Senate bill pushes cyber mandates for medical industry in wake of Change Healthcare debacle

Hospitals and other healthcare businesses would be required to adopt minimum cybersecurity standards and face annual audits under new legislation introduced by two prominent senators on Thursday. 

The Health Infrastructure Security and Accountability Act, announced by Sens. Ron Wyden (D-OR) and Mark Warner (D-VA), would  provide $1.3 billion for the Department of Health and Human Services (HHS) to support hospitals and create “serious accountability” for companies that fail to meet cybersecurity standards.

Wyden said the bill was necessary because “megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result.” 

A ransomware attack in February on UnitedHealth subsidiary Change Healthcare severely disrupted the industry nationwide. 

“The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy,” he said. 

“These common sense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system.”

Change Healthcare and 19 others

The 49-page bill takes a holistic approach to addressing cybersecurity protections in the healthcare industry. The minimum standards would apply to healthcare providers, health plans, clearinghouses and business associates.

Organizations covered under the bill would be required to undergo stress tests to determine if they are capable of restoring services after a cyber incident. This can be waived for smaller providers by the HHS. 

Organizations of particularly systemic importance, like Change Healthcare and 19 other entities, would be audited by HHS to test their data security practices. 

The annual audits would be certified by top executives, thereby increasing corporate accountability, according to the senators, who noted that it is a felony to lie to the government. 

The bill would also remove caps on the size of fines HHS is able to issue in an effort to dole out stiffer penalties to mega corporations. 

The bill says that for fiscal years 2027 and 2028 “critical access hospitals or an eligible high-needs hospital” could request funding to adopt essential cybersecurity practices from the Federal Hospital Insurance Trust Fund, which would have a total of $800 million available. 

For fiscal years 2029 and 2030 the fund would have $500 million. 

The bill also directly addresses one of the biggest issues seen during the Change Healthcare ransomware attack, giving the secretary of HHS the power to “provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption to the health system.”

‘A C-suite problem’

Warner warned that the constant exposure of healthcare data and the delays in medical care caused by ransomware attacks are “directly endangering Americans’ lives and long term health.”

He criticized the industry’s continued demand for voluntary cybersecurity standards, arguing that it is “time to go beyond” the practice and force healthcare providers, vendors and more to “get serious about cybersecurity and patient safety.”

The bill has the backing of HHS, which said in a statement that accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.

The American Hospital Association, which has previously criticized attempts to mandate cybersecurity minimum standards, declined to comment on the bill.

The proposed legislation comes as hospitals across the U.S. continue to face ransomware attacks that force nurses to revert back to pen and paper and leave ambulances stranded. 

The Change Healthcare hack — which exposed the information of more than a third of all Americans — prompted calls to better regulate the healthcare industry after UnitedHealth Group’s CEO admitted the entire attack was traced back to a remote access server that was not protected with multifactor authentication (MFA).

The attack on Change Healthcare is considered by many to be the largest ransomware event to ever hit the healthcare industry and sparked outrage as millions of U.S. residents struggled to get medications.

Wyden said last month that UnitedHealth’s senior executives and board of directors “must be held accountable” for a cascade of reckless decisions — most notably having a chief information security officer who had not worked in a full-time cybersecurity role before he was elevated to the job in June 2023.

Healthcare cybersecurity expert Josh Corman — who led CISA's COVID Task Force for two years and has been an ardent advocate for more stringent cyber protections through his organization I Am The Cavalry — lauded the bill for its efforts to expand the cyber focus of HHS. 

The department has focused only on data security in relation to the Health Insurance Portability and Accountability Act (HIPAA) but the bill would force the federal government to take on an expanded role in protecting the U.S. healthcare system, he said.

He noted the bill was introduced on the last day before Congress disperses ahead of the election, meaning it is unlikely it will gain any traction in this legislative session. 

“I think this becomes the starting point for debate and discussion, but I hope what no one can disagree with is we do need executive-level accountability and incentives, and we do need a sense of urgency to make sure that the regulator of 20% of the economy and public safety/human life is equipped to do their job and preserve this trust,” he said.

“If you want to see something fixed, make it a C-suite problem.”