September 27, 2024

Bill aims to strengthen cybersecurity standards for healthcare providers

Editor's Note

The Health Infrastructure Security and Accountability Act, introduced by Senators Ron Wyden (D-Ore.) and Mark Warner (D-Va.), proposes new mandatory cybersecurity standards for the healthcare sector, with oversight from the Department of Health and Human Services (HHS), Nextgov/FCW reported September 26.

The bill, which amends the Health Insurance Portability and Accountability Act (HIPAA), targets healthcare providers, health plans, clearinghouses, and business associates, focusing on national security-related operations, the outlet reports. In response to the recent ransomware attack on UnitedHealth’s Change Healthcare unit, one of the largest cyberattacks in U.S. healthcare history, which disrupted services for millions, the bill requires annual cybersecurity audits for healthcare entities. It also mandates stress tests and removes fine caps for large corporations while providing waivers for smaller providers.

According to the article, the bill allocates $1.3 billion for hospital cybersecurity improvements and empowers HHS to accelerate Medicare payments during cyber disruptions. It further imposes potential jail time for executives found submitting false security information. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence would assist in crafting the new standards.

Cyberattacks on the healthcare sector surged by 128% in 2023, the article notes. HHS supports the legislation.
