How the Proposed HISAA Law Could Reshape Cybersecurity Compliance
It’s been a tough year for the healthcare sector. Throughout 2024, cybercriminals have unleashed a barrage of attacks on a vast number of healthcare organizations – with disconcerting levels of success. FBI research revealed that healthcare is now the US’s most targeted industry.
The attack on Change Healthcare, a United Health-owned health tech company, for example, disrupted operations at thousands of hospitals, pharmacies, and physician practices, led to the theft of up to 6TB of sensitive health data, and is thought to have affected around 100 million people.
Although HIPAA’s Security Rule already imposes cybersecurity requirements on the healthcare sector, those requirements don’t go far enough to protect patient data and business operations. As such, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) have introduced new legislation, the Health Infrastructure Security and Accountability Act (HISAA), that could transform the cybersecurity compliance landscape.
Where Has HISAA Come From?
As noted, HISAA has arisen out of an increasingly sophisticated cyber threat landscape, an onslaught of attacks on the healthcare sector, and the inadequacy of current regulations. As the one-pager for HISAA puts it:
“Health care has some of the weakest cybersecurity rules of any federally regulated industry. There are no mandatory cybersecurity standards, and billion-dollar mega-corporations face insignificant fines for lax cybersecurity. HHS has not been appropriately funded to be an effective cop on the beat — it has not conducted a cybersecurity audit since 2017 and has not issued updated regulations under the HIPAA Security Rule since 2013.”
HISAA also reflects increasing geopolitical tumult and the role cyberattacks could play in it. Healthcare is a fundamental part of a nation’s critical infrastructure and, if insecure, could be a significant attack vector for nation-states seeking to harm the United States. The head of the United Nations health agency even recently told the UN Security Council that ransomware attacks on the healthcare sector “pose a direct and systemic risk to global public health and security.”
What Would HISAA Do?
HISAA aims to strengthen cybersecurity in the healthcare sector, addressing the vulnerabilities highlighted by increasing data breaches and ransomware attacks. Key provisions include:
- Mandatory Cybersecurity Standards: HISAA would modernize HIPAA by setting mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses, and their business associates, with enhanced requirements for entities critical to national security.
- Annual Audits and Stress Tests: Covered entities would be required to undergo annual independent cybersecurity audits and stress tests to ensure resilience and quick recovery after incidents. Small providers may qualify for waivers.
- Increased HHS Oversight: The Department of Health and Human Services (HHS) would need to proactively audit at least 20 entities annually, prioritizing systemically important providers.
- Corporate Accountability: Top executives would be required to certify annual compliance with cybersecurity requirements, and there would be penalties for false certifications.
- Elimination of Fine Caps: HISAA would remove statutory caps on HHS fines, allowing significant penalties to deter noncompliance, especially among large corporations.
- Support for HHS and Providers: The Act would fund HHS enforcement via user fees on regulated entities and provide $800 million to safety net hospitals and $500 million to other hospitals for adopting advanced cybersecurity measures.
- Emergency Medicare Payments: HISAA would codify authority for advance Medicare payments during cybersecurity disruptions, such as those experienced in prior attacks.
In short, HISAA would be a genuinely significant overhaul of HIPAA, updating cybersecurity requirements to reflect the modern threat landscape, raising potential noncompliance fines, and improving HHS’s ability to enforce these regulations.
What are the Implications for Healthcare Organizations?
Many organizations will need to make substantial investments in technology, training, and infrastructure upgrades to achieve compliance with HISAA. While smaller organizations may face financial and operational strain, the funding provisions within the legislation aim to alleviate some of these burdens, ensuring that even the most resource-strapped providers can enhance their cybersecurity posture.
HISAA’s corporate accountability measures will likely prompt a shift in executive priorities, bringing cybersecurity out of the shadows and into the boardroom – a shift that cybersecurity experts have long been calling for. Hopefully, this will encourage a proactive rather than reactive approach to cybersecurity.
If implemented effectively, HISAA could also enhance public trust in the American healthcare system. Patients and stakeholders alike would benefit from knowing organizations are protecting their sensitive health data and ensuring uninterrupted care delivery, even in the face of escalating cyber threats.
What are the Broader Implications of HISAA?
Aside from the obvious impacts on healthcare regulations, HISAA could have significant implications for the broader cybersecurity compliance landscape. If the legislation passes and succeeds in reducing healthcare data breaches, lawmakers in the US and elsewhere may seize the opportunity to update cybersecurity regulations for other critical sectors.
The healthcare sector’s vulnerabilities are not unique; other critical industries, such as energy, finance, and transportation, face similar challenges and could benefit from adopting comparable regulatory standards. HISAA’s success might push lawmakers to reexamine outdated cybersecurity policies and enact more stringent protections tailored to modern threats.
All in all, HISAA would be a much-needed and welcome addition to the cybersecurity compliance landscape.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.