HIPAA Redux: New Bill Proposes Sweeping Security Standards for the Health Care Sector
This Feature Article is brought to you by AHLA's Health Information and Technology Practice Group.
- October 18, 2024
- Michael McLaughlin , Buchanan Ingersoll & Rooney
- Andria Adigwe , Buchanan Ingersoll & Rooney
In recent years, the health care sector has faced increasingly severe cyber threats—both directly and indirectly through vendors—that have compromised patient data and disrupted critical services. In February 2024, for instance, the health care sector was rocked by a ransomware attack on the widely used payment processing company, Change Healthcare, a UnitedHealth Group subsidiary.[1] The attack crippled billing operations nationwide, posing “a direct threat to critically needed patient care and essential operations of the healthcare industry.”[2] The ramifications of this ransomware attack are still being felt.
In response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. HISAA aims to overhaul how health care organizations approach cybersecurity by imposing mandatory minimum security standards and providing financial support to ensure compliance. This article delves into the specifics of the proposed bill, its implications for health care providers, and the broader context of cybersecurity in the health care industry.
Background
As proposed, HISAA seeks to build on the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) and will apply to the same Covered Entities and Business Associates as defined by HIPAA. Previously, these entities were required to maintain reasonable and appropriate “administrative, technical, and physical” safeguards to protect electronic Protected Health Information (e-PHI) under HIPAA’s Security Rule. This standard was designed to be flexible and scalable, allowing entities to tailor those requirements to their specific needs and implement solutions suitable for their environments, considering factors such as size, resources, and nature of the business. As a result, e-PHI stored on interconnected networks is protected by security controls with varying levels of sophistication.
The U.S. Department of Health and Human Services (HHS) has spent considerable time and resources providing guidance to entities on demonstrating sufficient compliance with HIPAA and HITECH. This includes working papers, educational paper series, video training, and outside reference materials from the Federal Trade Commission and National Institute of Standards and Technology.[3] Senators Wyden and Warner have been vocal advocates for improving cybersecurity in health care, criticizing the current voluntary standards as insufficient. The Senators have also criticized health care entities and HHS more broadly for their roles in the existing state of the health care sector’s cybersecurity ecosystem, stating:
“These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners…. HHS has not been appropriately funded to be an effective cop on the beat — it has not conducted a cybersecurity audit since 2017, and has not issued updated regulations under the HIPAA Security Rule since 2013.”[4]
HISAA could bring cohesion to this patchwork of regulations and require entities to stay current with software operating systems and cybersecurity standards.
Key Components of the Proposed Legislation
1. Mandatory Cybersecurity Standards
The bill mandates that all health care providers, health plans, and Business Associates adhere to minimum cybersecurity standards. These standards are designed to secure e-PHI, ensure the resilience of health care systems, and prevent cyber incidents. Enhanced requirements will apply to entities of systemic importance, such as large hospital networks and national health data clearinghouses.
The HHS Secretary will oversee the development and implementation of these standards in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence. The standards will be reviewed and updated every two years to address evolving cyber threats.
2. Annual Audits and Stress Tests
To ensure compliance, health care organizations will be required to conduct their own annual independent cybersecurity audits and document the results. These audits will assess whether organizations meet the prescribed standards and evaluate their ability to restore services after a cyber incident. Health care systems will be required to conduct stress tests to simulate real-world scenarios and evaluate their operational resilience. Smaller providers may be eligible for waivers from certain requirements, recognizing the potential burden on their operations. However, all organizations will need to publicly disclose their compliance status, including whether they meet the enhanced security requirements.
Under HIPAA, HHS will continue to employ its Audit Protocol but will be required to audit the data security practices of at least 20 entities annually and report the results to Congress.
3. Increased Accountability and Penalties
The bill introduces significant penalties for non-compliance, with fines reaching up to $250,000 for willful neglect. Similar to the Sarbanes-Oxley Act, health care executives will be required to certify compliance annually, and providing false information could result in criminal charges, including fines of up to $1 million and imprisonment for up to 10 years.
Additionally, the bill proposes eliminating statutory caps on fines, enabling HHS to impose penalties substantial enough to deter lax cybersecurity practices, especially among large entities.
4. Financial Support for Cybersecurity Enhancements
Recognizing the financial challenges associated with implementing these new standards, the bill allocates $1.3 billion to support hospitals in enhancing their cybersecurity infrastructure. This includes $800 million for rural and safety net hospitals over two years, with an additional $500 million available for all hospitals in subsequent years.
These funds aim to help hospitals adopt essential and enhanced cybersecurity practices, ensuring they are equipped to protect patient data and maintain service continuity in the face of cyber threats.
5. Medicare Payment Adjustments
To further support health care providers, the bill empowers the HHS Secretary to provide accelerated Medicare payments to organizations affected by cybersecurity incidents. HHS saw the benefits of offering accelerated Medicare payments during the Change Healthcare incident, alleviating some financial pressures on the health care industry. HISAA codifies HHS’ authority and ensures that health care providers can maintain financial stability during recovery periods following a cyberattack.
Implications for Health Care Providers
HISAA presents both challenges and opportunities to the health care sector. The bill establishes a baseline that forces entities to maintain proper cybersecurity hygiene. Compliance with the new cybersecurity standards will require significant investment in software and hardware, training, and personnel. Smaller, rural and safety net facilities may face significant financial challenges complying with HISAA.
Providers will need to prioritize implementing robust cybersecurity measures, such as multi-factor authentication, real-time monitoring systems, comprehensive incident response and remediation plans, and conducting tabletop exercises. Regular audits and stress tests will become integral to operations, ensuring readiness to respond to potential cyber incidents.
The financial support offered by this bill can defray some of these costs, helping providers enhance their defenses against cyber threats. However, the initial $800 million allocated to rural and safety net facilities will not be accessible to certain providers who also may not be able to upgrade their cybersecurity systems, such as non-profit organizations and even larger hospitals that are struggling financially. Moreover, proper cybersecurity maintenance is an ongoing endeavor as technology and threats continue to evolve rapidly. A one-time influx of cash may provide immediate relief, but a financial continuation plan is needed to ensure continued success for the sector. This could involve state-sponsored collaboration with the private sector and tax incentives. Furthermore, the government will need to establish a certification program for competent, vetted, and affordable independent auditors that can help entities identify security gaps and provide recommendations on how best to rectify those gaps.
Conclusion
HISAA marks a pivotal moment in the evolution of cybersecurity regulation within the health care sector. Recent attacks on the health care industry have compromised sensitive patient data, disrupted critical services with potentially life-threatening consequences, and impacted the reputations of health care entities. In this highly interconnected world, creating a minimum standard for an entire industry strengthens the proverbial “weakest link” and minimizes the threat of a single cybersecurity incident impacting the entire industry. By imposing mandatory standards and providing financial support, the bill aims to safeguard patient data and ensure the resilience of health care systems against cyber threats.
Health care providers must stay informed and proactive in adapting to these changes, leveraging available resources to fortify their cybersecurity posture. As the bill progresses through the legislative process, providers should engage with policymakers and industry experts to understand its full impact and prepare for its implementation.
The stakes are high, but with the right strategies and support, the health care sector can rise to meet the cybersecurity challenges of the future. The proposed legislation offers a framework for achieving this goal, emphasizing the need for comprehensive, coordinated efforts to protect patient data and ensure the continuity of care.
About the Authors
Michael McLaughlin is co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity & Data Privacy practice group and Principal in the firm’s government relations section. He helps clients navigate the complexities of cybersecurity, data privacy, and the related regulatory landscape.
Andria Adigwe is a Regulatory Health Law and Data Privacy & Cybersecurity attorney at Buchanan Ingersoll & Rooney, and Co-Chair of the E-Health Committee of the New York State Bar Association’s Health Law Section. She assists clients through complex mergers and acquisitions, provides regulatory guidance on operational questions, and advises on data privacy and cybersecurity compliance issues.
[1] Health and Human Services (HHS), Change Healthcare Cybersecurity Incident Frequently Asked Questions, Rev. July 30, 2024, available at https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.
[2] HHS, HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack, March 13, 2024, available at https://www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html.
[3] HHS, Security Rule Guidance Material, Rev. Aug. 21, 2024, available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
[4] Senate Finance Committee, Health Infrastructure Security and Accountability Act, One Pager, available at https://www.finance.senate.gov/imo/media/doc/health_infrastructure_security_and_accountability_act_one-pager.pdf.