersecurity requirements for hospitals. It also outlined voluntary healthcare-specific cybersecurity performance goals.

“Funding and voluntary targets alone will not achieve the cyber-related behavior change needed in the healthcare sector,” the agency said in an announcement at the time.

Meanwhile, the American Hospital Association has pushed back against proposed strategies that it said would penalize hospitals for cyberattacks.

“No organization, including federal agencies, is or can be immune from cyberattacks,” Rick Pollack, president and CEO of AHA, had told Healthcare IT News.

“Imposing fines or reducing Medicare payments would reduce hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

One example: the Centers for Medicare and Medicaid Services recently sent written notifications of a data breach to 946,801 people after it was caught up, along with a large number of companies in various industries around the world, in an incident involving a vulnerability discovered earlier this year in a third-party application used for file transfers.

CMS said in the letter that protected health information or other personally identifiable information may have been compromised in a cyber breach related to MOVEit software.

ON THE RECORD

“Cybersecurity remains an ever-evolving challenge in our healthcare ecosystem and more must be done to prevent cyberattacks and ensure patient safety,” Andrea Palm, deputy secretary of HHS, said in a statement. “Clear accountability measures and mandatory cybersecurity requirements for all organizations holding sensitive data are essential.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

The HIMSS Healthcare Cybersecurity Forum will take place from October 31 to November 1 in Washington, DC.
