Health cybersecurity lapses could lead to big fines, CEO jail time under new legislation
Change Healthcare hack prompts senators to say new rules are needed because ‘megacorporations … are flunking Cybersecurity 101.’
© weerapat1003 - stock.adobe.com
Cybersecurity violations could come with a $250,000 penalty if health care organizations leave “willful neglect uncorrected” in their computer network defenses, according to new legislation.
Meanwhile, the federal government would pledge $1.3 billion to hospitals to bolster their cybersecurity measures.
The new Health Infrastructure Security and Accountability Act was introduced Sept. 26 by Sen. Ron Wyden (D-Oregon), chair of the Senate Finance Committee, and Sen. Mark Warner (D-Virginia). They said the bill would “improve cybersecurity in the American health care system amid a wave of increased cyberattacks that are breaching Americans’ privacy and causing major disruptions to care across the country.”
‘Flunking Cybersecurity 101’
The exact effects were unclear for physicians in private practice. But it aims to spur large health systems and their business partners to augment their cybersecurity.
In their news release, Wyden and Warner noted the Senate Finance Committee this year summoned UnitedHealth Group CEO Andrew Witty to explain this year’s cyberattack against business subsidiary Change Healthcare. The attack jammed payment systems across the nation’s health care system, lasting for weeks, and Wyden has called on the administration of President Joe Biden to hold the company accountable for allowing the attack to happen.
Sen. Ron Wyden (D-Oregon)
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden said in the news release. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.
“These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system,” he said.
‘A jumble of regulations’
Warner, a former tech industry executive, has been a longtime advocate and is co-founder of the Senate Cybersecurity Caucus. In November 2022 he published the policy options paper, “Cybersecurity Is Patient Safety: Policy Options in the Health Care Sector,” and he previously told Medical Economics that federal regulation of health care cybersecurity is a jumble of regulations and oversight.
Sen. Mark R. Warner (D-Virginia)
“Cyberattacks on our health care institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long-term health,” Warner said in the news release. “With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety.
“I’m glad to introduce legislation that would mandate sensible cybersecurity protocols while also getting resources to rural and underserved hospitals to ensure they have the funding to meet these new standards,” he said.
What it does
The bill would remove caps on fines set by the federal Health Insurance Portability and Accountability Act. That scale prevents regulators from issuing fines large enough to deter the megacorporations from ignoring the government’s rules, the senators’ news release said.
The new legislation would increase federal oversight through the U.S. Department of Health and Human Services (HHS), according to the bill’s section by section summary. The department would have two years to adopt new minimum, enhanced security requirements for entities of systemic importance or important to national security. That could include any entity or business where a failure or disruption “would have debilitating impact on access to health care or the stability of the health care system.”
Covered entities would be required to conduct and document security risk analyses or stress tests to examine plans for rapid and orderly resolutions of incidents, according to the bill’s section by section summary.
New standards would be published every two years, and HHS would audit data security practices of at least 20 covered entities a year. New user fees would pay for HHS oversight, with at least $40 million a year dedicated to cybersecurity.
Learn more
Wyden’s office published the text of the bill and a one-page summary.
