In a significant move to enhance cybersecurity across the healthcare sector, Senators Ron Wyden (D-Ore.) and Mark Warner (D-Va.) have introduced the Health Infrastructure Security and Accountability Act. According to TechTarget, this new legislation seeks to establish essential minimum cybersecurity standards that healthcare providers, health plans, clearinghouses, and business associates must adhere to in order to strengthen security across the healthcare ecosystem.
A key aspect of the proposed bill is its aim to eliminate the current cap on fines under the Health Insurance Portability and Accountability Act (HIPAA). Lawmakers argue that this cap hinders the Department of Health and Human Services (HHS) from imposing substantial fines that could deter large corporations from neglecting robust cybersecurity practices.
The bill’s introduction follows the recent Change Healthcare cyberattack, which highlighted vulnerabilities in the U.S. healthcare system and placed providers in precarious financial situations. “Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden stated in a press release.
Warner emphasized the dire state of cybersecurity in healthcare, asserting, “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.” He described the proposed reforms as “commonsense” measures that could not only strengthen cybersecurity among healthcare companies but also introduce penalties, including potential jail time for executives who mislead the government about their cybersecurity practices.
Read more: Mastercard to Acquire Cybersecurity Firm Recorded Future for $2.65 Billion
The Health Infrastructure Security and Accountability Act outlines several key provisions that address ongoing cybersecurity concerns in the healthcare sector. One of its central mandates requires the HHS secretary to develop and implement minimum and enhanced security requirements within two years. The minimum standards would apply to all healthcare entities nationwide, while enhanced standards would target organizations deemed critical to national security or of systemic importance.
In addition to establishing these standards, the bill mandates that covered entities and business associates conduct annual independent security audits and stress tests to evaluate their capacity to recover from cybersecurity incidents. Furthermore, it requires HHS to perform annual audits on at least 20 regulated entities to assess their data security practices, eliminating statutory caps on fines that HHS can levy.
The bill also promotes corporate accountability by requiring executives to certify their compliance with these standards annually. If enacted, it would give the HHS secretary the authority to provide accelerated Medicare payments in the event of disruptions to the healthcare system, similar to measures taken during the Change Healthcare cyberattack.
To further bolster cybersecurity efforts, the bill allocates $800 million in initial funding for rural and urban safety-net hospitals and an additional $500 million for hospitals nationwide to implement enhanced cybersecurity measures.
Both Wyden and Warner have been vocal proponents of increased cybersecurity standards in healthcare. Warner previously published a policy options paper in November 2022 that addressed prevailing cybersecurity threats in the sector. Following the Change Healthcare incident, Wyden urged investigations by the Federal Trade Commission and the Securities and Exchange Commission into UnitedHealth Group to determine if any federal laws had been violated.
“Cyberattacks on our healthcare institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long-term health,” Warner stated. He underscored the urgency of moving beyond voluntary standards, insisting that healthcare providers and vendors must prioritize cybersecurity and patient safety.
Source: TechTarget
Featured News
Big Tech Braces for Potential Changes Under a Second Trump Presidency
Nov 6, 2024 by
CPI
Trump’s Potential Shift in US Antitrust Policy Raises Questions for Big Tech and Mergers
Nov 6, 2024 by
CPI
EU Set to Fine Apple in First Major Enforcement of Digital Markets Act
Nov 5, 2024 by
CPI
Six Indicted in Federal Bid-Rigging Schemes Involving Government IT Contracts
Nov 5, 2024 by
CPI
Ireland Secures First €3 Billion Apple Tax Payment, Boosting Exchequer Funds
Nov 5, 2024 by
CPI
Antitrust Mix by CPI
Antitrust Chronicle® – Remedies Revisited
Oct 30, 2024 by
CPI
Fixing the Fix: Updating Policy on Merger Remedies
Oct 30, 2024 by
CPI
Methodology Matters: The 2017 FTC Remedies Study
Oct 30, 2024 by
CPI
U.S. v. AT&T: Five Lessons for Vertical Merger Enforcement
Oct 30, 2024 by
CPI
The Search for Antitrust Remedies in Tech Leads Beyond Antitrust
Oct 30, 2024 by
CPI