PYMNTS-MonitorEdge-May-2024

Senate Proposal Would Set Minimum Cybersecurity Standards for Healthcare Firms

Nearly eight months after a hacker attack on UnitedHealth Group’s technology unit Change Healthcare roiled the healthcare industry, Capitol Hill has fired a shot across the bow for firms operating across the industry.

A new bill introduced in the U.S. Senate by Democrats Ron Wyden of Oregon and Mark Warner of Virginia would, among other things, set requirements to improve the “availability and resiliency of healthcare information systems and healthcare payments.”

Titled the “Health Infrastructure Security and Accountability Act,” the bill sets security and risk management requirements for healthcare firms and associated entities, and also sets stiff penalties for companies that run afoul of those mandates — while setting what the legislation terms a “user fee” that will support data oversight and regulation.

Change Healthcare, as has been reported, was compromised earlier this year in part because multifactor authentication was not enabled on a server — and the hackers got into the system using stolen credentials.

What’s in the Bill

The bill authorizes the Department of Health and Human Services to conduct audits of at least 20 regulated healthcare firms each year — and if there are violations found, civil penalties can be levied, and statutory caps would be removed.

The audits would include stress testing and security risk analyses “including information regarding the manner and extent to which …[an] entity or associate is exposed to risk through its business associates.”

In reference to the modernization and digitization of healthcare firms’ practices, the HHS secretary will be tasked, beginning in fiscal year 2028, to “identify enhanced cybersecurity practices … that address the safe use of digital data … and address high-risk cybersecurity vulnerabilities.” There is particular mention of ensuring that healthcare transactions can proceed without disruption.

Standards — and Who Pays

The bill would seek to bring mandatory cybersecurity standards to an industry that the senators said had been lacking, and HHS has not conducted a cybersecurity audit since 2017. Part of the issue lies with funding, said the legislators, and in addition to $800 million “in up-front investment payments to rural and urban safety net hospitals and $500 million to all hospitals to adopt enhanced cybersecurity standard,” there is also a user fee that will be a percentage of the “pro rata” share of the revenues to national health expenditures.

Entities running afoul of the documentation and audit requirements, or the minimum security standards, may incur civil fines of as much as $5,000 per day. Individuals who knowingly submit false documentation could face criminal penalties: fines of as much as $1 million and a jail term of as long as 10 years.

In an interview with PYMNTS, Intellicheck CEO Bryan Lewis said one step in battling compromised credentials can be tied to verifying the authenticity of government-issued IDs, as account takeovers are gaining momentum and are relatively easy to set in motion, particularly as data thefts like the United Healthcare breach have exposed the details of millions of individuals.

“We are at about four times the level of data that has been breached this year to date compared to last year,” Lewis told PYMNTS CEO Karen Webster. “So, it is definitely a problem.”