
Senate Bill Targets Healthcare Cybersecurity Vulnerabilities

New legislation introduced in the U.S. Senate would require the Department of Health and Human Services (HHS) to establish minimum cybersecurity standards for the healthcare sector, along with serious penalties for healthcare organizations that fail to comply with the proposed rules.

Introduced by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., the Health Infrastructure Security and Accountability Act would create “tough” standards for healthcare providers, health plans, clearinghouses, business associates, and “systematically important entities and entities important for national security.”

“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Sen. Wyden said in a statement. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.”

“These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system,” the senator said.

Under the legislation, healthcare entities would be required to file annual cybersecurity reports and stress tests, and HHS would be directed to audit key entities yearly. Those healthcare entities could face up to $5,000 per day in fines if they fail to provide documentation and meet reporting and auditing requirements, according to the bill’s language.

In addition to setting forth new requirements, the legislation also would amend the Health Insurance Portability and Accountability Act by removing fine caps for large corporations so that “large enough fines” can be levied to “deter lax cybersecurity,” the senators said.

Additional stipulations include codifying the acceleration of Medicare payments by the HHS secretary during cyber disruptions and providing $1.3 billion in funding for cybersecurity improvements in hospitals. The funding would focus on “low-resource hospitals in rural and urban areas.”

“Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyberattacks and ensure patient safety,” Andrea Palm, deputy secretary of HHS, said in a statement supporting the legislation. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.”