Data Breaches, Policy Changes Sound the Alarm for Healthcare Providers, Vendors 

Cherry Joy Robles

Lawmakers have introduced a new bill to strengthen cybersecurity standards and protect patient information in response to high-profile data breaches and ransomware attacks targeting the healthcare sector. The Health Infrastructure Security and Accountability Act (HISAA), sponsored by Senators Ron Wyden and Mark Warner, seeks to address the growing threat cybercriminals pose to the nation’s healthcare infrastructure.

“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety,” Senator Warner said.

The bill would require the Department of Health and Human Services (HHS) to develop new mandatory cybersecurity standards for healthcare providers, health plans, clearinghouses, and business associates. These standards would focus on protecting critical healthcare operations and securing sensitive patient data.

High-profile cyberattacks led to new bill

Cyberattacks on healthcare organizations are surging. A recent HIPAA Journal report revealed an 8.4% increase in data breaches in the first half of 2024 compared to last year.

In particular, the recent ransomware incidents at the Ascension hospital system and UnitedHealth’s Change Healthcare unit prompted HISAA’s filing.

Ascension, one of America’s largest hospital systems, reported a cyberattack in May 2024 that disrupted operations and delayed some non-emergency surgeries, appointments, and tests. The Catholic health system operates 140 hospitals and 40 senior centers across 19 states and Washington, D.C.

Meanwhile, the Change Healthcare attacks in February exposed millions to potential identity theft and disrupted critical services, forcing UnitedHealth CEO Andrew Witty to pay the cyberattackers a $22 million ransom.

These incidents highlighted the vulnerabilities in the sector and the need for more robust cybersecurity measures.

HISAA in detail

The new legislation mandates annual cybersecurity audits and stress tests for healthcare organizations, with waivers for small providers. HISAA also removes fine caps for large corporations and funds HHS oversight through user fees while allocating $800 million to rural and urban safety net hospitals and $500 million to all hospitals for cybersecurity improvements.

Additionally, the bill strengthens HHS’s authority to accelerate Medicare payments during disruptions caused by cyberattacks. Healthcare executives who knowingly file false security documentation can face jail time, emphasizing the need for accountability and transparency.

This legislation addresses the importance of robust cybersecurity by establishing mandatory standards, increasing accountability, and protecting patient information.

Ensuring data security in the meantime

While the full scope of the new standards remains to be seen, healthcare providers and BPO vendors can take proactive steps to strengthen their security posture. Here are a few key actions:

  • Implement strong access controls and multi-factor authentication (MFA) for all user accounts.
  • Encrypt all data in transit and at rest (on servers and in databases) to prevent unauthorized access.
  • Regularly update and patch software and systems.
  • Ensure compliance with data protection regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Conduct regular security awareness training for employees.
  • Develop and test a comprehensive incident response plan.
  • Maintain a robust backup and disaster recovery plan to restore operations quickly in case of a breach or data loss.

By proactively addressing cybersecurity, healthcare providers and vendors can protect patient data and mitigate the risk of costly disruptions.
