Congress Aims to Improve Cybersecurity Standards in Healthcare
On the heels of a tumultuous year for the healthcare industry marked by high-profile data breaches, significant legislative reform could be on the horizon. Senators Ron Wyden and Mark Warner introduced a bill in Congress that would fundamentally alter the Health Insurance Portability and Accountability Act (HIPAA). Titled the Health Infrastructure Security and Accountability Act (HISAA), the bill instructs the Department of Health and Human Services (HHS) to establish minimum cybersecurity requirements for the healthcare industry and provides the Department with greater authority to enforce regulatory compliance.
A Long Time Coming
The federal government’s intent to amend HIPAA should come as no surprise. In fact, the last eighteen months have featured numerous signs that legislative updates were looming.
On March 1, 2023, the Biden Administration released the National Cybersecurity Strategy, which outlined the government’s approach to improving the nation’s cyber defense and securing its digital infrastructure.
Building off the National Cybersecurity Strategy, HHS proposed a new cybersecurity framework for the healthcare sector on December 6, 2023. With an aim to “enhance cyber resiliency in the healthcare sector,” the framework consisted of four pillars of action: (I) the establishment of voluntary cybersecurity goals; (II) the provisioning of resources that would incentivize and implement cybersecurity practices; (III) the implementation of a Department-wide strategy focused on greater enforcement and accountability; and (IV) the expansion and maturation of the Department’s ability to leverage federal government resources around cybersecurity preparedness and response efforts.
On January 24, 2024, HHS published voluntary cybersecurity performance goals (CPGs) for healthcare sector organizations, with Deputy Secretary Andrea Palm stating that “the release [of such goals] is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs.” In February of 2024, UnitedHealthcare subsidiary Change Healthcare experienced a catastrophic ransomware attack that resulted in widespread disruption to healthcare provider operations around the country.
Three months later, UnitedHealth CEO Andrew Witty provided testimony on the attack to the Senate Finance Committee. Senator Wyden, acting as chair of the Senate Finance Committee, pointed to the attack as the perfect example of why “tough cybersecurity standards are necessary to protect critical infrastructure and patients in this country.”
Following the Change hearing, Senator Wyden sent a letter to the Federal Trade Commission and Securities and Exchange Commission, urging both agencies to hold UnitedHealth accountable for negligent cybersecurity practices.
On September 26, 2024, Senator Wyden and Senator Mark Warner unveiled the Health Infrastructure Security and Accountability Act.
What’s in HISAA
The bill’s three primary objectives are to create cybersecurity standards for the industry, establish more clearly defined accountability measures, and equip the Department with greater authority to enforce compliance and provide necessary assistance.
Cybersecurity Standards
Within two years of the law taking effect, the Secretary of HHS would create cybersecurity standards applicable to health care providers, health plans, clearinghouses and business associates. The bill differentiates between “minimum security requirements” and “enhanced security requirements,” with the latter coming into play for covered entities and business associates that are of systematic importance or important to national security. The bill defines systematic importance to mean an instance where a failure of or disruption to a covered entity or business associate would result in a debilitating impact on access to health care or the stability of the health care system (i.e., Change Healthcare). The Department would establish minimum and enhanced security requirements in conjunction with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), taking into account factors such as: the tools and strategies used to target health care entities; the potential harm to national security from the theft of patient health data; harm to patients; and access to care. The Department would review and update the minimum and enhanced security requirements every two years.
Accountability Measures
Between 2016 and 2017, the Department conducted a randomized audit of 207 covered entities and business associates to assess HIPAA compliance efforts. In the seven years since, HHS has not conducted a single audit. HISAA would change that. The bill mandates that the Department audit the data security practices of at least 20 covered entities/business associates per year. Further, the bill would require all covered entities/business associates to conduct both an annual audit via an independent auditor and a “stress test.” The annual third-party audit would assess whether an entity or associate complies with the security requirements. For those entities/associates subject to enhanced security requirements, the law directs these organizations to report their annual audit findings to HHS. The stress test, on the other hand, would evaluate whether an entity or associate has the capabilities and planning processes in place to recover essential functions. The law would also require a company’s Chief Executive Officer and Chief Information Security Officer to provide written attestation of compliance with the security standards and requirements. Collectively, these practices reflect the Department’s new posture on security risk management.
