In response to several high-profile cybersecurity incidents affecting hospitals and other health care providers, including the Change Healthcare breach, new federal legislation was recently introduced by Senators Ron Wyden (D-OR) and Mark Warner (R-VA).
The health care industry has received intense criticism for perceived weaknesses in cybersecurity protections. As stated in a summary of HISAA prepared by the Senate Finance Committee:
According to the FBI, the health care sector is now the #1 target of ransomware. These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners. Cybersecurity failures have delayed and disrupted patient care, and have harmed patient health and privacy, as well as national security. Despite these high stakes, health care has some of the weakest cybersecurity rules of any federally regulated industry.
The new legislation, the Health Infrastructure Security and Accountability Act (HISAA), would create significant new security requirements applicable to HIPAA Covered Entities and Business Associates designed to address cybersecurity risks, require ongoing risk assessments and audits related to cybersecurity practices, establish new penalties for noncompliance with these requirements and remove the HIPAA statutory caps on such penalties, and create funding incentives and Medicare payment reduction disincentives for entities subject to these requirements.
Summary of HISAA Provisions
New Security Requirements Related to Cybersecurity Risks
- HISAA would require HHS to develop two sets of new regulations: (1) regulations to establish minimum security requirements for all HIPAA Covered Entities and Business Associates, and (2) regulations to establish additional, enhanced security requirements for those HIPAA Covered Entities and Business Associates determined by HHS to be of systematic importance to national security.
- The minimum security requirements and enhanced security requirements would be developed in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence. The minimum security requirements are to be designed to prevent cyber incidents and the harms to Covered Entities, Business Associates, and patients that result from them, while the enhanced security requirements are to be designed to protect against the specific threats faced by those Covered Entities and Business Associates that are of systematic importance to national security.
- HHS would be required to review and update the minimum security requirements and enhanced security requirements at least every two years.
Risk Assessment, Audits, and Reporting Requirements
- HISAA would require each Covered Entity and Business Associate to conduct a cybersecurity risk assessment annually. Requirements of this annual cybersecurity risk assessment would include:
  - Documenting a plan for rapid and orderly resolution in the event of a natural disaster, a disruptive cyber incident, or another technological failure affecting its information systems;
  - Conducting a stress test to evaluate whether the entity has the capabilities and planning necessary to recover essential functions following a cyber incident, natural disaster, or other threat to operations;
  - Documenting revisions to the plans produced in prior annual assessments; and
  - Producing a written statement from the entity’s Chief Executive Officer and Chief Information Security Officer that the entity is in compliance with the security requirements.
- HISAA would require that each Covered Entity or Business Associate contract with an independent auditor to conduct an annual audit to: (1) assess the compliance of the entity with the minimum security requirements and enhanced security requirements as well as the Healthcare and Public Health Sector Cybersecurity Performance Goals established by HHS; (2) identify areas in which the entity did not meet requirements; and (3) certify that the entity has resolved noncompliance or is implementing an appropriate plan to resolve the noncompliance.
- All entities would be required to report the risk assessment and audit information to HHS on the schedule HHS sets; each entity subject to the enhanced security requirements, however, would be required to report this information to HHS at least annually.
- HHS would be required to conduct an audit of at least 20 Covered Entities or Business Associates annually.
Penalties & Fees
- HISAA would establish tiered civil monetary penalties for failure to comply with the new minimum security requirements and enhanced security requirements. Unlike current civil monetary penalties for HIPAA violations, these penalties would not be subject to the statutory maximum limit.
- HISAA would establish civil monetary penalties of up to $5,000 per day for failure to comply with the new risk assessment, audit, and reporting requirements as well as criminal penalties for reporting false information.
- HHS would be authorized to charge fees to Covered Entities and Business Associates to cover the costs of oversight and enforcement of these activities. The total fees could not exceed $40 million in fiscal year 2026 and $50 million in fiscal year 2027, with the cap increasing based on the consumer price index in later years.
Medicare Assistance
- HISAA would provide $800 million to go to critical access hospitals and eligible high-needs hospitals to assist with adoption of cybersecurity practices.
- An additional $500 million would be made available to all hospitals to incentivize adoption of cybersecurity practices. Hospitals would be subject to payment reductions for failing to adopt enhanced cybersecurity practices.
- HISAA would codify the authority of HHS to provide Medicare payments to providers that have significant cash flow problems resulting from unusual circumstances including disruption of claims processing due to a cybersecurity incident.
What It Means for Health Care Entities
While HISAA is designed as a cybersecurity adjunct to the HIPAA Security Rule, applying to the same HIPAA Covered Entities and Business Associates, it would bring an enforcement and oversight structure radically different from HIPAA. Notably, unlike HIPAA, under HISAA: (1) HHS would be required to update the security requirements regularly, at least every two years; (2) Covered Entities and Business Associates would be subject to an annual assessment by an independent auditor as well as potential selection for the government audits HHS would be mandated to conduct on an ongoing basis; and (3) HHS would have authority to charge Covered Entities and Business Associates for the costs of its oversight and enforcement of these activities.
As the fallout of the Change Healthcare breach continues, one of the most significant impacts to the health care sector could be yet to come in the form of increased government oversight as proposed in HISAA.