Standards, audits and $1.3B: How Wyden and Warner propose to improve healthcare cybersecurity

Editor's Note: This story has been updated with a comment from a group of healthcare executives. 

Democratic Sens. Ron Wyden of Oregon and Mark Warner of Virginia introduced new healthcare cybersecurity legislation Thursday that would establish minimum cybersecurity standards for hospitals and increase oversight of large healthcare organizations whose operational interruption could debilitate the healthcare system.

Cash flow was halted for a swath of providers earlier this year when UnitedHealth subsidiary Change Healthcare suffered a ransomware attack that took its claims management systems offline for weeks. Provider organizations were stuck in the middle, many without the ability to bill and process claims.

To strengthen the healthcare industry's cyber resilience and prevent another crippling cyberattack, the Democratic senators propose standards, audits and a hefty amount of cash.

The proposed Health Infrastructure Security and Accountability Act would create minimum security requirements for all healthcare organizations and enhanced requirements for organizations of systemic importance or importance to national security.

The bill (PDF) would infuse cash into rural and safety net hospitals to increase cybersecurity infrastructure, require annual cybersecurity reporting and stress tests from industry stakeholders and codify the ability of the Department of Health and Human Services' (HHS') secretary to provide advance Medicare payments in the event of a cybersecurity disruption to a health system.

The bill would provide $800 million to 2,000 rural and urban safety net hospitals over two years to protect patient health data and internal systems from malicious attack. After the two-year funding period for safety net providers, the federal government would provide an additional $500 million for all other hospitals to beef up cybersecurity.

The bill accounts for the resiliency of healthcare institutions not just in the event of a cyberattack but also during natural disasters or technological failures.

Within three years, all healthcare organizations would have to conduct a security risk analysis and state on their websites that they are in compliance with HHS requirements. Organizations with systemic importance would be required to submit the results of their cybersecurity tests annually, while other entities would need to be able to provide them upon request. Every organization would be required to hire an independent auditor within six months of enactment.

The bill would require HHS to audit 20 healthcare organizations' cybersecurity practices per year, according to their influence on the industry, and submit a report to Congress biennially for 10 years.

The bill also seeks to make large healthcare organizations feel the sting of lax cybersecurity by raising the minimum statutory penalties HHS can impose to “$500 for no knowledge, $5,000 for reasonable cause, $50,000 for willful neglect corrected, and $250,000 for willful neglect uncorrected.”

If passed, the legislation would also impose a user fee on regulated entities.

The secretary would have the ability to waive the requirements in certain cases where the burden of compliance outweighed the benefit.

The Healthcare Leadership Council, a group of healthcare executives, released a statement on Friday that condemned the bill's penalty structure. 

“The healthcare industry faces increasing, aggressive cyberattacks," HLC wrote in a statement. "Instead of offering support and partnership to defend against relentless cybercriminal enterprises, this bill singles out our industry’s members for punishment."

There has been speculation in the industry that HHS would mandate that healthcare organizations comply with its currently voluntary cybersecurity performance goals in its fall update to the Health Insurance Portability and Accountability Act’s Security Rule.

Modern Healthcare reported that the Centers for Medicare & Medicaid Services intends to publish cybersecurity regulations for third-party vendors by the end of the year.