To ensure there is bite to go with bark, HISAA would arm HHS with more punitive authority to levy civil and criminal penalties. Failure to comply with the previously discussed risk management requirements would subject a violating entity/associate to a fine no greater than $5,000 per day. For violations of all other security standards and requirements, HHS would have a new civil penalty structure as follows: a minimum of $500 for no knowledge, $5,000 for reasonable cause, $50,000 for willful neglect that is corrected, and $250,000 for willful neglect that is not corrected. When assessing the appropriate penalty, the Department would consider factors like an entity’s size, compliance history, and good faith efforts to abide by the security requirements. Moreover, HISAA would provide HHS with the ability to charge officers who knowingly submitted documentation containing false information with a felony. Upon conviction, defendants would face a fine of up to one million dollars and/or a prison sentence no greater than 10 years.
Greater Compliance and Assistance Authority
HISAA would authorize the Secretary to charge covered entities and business associates a user fee to support the Department’s data security oversight and enforcement activities. The fee would equal the entity’s pro rata share of national health expenditures. In aggregate, fees collected from all entities could not exceed the lesser of the estimated cost to carry out oversight and enforcement activities or $40 million in fiscal year 2026 and $50 million in 2027, increasing in subsequent years per the consumer price index. Lastly, the bill would authorize HHS to provide Medicare assistance to address cybersecurity standards and incidents. More specifically, HHS would provide $800 million in up-front investment payments to rural and urban safety net hospitals and $500 million to all other hospitals in an effort to ease the financial burden providers would bear when adopting the enhanced cybersecurity standards. The Secretary of HHS would also have the ability to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption, as became necessary when the Change Healthcare incident occurred.
Observations and Closing Thoughts
At this point, there are likely many more twists and turns to come between the bill’s introduction and its potential passage. For one thing, we expect industry trade group the American Hospital Association (AHA) to vehemently oppose many of the core provisions. Just last year AHA President Rick Pollack stated, “AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating crime.” AHA reiterated this same position in a letter to Congressional subcommittees prior to the Change Healthcare hearing, noting, “Enforcing hospital adoption of [mandatory cybersecurity] practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date.”
Some additional observations and predictions to ponder prior to the next iteration of the bill include:
What frameworks (e.g., NIST, ISO and HITRUST) will HHS, DHS, and CISA rely on to establish cybersecurity standards?
Our suspicion is that any eventual cybersecurity requirements would largely be predicated upon the NIST Cybersecurity Framework, as HHS has historically partnered with NIST when providing resources to healthcare entities. With that said, HHS has repeatedly emphasized the HIPAA Security Rule as “flexible, scalable, and technology-neutral.” The HITRUST CSF originated back in 2007 out of a consortium of healthcare leaders and is now widely viewed as an industry best practice. Therefore, it would make sense for HISAA to draw upon many of the same security controls as those found in HITRUST when/if the time does come for HHS, DHS, and CISA to promulgate minimum and enhanced security requirements.
HISAA notably refrains from amending HIPAA’s breach reporting requirements and steers clear of an attempt to harmonize with CIRCIA
In recent years, various agencies have either implemented or updated breach reporting requirements in their corresponding regulations. HISAA neither attempts to update HIPAA’s Breach Notification Rule nor to harmonize with the reporting requirements found in CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CIRCIA requires covered entities to report covered cyber incidents to CISA within 72 hours, prompting healthcare groups to express concern that this will be overly burdensome and duplicative in light of HIPAA’s existing obligations. HISAA’s directive that HHS work with CISA to establish cybersecurity standards bolsters the argument that the agencies should work together to streamline reporting requirements.
HISAA’s proposed criminal penalties for healthcare executives will be vigorously debated and absent from the final version of the bill
In touting the bill, Wyden stressed the need for “commonsense reforms [that] include jail time for CEOs that lie to the government about their cybersecurity.” The one-page summary of the bill points to Sarbanes-Oxley as a law that imposes criminal penalties on CEOs and CFOs who falsely certify corporate financial reports and reports on internal controls. We expect AHA and other industry members like the Healthcare Leadership Council (an association comprised of hospital CEOs and C-suite members from all sectors of healthcare) to lobby significantly against the prospect of healthcare executives facing significant fines and prison sentences. In fact, the Healthcare Leadership Council decried the bill for its “punitive nature.” Our guess is that if HISAA eventually does become law, criminal penalties will be off the table.
***
Have questions about HISAA or how your organization can prepare to comply with more onerous regulatory standards? Contact us today.