Today, Senate Finance Committee Chair Ron Wyden (D-Ore.) and Senator Mark Warner (D-Va.) announced new legislation aimed at bolstering cybersecurity within the U.S. healthcare system. The legislation is a direct response to a surge in cyberattacks targeting healthcare providers, breaching patient privacy, and disrupting care delivery across the nation.
The bill, titled the "Health Infrastructure Security and Accountability Act," aims to improve cybersecurity protocols, strengthen defenses, and enhance information sharing between healthcare organizations and government agencies. It targets hospitals, insurance companies, and healthcare providers by enforcing stricter standards and introducing more robust safeguards to prevent data breaches and ransomware attacks.
"Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result," Senator Wyden said in a U.S. Senate Committee on Finance press release. "The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans' well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system."
The legislation is designed to protect patients' private health information, ensuring that their medical records and personal data are not exposed or exploited by cybercriminals. It also would aid healthcare providers by providing guidance on improving security measures and helping avoid operational disruptions caused by cyberattacks. The legislation could potentially lower costs associated with recovery from breaches and improve public trust in healthcare services.
"Cyberattacks on our health care institutions threaten patients' most private data and delay essential medical care, directly endangering Americans' lives and long-term health," Senator Warner said. "With hacks already targeting institutions across the country, it's time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety. I'm glad to introduce legislation that would mandate sensible cybersecurity protocols while also getting resources to rural and underserved hospitals to ensure they have the funding to meet these new standards."
The bill will go through the legislative process, where it will be debated and potentially amended before being voted on. If passed, healthcare providers will need to implement the new cybersecurity measures, likely with the assistance of government support and private sector partnerships. The legislation also emphasizes the need for coordinated efforts between federal agencies and healthcare institutions to respond more effectively to cyber threats.
"Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyber attacks and ensure patient safety," said Andrea Palm, Deputy Secretary of the Department of Health and Human Services. "Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential. We are grateful for Senator Wyden and Senator Warner's leadership and look forward to continuing to work together on this legislation to strengthen cyber resiliency across our entire health care ecosystem."
Here's a one-page summary of the bill; a section-by-section summary; and the full legislative text.
There have been a slew of disruptions to healthcare organizations in recent years, some crippling systems and causing downstream effects to doctors' offices and pharmacies—ultimately affecting patients and their level of care and service.
In July of this year, UnitedHealth Group, the Minnesota-based health insurance giant, announced its second quarter results, revealing a stark financial impact from the cyberattack on its Change Healthcare subsidiary.
Reported in February of this year: For the last nine months, ordinary consumers, including parents and patients, have found themselves in the crosshairs of cybercriminals—mostly due to ransomware attacks.
Earlier this year, Sen. Wyden proposed the Algorithmic Accountability Act, legislation that would require companies to assess their automated systems for accuracy, bias, and privacy risks. This includes artificial intelligence (AI) and machine learning (ML) systems that are increasingly used in the healthcare industry.