New Healthcare Cybersecurity Legislation Introduced: Understanding HISAA

The Growing Need for Cybersecurity in Healthcare: Understanding HISAA

In today’s digital age, Americans are increasingly aware of cybersecurity incidents, especially in critical sectors like healthcare. The adage that it is not a matter of “if” a breach will occur, but “when,” has never been more relevant. This reality was starkly illustrated earlier this year when Change Healthcare, a subsidiary of UnitedHealth Group, fell victim to a widespread ransomware attack. The incident highlighted vulnerabilities within the healthcare system and prompted investigations by the U.S. Department of Health & Human Services (HHS) and its Office for Civil Rights (OCR). In response to this alarming trend, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024, aiming to bolster cybersecurity measures across the healthcare industry.

The Current Landscape of Healthcare Cybersecurity

Historically, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) have set the groundwork for protecting healthcare information. These regulations require covered entities and business associates to implement reasonable safeguards for electronic Protected Health Information (e-PHI). However, the existing framework lacks specific minimum requirements, leading to a patchwork of security measures that vary significantly across organizations. This inconsistency raises concerns, especially as the regulations have not been updated since 2013, leaving many healthcare organizations vulnerable to evolving cyber threats.

The Introduction of HISAA

Recognizing the inadequacies of the current regulatory framework, Senators Wyden and Warner proposed HISAA to establish mandatory cybersecurity standards for healthcare organizations. The act aims to create a unified approach to data security, ensuring that all entities handling sensitive health information adhere to a baseline of protective measures. HISAA seeks to address the shortcomings of HIPAA and HITECH by introducing specific requirements that organizations must meet to safeguard e-PHI effectively.

Key Provisions of HISAA

HISAA encompasses several critical components designed to enhance cybersecurity in healthcare:

  1. Mandatory Cybersecurity Standards: If enacted, HISAA will empower the Secretary of HHS, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) to develop and enforce mandatory cybersecurity standards. These standards will be reviewed and updated biennially to adapt to the ever-changing threat landscape.

  2. Annual Audits and Stress Tests: HISAA will require healthcare organizations to conduct annual cybersecurity audits, which must be performed by independent entities. These audits will assess compliance, evaluate restoration capabilities, and conduct stress tests through real-world simulations. While smaller organizations may receive waivers from certain requirements, all entities will need to publicly disclose their compliance status.

  3. Increased Accountability and Penalties: The act proposes significant penalties for non-compliance, including criminal charges for executives who provide false certifications of compliance. Penalties could reach up to $1 million, with prison sentences of up to 10 years for serious violations. HISAA aims to eliminate fine caps, allowing HHS to impose penalties that reflect the severity of the breach.

  4. Financial Support for Enhancements: Recognizing the financial burden that new standards may impose, HISAA allocates $1.3 billion to assist healthcare organizations in upgrading their cybersecurity infrastructure. This funding includes $800 million specifically for rural and safety net hospitals in the first two years.

  5. Medicare Payment Adjustments: HISAA also allows the Secretary of HHS to provide accelerated Medicare payments to organizations affected by cybersecurity incidents, codifying similar measures that were implemented during the Change Healthcare attack.

Challenges Ahead

While HISAA aims to establish a robust cybersecurity framework, compliance will require substantial investments in technology, training, and personnel. Smaller and rural healthcare facilities may face significant challenges in meeting these new standards, even with the proposed financial support. Organizations will need to prioritize critical cybersecurity measures, including encryption, multi-factor authentication, real-time monitoring, and comprehensive response plans.

The Path Forward

As HISAA progresses through Congress, it is crucial for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices. Staying informed about potential changes to regulatory requirements will be essential as the landscape evolves. With the introduction of HISAA occurring during a tumultuous election season, stakeholders will need to monitor its development closely as the current Congress concludes in 2024 and a new administration takes office in 2025.

In conclusion, the introduction of HISAA represents a significant step toward enhancing cybersecurity in the healthcare sector. By establishing mandatory standards and increasing accountability, the act aims to protect sensitive health information and ensure that healthcare organizations are prepared to face the challenges posed by cyber threats. As the industry navigates this critical transition, the commitment to robust cybersecurity practices will be paramount in safeguarding the health information of millions of Americans.