Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident earlier this year when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.
In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.
To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks are subject to systems with often different levels of sophistication or protection.
Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.
Key pieces of HISAA, as proposed, include:
- Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
- Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
- Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commiserate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
- Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
- Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.
While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.
Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.