Minimum healthcare cybersecurity standards might be on the way

Senators have proposed a bill that would set a floor for cybersecurity protections in HIPAA-covered entities.
By admin
Oct 24, 2024, 2:30 PM

As the healthcare industry starts to come to terms with the magnitude of the Change Healthcare cybersecurity breach, Congress is flexing its legislative muscles to try to ensure that a similar event doesn’t happen again. 

A few weeks after introducing bills in both the House and the Senate to reinforce security-focused collaboration at the federal level, lawmakers are once again using their pens to attempt to shepherd the industry in the right direction. 

Late last month, Senate Finance Committee Chair Ron Wyden, D-OR, and Senator Mark Warner, D-VA, announced legislation that would establish minimum standards for cybersecurity among HIPAA-covered entities, including health care providers, health plans, clearinghouses, and business associates.

The bill would also remove HIPAA’s existing cap on fines, which currently “prevent regulators from issuing fines large enough to deter mega-corporations from ignoring cybersecurity standards,” according to the lawmakers. 

“Mega-corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden said, taking a not-so-subtle jab at Change Healthcare’s parent organization. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.”  

“These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.” 

In addition to revamping the fine structure, the Health Infrastructure Security and Accountability Act would take the following steps to require covered entities to ramp up their cybersecurity defenses: 

  • Modernize HIPAA security requirements by creating mandatory minimum cybersecurity standards, particularly for entities that are “of systemic importance or important to national security,” such as any “covered entity or business associate that the failure of or a disruption to such entity or associate would have a debilitating impact on access to health care or the stability of the health care system.”   
  • Require covered entities and BAs to submit to annual independent cybersecurity audits and “stress tests” to gauge their ability to quickly restore service in the event of an attack. HHS would also be required to proactively audit the data security practices of at least 20 regulated entities per year, with a focus on providers of systemic importance.
  • Increase corporate accountability by requiring top executives to annually certify compliance with the requirements. Inaccurate or false statements would be subject to existing laws that make it a felony to lie to the government.
  • Support HHS’s security oversight and enforcement work through a user fee on all regulated entities that is equal to the entity’s pro rata share of national health expenditures, not to exceed $40 million in fiscal year 2026 and $50 million in 2027. 

In addition, the bill would provide $800 million in up-front investment payments to rural and urban safety net hospitals, as well as an additional $500 for other types of hospitals, to adopt enhanced cybersecurity standards.

Lastly, the proposed legislation would codify the HHS Secretary’s authority to provide advances and/or accelerated Medicare payments to providers in the event of another massively disruptive cybersecurity incident, as the government did during Change Healthcare’s lengthy downtime. 

“Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyberattacks and ensure patient safety,” said Andrea Palm, Deputy Secretary of the Department of Health and Human Services.  

“Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential. We are grateful for Senator Wyden and Senator Warner’s leadership and look forward to continuing to work together on this legislation to strengthen cyber resiliency across our entire health care ecosystem.” 


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.