In response to the devastating ransomware attack on Change Healthcare earlier this year, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced the Health Infrastructure Security and Accountability Act.
The bill seeks to enforce mandatory cybersecurity standards across the healthcare industry, ensuring that companies like UnitedHealth, which owns Change Healthcare, cannot avoid key security protocols. It also allocates $1.3 billion to the Department of Health and Human Services (HHS) to help healthcare entities improve their cybersecurity defenses.
The legislation focuses on addressing vulnerabilities exposed by the February ransomware attack, which severely disrupted healthcare services nationwide and compromised the personal data of millions of patients. This raised serious concerns about the industry’s inadequate cybersecurity measures.
A major element of the bill is executive accountability, with the potential for jail time for CEOs who mislead the government about their organization’s cybersecurity readiness.
Additionally, the act mandates minimum cybersecurity standards for all healthcare providers, health plans, and associated entities, along with annual audits to ensure compliance.
Why It Matters: The Change Healthcare cyberattack highlighted the serious consequences of cybersecurity lapses in healthcare, jeopardizing both patient data and timely access to care. With a surge in ransomware attacks this year disrupting emergency services and delaying treatments, the impact on patients and their families has been severe. Many have faced delays in critical care, underscoring that improved security measures in healthcare are long overdue and crucial for protecting both privacy and patient safety going forward.
- Stricter Cybersecurity Standards: The new legislation mandates that healthcare providers, health plans, and business associates adopt minimum cybersecurity standards. HHS would audit at least 20 major health systems annually, with penalties for those failing to comply.
- Executive Accountability: The bill introduces stringent measures, including potential jail time for top executives who provide false information about their company’s cybersecurity status, emphasizing corporate responsibility in safeguarding sensitive health data.
- Expanded HHS Powers: The bill provides HHS with $1.3 billion to support hospitals in implementing cybersecurity upgrades and removes existing caps on the fines the agency can impose for non-compliance, enabling more significant penalties for major corporations like UnitedHealth.
- Response to Systemic Failures: The bill directly responds to the Change Healthcare breach, the largest ransomware attack in U.S. healthcare history, which exposed significant industry-wide vulnerabilities, especially in organizations lacking multi-factor authentication.
Senate Bill Eyes Minimum Cybersecurity Standards for Health Care Industry – Cyber Scoop