US lawmakers have introduced a bill to set cybersecurity standards for healthcare organisations in the wake of a string of ransomware incidents and other attacks.
The Health Infrastructure Security and Accountability Act (PDF) – sponsored by Senators Ron Wyden (D-Ore) and Mark Warner (D-Va) – would direct the Department of Health and Human Services (HHS) to develop minimum cybersecurity standards for healthcare providers, health plans, claims clearinghouses and business associates.
Wyden said the bill was needed because big corporations like UnitedHealth are "flunking cybersecurity 101," leading to breaches of Americans' data privacy and major disruptions to care across the country. On top of the minimum standards, stricter requirements would apply to organisations deemed to be important to national security.
"The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy," claimed the senator. "These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among healthcare companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system."
A summary (PDF) of the main elements of the bill notes that there were 725 data breaches involving healthcare organisations in 2023 impacting over 120m Americans, with the sector now the number one target for ransomware attacks, according to the FBI. These attacks are "entirely preventable," it claims, and occur because healthcare has "some of the weakest cybersecurity rules of any federally regulated industry."
Other measures include mandatory annual independent cybersecurity audits and stress testing of defences – which could be waived for small providers – and a requirement for the HHS to audit at least 20 regulated entities each year to make sure they are in compliance with the standards.
The cap on HHS fines should also be removed so that "mega-corporations face large enough fines to deter lax cybersecurity," according to the document. At the same time, it would provide $800m in upfront federal funding for rural and urban hospitals and $500m to all hospitals to adopt enhanced cybersecurity standards.
The move follows the notorious attack earlier this year against UnitedHealth's Change Healthcare unit by ransomware group BlackCat – also known as AlphV – that shut down its systems for more than a week and disrupted patient care.
"Cyberattacks on our health care institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long-term health," said Warner.
"With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety."
© SecuringIndustry.com