In response to the significant hacker attack on UnitedHealth Group’s technology unit, Change Healthcare, nearly eight months ago, lawmakers on Capitol Hill are taking action to enhance cybersecurity measures within the healthcare sector.
A new bill introduced in the U.S. Senate by Democratic Senators Ron Wyden of Oregon and Mark Warner of Virginia aims to establish minimum cybersecurity requirements to bolster the “availability and resiliency of healthcare information systems and healthcare payments.”
Named the “Health Infrastructure Security and Accountability Act,” the legislation outlines security and risk management protocols for healthcare organizations and related entities, imposing substantial penalties for non-compliance while instituting a “user fee” to fund data oversight and regulation.
The Change Healthcare breach, which occurred earlier this year, was partly attributed to the absence of multifactor authentication protocols on a server, allowing hackers to infiltrate the system using stolen credentials.
Key Provisions of the Bill
The proposed legislation empowers the Department of Health and Human Services (HHS) to conduct annual audits of at least 20 regulated healthcare organizations. Should violations be identified, civil penalties can be imposed, and statutory caps may be lifted.
These audits will involve stress testing and security risk assessments that evaluate the extent to which healthcare entities and their associates are exposed to risks via their business partners.
As part of the push for modernization and digitization within healthcare practices, the HHS secretary will be tasked starting in fiscal year 2028 with identifying enhanced cybersecurity practices that facilitate the safe use of digital data and address high-risk cybersecurity vulnerabilities. Special emphasis will be placed on ensuring the uninterrupted processing of healthcare transactions.
Establishing Standards and Funding
The bill seeks to impose mandatory cybersecurity standards on an industry that has been criticized for lacking robust protections, particularly since HHS has not conducted a cybersecurity audit since 2017. The legislators have also highlighted funding gaps; the proposal includes $800 million in upfront investment payments for rural and urban safety net hospitals, as well as $500 million for all hospitals to adopt improved cybersecurity standards. Additionally, a user fee will be assessed as a pro rata share of a percentage of national health expenditures.
Organizations that fail to meet documentation and audit requirements or minimum security standards could face civil fines of up to $5,000 per day. Individuals who knowingly submit false documentation may incur criminal penalties of up to $1 million and face potential imprisonment for up to 10 years.
Intellicheck CEO Bryan Lewis noted that addressing compromised credentials is crucial, emphasizing the importance of verifying the authenticity of government-issued IDs. With account takeovers becoming increasingly prevalent and data breaches, like the one at UnitedHealth, exposing millions of personal details, he remarked, “We are currently experiencing about four times the level of data breaches this year compared to last.”