On September 26, 2024, the Health Infrastructure Security and Accountability Act was introduced in the U.S. Senate. The bill would amend the Health Insurance Portability and Accountability Act (HIPAA) and direct the U.S. Department of Health and Human Services (HHS) to develop new “mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates.” It would further mandate annual cybersecurity audits and stress tests for healthcare entities, with certain waivers for small providers. To fund these new requirements, the bill would remove fine caps for large corporations, fund HHS’s oversight through user fees, and allocate $1.3 billion to hospitals for cybersecurity improvements.
HHS has indicated its backing of the bill, with Deputy Secretary Andrea Palm stating, “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.” At this writing, the American Hospital Association (AHA) has declined to comment on the bill.
One of the bill’s sponsors, Senator Ron Wyden of Oregon, has commented that the bill is necessary because “megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result.” UnitedHealth’s subsidiary Change Healthcare was subject to one of the largest ransomware attacks in America’s history, leading to significant impacts on patients and healthcare providers. The fallout from this ransomware breach continues to be felt across the healthcare industry.
Given that the bill was introduced as Congress concluded its last day of business until the upcoming election, it is unlikely to progress any further during this legislative session. Moreover, depending upon the outcome of the upcoming election, the bill faces an uncertain future. Nevertheless, the healthcare industry is likely to continue to face pressure to improve its cybersecurity standards, whether voluntarily or through legal mandates.