
New legislation aimed at improving cybersecurity in healthcare could see leaders at skilled nursing facilities, home health agencies and hospices jailed if they lie about their cybersecurity precautions, according to one of its sponsors.

Senate Finance Committee Chair Ron Wyden (D-OR) and Sen. Mark Warner (D-VA) announced the Health Infrastructure Security and Accountability Act on Thursday. The bill also covers other types of healthcare businesses.

“The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy,” Wyden said. “These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among healthcare companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system.”

The bill would require the US Department of Health and Human Services to develop and enforce a set of minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and their business associates. It also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act.

Further, the bill would authorize HHS to conduct annual audits for compliance and create “serious accountability” for companies that do not meet certain cybersecurity requirements. HHS would be required to proactively audit the data security practices of at least 20 regulated entities each year, “focusing on providers of systemic importance.”

The proposal comes in the wake of a major cyberattack earlier this year on Change Healthcare, the nation’s largest healthcare billing clearinghouse. Its users include 67,000 pharmacies, and much of the early outage attention focused on prescription and pharmacy billing when the attack was identified on Feb. 21. Change reported that the outage had forced about 90% of US pharmacies to use a “modified” electronic claims process or switch to manual submissions.

The legislation would codify the HHS secretary’s authority to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption to the health system, “as was necessary during the Change Healthcare attack.”