In a significant move to enhance cybersecurity across the healthcare sector, Senators Ron Wyden (D-Ore.) and Mark Warner (D-Va.) have introduced the Health Infrastructure Security and Accountability Act. According to TechTarget, this new legislation seeks to establish essential minimum cybersecurity standards that healthcare providers, health plans, clearinghouses, and business associates must adhere to in order to strengthen security across the healthcare ecosystem.
A key aspect of the proposed bill is its aim to eliminate the current cap on fines under the Health Insurance Portability and Accountability Act (HIPAA). Lawmakers argue that this cap hinders the Department of Health and Human Services (HHS) from imposing substantial fines that could deter large corporations from neglecting robust cybersecurity practices.
The bill’s introduction follows the recent Change Healthcare cyberattack, which highlighted vulnerabilities in the U.S. healthcare system and placed providers in precarious financial situations. “Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden stated in a press release.
Warner emphasized the dire state of cybersecurity in healthcare, asserting, “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.” He described the proposed reforms as “commonsense” measures that could not only strengthen cybersecurity among healthcare companies but also introduce penalties, including potential jail time for executives who mislead the government about their cybersecurity practices.
Read more: Mastercard to Acquire Cybersecurity Firm Recorded Future for $2.65 Billion
The Health Infrastructure Security and Accountability Act outlines several key provisions that address ongoing cybersecurity concerns in the healthcare sector. One of its central mandates requires the HHS secretary to develop and implement minimum and enhanced security requirements within two years. The minimum standards would apply to all healthcare entities nationwide, while enhanced standards would target organizations deemed critical to national security or of systemic importance.
In addition to establishing these standards, the bill mandates that covered entities and business associates conduct annual independent security audits and stress tests to evaluate their capacity to recover from cybersecurity incidents. Furthermore, it requires HHS to perform annual audits on at least 20 regulated entities to assess their data security practices, eliminating statutory caps on fines that HHS can levy.
The bill also promotes corporate accountability by requiring executives to certify their compliance with these standards annually. If enacted, it would give the HHS secretary the authority to provide accelerated Medicare payments in the event of disruptions to the healthcare system, similar to measures taken during the Change Healthcare cyberattack.
To further bolster cybersecurity efforts, the bill allocates $800 million in initial funding for rural and urban safety-net hospitals and an additional $500 million for hospitals nationwide to implement enhanced cybersecurity measures.
Both Wyden and Warner have been vocal proponents of increased cybersecurity standards in healthcare. Warner previously published a policy options paper in November 2022 that addressed prevailing cybersecurity threats in the sector. Following the Change Healthcare incident, Wyden urged investigations by the Federal Trade Commission and the Securities and Exchange Commission into UnitedHealth Group to determine if any federal laws had been violated.
“Cyberattacks on our healthcare institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long-term health,” Warner stated. He underscored the urgency of moving beyond voluntary standards, insisting that healthcare providers and vendors must prioritize cybersecurity and patient safety.
Source: TechTarget
Featured News
Judge Dismisses Antitrust Lawsuit Against Ivy League Over Athletic Scholarships
Oct 11, 2024 by
CPI
FTC and DOJ Revamp Merger Guidelines to Identify Illegal Transactions More Efficiently
Oct 11, 2024 by
CPI
US Consumer Watchdog Eyes Expansion of ‘Junk Fee’ Crackdown Ahead of 2024 Election
Oct 10, 2024 by
CPI
Brazil Proposes Reform to Competition Law Targeting Big Tech
Oct 10, 2024 by
CPI
Meta Enhances User Data Control, Resolving German Antitrust Dispute
Oct 10, 2024 by
CPI
Antitrust Mix by CPI
Antitrust Chronicle® – Refusal to Deal
Sep 27, 2024 by
CPI
Antitrust’s Refusal-to-Deal Doctrine: The Emperor Has No Clothes
Sep 27, 2024 by
Erik Hovenkamp
Why All Antitrust Claims are Refusal to Deal Claims and What that Means for Policy
Sep 27, 2024 by
Ramsi Woodcock
The Aspen Misadventure
Sep 27, 2024 by
Roger Blair & Holly P. Stidham
Refusal to Deal in Antitrust Law: Evolving Jurisprudence and Business Justifications in the Align Technology Case
Sep 27, 2024 by
Timothy Hsieh