There's some big cybersecurity news shaking up the healthcare industry: Senators Ron Wyden (D-OR) and Mark Warner (D-VA) have introduced a bill called the Health Infrastructure Security and Accountability Act. This proposed legislation intends to mandate much more stringent cybersecurity standards across the entire healthcare sector.
Frankly, it's not surprising, given the slew of cyberattacks we've seen over the past year that have exposed glaring vulnerabilities in some of the nation's largest healthcare organizations.
As you probably remember, back in February, UnitedHealth's subsidiary, Change Healthcare, fell victim to a massive ransomware attack. This wasn't just a minor hiccup—it impacted over a third of Americans. People couldn't get their prescriptions filled on time and rural clinics and hospitals faced financial chaos due to unpaid claims.
The kicker? The attackers got in through a server that lacked basic multifactor authentication. For a company of that size, such an oversight is hard to swallow.
"Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result," said Senator Wyden when introducing the bill. He's got a point: Cyberattacks against healthcare organizations have skyrocketed by 128% in 2023 alone, jumping from 113 known victims last year to 258 this year. That's a trend no one wants to see continue.
Senators Wyden and Warner believe these breaches are "entirely preventable" and stem from lax cybersecurity practices. Their proposed bill aims to change the game by introducing mandatory cybersecurity standards, holding healthcare entities accountable for protecting patient data, and keeping critical services running smoothly.
What Does the Health Infrastructure Security and Accountability Act Mean for the Healthcare Industry?
At the heart of the Health Infrastructure Security and Accountability Act (can we just call it HISAA?) is a push for stronger cybersecurity across the board—and more accountability.
Here are some key takeaways:
- Mandatory cybersecurity standards: Healthcare providers, health plans, clearinghouses, and their business associates would need to meet new benchmarks set by the Department of Health and Human Services (HHS). No more optional guidelines—these would be actual requirements.
- Annual audits and stress tests: Organizations would undergo yearly independent cybersecurity audits and stress tests to see how well they can bounce back from cyber incidents.
- Bigger penalties for non-compliance: The bill wants to remove caps on fines for large corporations that don't meet the standards. The idea is to make the penalties sting enough that companies simply can't afford to ignore cybersecurity.
- Executive accountability: Top executives would need to certify compliance every year. If they fudge the details, they could face felony charges and even jail time. (“If you want to see something fixed, make it a C-suite problem,” said Healthcare cybersecurity expert and CISA COVID task force leader Josh Corman.)
- Financial support for compliance: Recognizing that beefing up cybersecurity isn't cheap, the bill allocates $1.3 billion to help hospitals, especially those in rural or underserved areas, upgrade their systems.
Why Is This Happening Now?
The timing of this bill isn't random. The healthcare sector has been under siege from cyber threats, and the consequences have been severe. Patient data—a goldmine for cybercriminals—has been compromised, leading to identity theft, fraud, and a loss of trust in healthcare institutions.
The attack on Change Healthcare wasn’t the only successful major cyber breach of US healthcare in recent memory. Need a quick refresher?
- In September 2020, Universal Health Services (UHS) suffered a massive ransomware attack that disrupted operations across more than 400 facilities and affected patient care nationwide.
- In May 2021, Scripps Health in California was hit by ransomware, which forced system shutdowns, delayed treatments, and compromised the personal data of nearly 150,000 patients.
- In October 2022, CommonSpirit Health, one of the largest nonprofit health systems in the U.S., experienced a cyberattack that led to appointment cancellations and electronic health record downtime across multiple states.
- In June 2023, HCA Healthcare reported a data breach affecting 11 million patients due to unauthorized access.
Senator Warner summed it all up by saying, "The constant exposure of healthcare data and the delays in medical care caused by ransomware attacks are directly endangering Americans' lives and long-term health."
Simply put, the stakes are too high to stick with voluntary guidelines that clearly aren't cutting it.
What Should Healthcare Organizations Do?
If you're a healthcare organization, now's the time to take a hard look at your cybersecurity measures—it can no longer be an afterthought or a “nice to have” kind of thing. Organizations should proactively strengthen their defenses to comply with the impending regulations and, more importantly, to protect the patients they serve.
Investing in advanced cybersecurity solutions like Managed Endpoint Detection and Response (EDR) and Managed Security Information and Event Management (SIEM) systems can make a world of difference. These tools offer continuous monitoring, rapid threat detection, and swift responses to potential issues—exactly what you need to meet the new standards and protect your patients.
And the best part? Since these solutions are managed by cybersecurity professionals who report to your organization, you don’t need to hire or manage an internal team. You simply let the experts do what they do so you can focus on your day-to-day operations.
How Huntress Helps Healthcare Orgs
The Health Infrastructure Security and Accountability Act signals a significant shift in how healthcare organizations need to approach cybersecurity. By getting on board now, you can comply with upcoming regulations and reinforce the trust your patients place in you every day.
Remember, cybersecurity isn't just an IT issue—it's a critical component of patient care and organizational integrity.
Navigating all of these changes might feel overwhelming, but you don't have to do it alone. Huntress supports healthcare organizations with multiple solutions that help shield them from sophisticated cyber threats. We also provide Managed Security Awareness Training, which teaches staff to stay ahead of common threats, like phishing and social engineering, by helping them recognize real-world attacker tactics when they happen.
Ready to see the difference managed, proactive cybersecurity can make? Start your free trial with Huntress and take the first step toward stronger protection—and peace of mind.
