Minimum Cybersecurity Standards Proposed in Healthcare Bill

A new bill, the “Health Infrastructure Security and Accountability Act of 2024,” has been introduced in the U.S. Senate to strengthen cybersecurity standards for healthcare information systems. The proposal would impose enforceable security requirements across the healthcare sector, with a focus on protecting health data and on compliance enforcement.

Stricter Security Requirements for Healthcare Entities

The proposed bill calls for minimum cybersecurity standards that all healthcare providers, health plans, and business associates must meet. The Secretary of the Department of Health and Human Services (HHS) is tasked with adopting these standards to protect health information and to ensure the availability and integrity of healthcare transactions. The urgency of such requirements became evident after incidents like the Change Healthcare breach, which showed how a weakness in one system can disrupt the wider healthcare system. Beyond the minimum standards, a set of enhanced security requirements will apply to entities identified as systemically important to national security. Once enacted, the standards will be reviewed and updated every two years to keep pace with evolving cybersecurity risks and trends.

Audits, Reporting, and Penalties

Healthcare providers and their business associates will be required to undergo annual security risk assessments. These assessments must document identified risks, the security measures in place, and plans for addressing any weaknesses found. One notable aspect of the bill is the inclusion of “stress tests,” which evaluate an entity’s ability to recover and maintain operations following a cyber incident. Covered entities will also be subject to independent security compliance audits, with the findings submitted to the Secretary of HHS. If an entity fails to meet the new standards, the bill proposes increased civil and criminal penalties to enforce compliance. Civil fines for non-compliance can reach up to $5,000 per day, and criminal penalties apply for providing false information or willfully failing to meet reporting requirements.

Medicare’s Role in Cybersecurity Practices

The bill includes provisions for Medicare to support cybersecurity improvements. It outlines an incentive program under which eligible hospitals and certain other facilities would receive financial support to adopt new cybersecurity practices. An initial $800 million would be made available to hospitals for adopting the minimum measures, followed by $500 million for adopting the enhanced practices. Payments would be drawn from the Federal Hospital Insurance Trust Fund. When a cyber disruption affects a healthcare entity’s operations, the Secretary of HHS would be authorized to issue accelerated Medicare payments. These payments are intended to help healthcare institutions maintain financial stability and continue providing services despite the operational impact of a cybersecurity incident.

Accountability & HIPAA Fines

The bill seeks to hold healthcare executives accountable for their organization’s cybersecurity compliance. Chief Executive Officers and Chief Information Security Officers (or their equivalents) will be required to sign off on the organization’s compliance statements. Organizations that fail to adhere to the standards may be subject to civil money penalties, and individuals who submit false reports could face imprisonment. Another major proposed change is the removal of the cap on fines under the Health Insurance Portability and Accountability Act (HIPAA). Lawmakers argue that the current limits prevent regulators from imposing penalties large enough to matter to major corporations that neglect cybersecurity. If penalties are substantial enough to affect a corporation’s finances, the organization has a stronger incentive to prioritize its cybersecurity efforts.

The “Health Infrastructure Security and Accountability Act of 2024” is a step toward strengthening healthcare cybersecurity practices and compliance. With mandatory minimum standards for all covered entities and enhanced standards for systemically important ones, the bill aims to protect sensitive health data and hold healthcare entities accountable for their security practices.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related area of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone