Healthcare , Industry Specific , Legislation & Litigation

Healthcare Cyber Bill Calls for 'Corporate Accountability'

Senate Bill Would Mean Cyber Funding for Hospitals, Prison Time for Lying CEOs
Healthcare Cyber Bill Calls for 'Corporate Accountability'
Image: Getty Images

A pair of Democrat senators are proposing stricter security mandates for healthcare sector entities. The bill provides funding to help hospitals adopt enhanced requirements, but it lifts the cap on HIPAA enforcement fines and holds top executives accountable with threats of financial penalties and prison time for falsely attesting their organizations' compliance in security audits.

See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience

The Health Infrastructure Security and Accountability Act, unveiled on Thursday by Senate Finance Committee Chair Ron Wyden, D-Ore., and Sen. Mark Warner, D-Va., is the latest - but most sweeping - of several bills introduced into Congress this year that aim to bolster healthcare sector cybersecurity - especially following the massively disruptive cyberattack on Change Healthcare in February.

Unlike some of the other recent healthcare cybersecurity proposals introduced by lawmakers that have bipartisan sponsorship, the Wyden-Warner bill does not yet have a Republican co-sponsor (see: CISA, HHS Would Team Up in Health Sector Under House Bill).

In any case, the likelihood of the Wyden-Warner bill - or any of the other proposed bills - gaining traction during election season is probably pretty low, some experts said.

"I’m not confident this legislation will move out of committee due to the current political and geopolitical issues facing the sponsors of the bill and all legislators," said Todd Weber, vice president of professional services at security firm Semperis.

Meanwhile, the U.S. Department of Health and Human Services is already working on proposed rulemaking expected by year-end to modify the HIPAA Security Rule and strengthen the cybersecurity of electronic protected health information (see: They're Back: HHS OCR Plans to Resurrect Random HIPAA Audits).

HHS also is also working on related regulations that would mandate certain essential and enhanced cybersecurity performance goals for healthcare sector entities - mostly likely hospitals - that could be tied to Medicare payments (see: Feds Wave Sticks, Carrots at Health Sector to Bolster Cyber).

“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety," Warner said in a statement.

Wyden-Warner Proposals

Under the Wyden-Warner bill, HHS is required to adopt enhanced minimum security requirements within two years "to protect health information, protect patient safety, and ensure the availability and resiliency of healthcare information systems and healthcare transactions."

The minimum standards would apply to all covered organizations and business associates, while the enhanced security requirements would pertain to covered entities and business associates that are "of systemic importance," or are important to national security, as determined by HHS and CISA.

The bill also proposes mandatory security audits, including HHS annually auditing the data security practices of at least 20 covered entities or business associates. In selecting organizations for audit, HHS "shall consider whether the entity is of systemic importance, complaints made with respect to the data security practices, and history of previous violations."

Failure by covered entities and business associates to comply with the auditing requirements "would be subject to fines no greater than $5,000 per day, and criminal penalties for whoever knowingly submits a report containing false information."

Also, the bill creates civil money penalties for violations of security standards and requirements ranging from $500 for "no knowledge" of the noncompliance to $250,000 for willful neglect uncorrected.

The bill also aims to "increase corporate accountability" by requiring top executives to annually certify compliance with the requirements. "Congress already requires execs to sign off on financial statements, as part of Sarbanes-Oxley, and it is a felony to lie to the government," said a fact sheet about the Wyden-Warner bill.

Under the legislation, individuals who "submit, or causes to be submitted, any documentation or report required of a covered entity or business associate" related to the mandatory security compliance audits would face fines of up to $1 million and/or imprisonment for up to 10 years, if convicted.

“The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy," Wyden said in a statement. "These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among healthcare companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system," he said.

If anything, the bill is again putting a spotlight on critical healthcare cybersecurity issues, some experts said.

"I think that this proposal in the bill will guarantee that cybersecurity is a standing agenda item on all board of directors meetings," said Toby Gouker, chief security officer of government and clinical innovation at consulting firm First Health Advisory.

The bill's other proposals include providing $800 million in up-front investment payments over two years for 2,000 rural and urban safety net hospitals to adopt essential cybersecurity standard; and $500 million to incentivize all hospitals to adopt enhanced cybersecurity practices.

Hospitals would be subject to a Medicare payment penalty if they do not adopt these enhanced practices after two years.

"Unfortunately, I do think that consequential fines will make boards, CEOs and CFOs pay more attention to the risks that not addressing cybersecurity present," said former healthcare CIO David Finn, executive vice president of governance, risk and compliance at First Health Advisory.

"Change Health, Ascension, and the CrowdStrike outages have created a lot of discussion about controls, third-party risk, and the massive operational and financial impacts of 'shutting down,'" he said.

"At the end of the day, you either pay to do security up front, or you pay after the event to fix it. Fixing things after an outage will always cost more than doing it correctly and addressing your security and resiliency before you are dependent on some new technology."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.