Strengthening Healthcare Cybersecurity: The Health Infrastructure Security and Accountability Act
November 14, 2024
According to an article by Kevin Wood at the Winstead firm, the healthcare sector faces escalating cybersecurity challenges, underscored by the recent ransomware attack on Change Healthcare. To bolster healthcare cybersecurity, Senators Ron Wyden and Mark Warner introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. HISAA aims to establish mandatory minimum security standards for healthcare data, supported by initial federal funding.
Currently, HIPAA and HITECH require “reasonable” safeguards for electronic Protected Health Information (e-PHI) without setting minimum security standards. This flexible approach has led to inconsistent protections across interconnected systems, with some organizations considered inadequately safeguarded.
The article notes that HISAA addresses this by proposing several key provisions:
- Mandatory Cybersecurity Standards: HISAA mandates that HHS, CISA, and DNI develop robust cybersecurity standards, updated every two years to counter new threats.
- Annual Audits and Stress Tests: HISAA requires independent audits to assess cybersecurity compliance, recovery abilities, and real-world readiness. Smaller organizations may receive exemptions based on financial hardship.
- Increased Accountability and Penalties: Executive certifications of compliance will be required annually, with potential criminal charges for false information. HISAA would also eliminate penalty caps for severe non-compliance.
- Financial Support: HISAA allocates $1.3 billion for infrastructure support, prioritizing rural and safety-net hospitals.
- Medicare Payment Adjustments: HHS would gain authority to expedite Medicare payments after cybersecurity incidents.
While HISAA aims to standardize healthcare cybersecurity, compliance may pose challenges, especially for smaller entities. Healthcare organizations are encouraged to proactively enhance cybersecurity practices, including encryption, real-time monitoring, and comprehensive training, as they prepare for potential legislative changes.