Perspective on the Proposed Health Infrastructure Security and Accountability Act

By: Steve Cagle, MBA, HCISSP, CHISL, CDH-E
Clearwater CEO

The Health Infrastructure Security and Accountability Act (HISAA), introduced in the U.S. Senate on September 26, is another good step forward in addressing key factors contributing to the healthcare sector’s deficiency in establishing and maintaining adequate cybersecurity controls and risk management programs. While many in the sector are already implementing recognized standards, having mandated standards would help ensure that everyone is playing by the same rules.

The bill seems to recognize the importance of including all stakeholders in the healthcare ecosystem, as it refers to both covered entities and business associates (as defined under HIPAA) and does not single out hospitals, as we have seen some other cybersecurity initiatives do.

Cybersecurity and risk management shortcomings in different parts of the healthcare ecosystem have led to an onslaught of cyberattacks that have resulted in severe impacts to patient care and billions of dollars of costs to the sector.

These deficiencies include:

  • Lack of enforcement of existing HIPAA regulations, stemming from inadequate funding for the HHS Office for Civil Rights to perform audits, as it is supposed to do under HIPAA, and to enforce compliance with HIPAA regulations when violations occur
  • Absence of specifically mandated cybersecurity practices for healthcare organizations (best practices exist today, but they are voluntary)
  • No requirements for any third-party audit or validation of meeting cybersecurity and risk management standards
  • Minimal to no consequences for organizations that fail to meet HIPAA and/or industry-recognized security practices
  • Lack of accountability for the CEO or Board of Directors for failing to ensure cybersecurity governance is in place and that the organization is acting responsibly with its cybersecurity program
  • No identification of organizations whose compromise could cause sector-wide impacts that interfere with patient care or cause severe economic harm to the sector, and no higher level of cybersecurity standards and accountability for such organizations (e.g., the Change Healthcare and OneBlood attacks)
  • Inability of small hospitals to fund even basic cybersecurity programs, let alone keep up with sophisticated attack techniques from nation-state-backed professional cybercriminal gangs
  • No codified backstop in case Medicare payments are interrupted because of a cyberattack or other significant event

HISAA would result in the following:

  • Establishment of minimum and enhanced cybersecurity standards for covered entities and business associates (as defined by HIPAA), with the enhanced standards applicable to covered entities that are of “system importance to national security”, and a requirement that these standards be updated no less than every two years.
  • Requiring covered entities and business associates to conduct a security risk analysis of risks related to their business associates; risk analysis is already required under the HIPAA Security Rule, so presumably HISAA intends to expand the current requirement to also cover the supply chain.
  • Requiring covered entities and business associates to create incident response, business continuity and disaster recovery plans, stress-test those plans to ensure they can restore systems promptly, and document these tests.
  • Mandating that entities and business associates subject to the enhanced security requirements submit the above documents to HHS annually; all other entities must provide the documentation upon request.
  • Making the Chief Executive Officer and Chief Information Security Officer formally accountable by having them attest that their organization is complying with the minimum security standards and requiring them to post this attestation on their website.
  • Requiring covered entities and business associates to contract with an approved third-party auditor to assess compliance with minimum cybersecurity standards. Prior to the availability of minimum standards, the audit would instead evaluate implementation of the existing HHS cybersecurity performance goals. Certain entities would have to submit the audit results to HHS, and all others must be prepared to do so upon HHS request.
  • Mandating that HHS audit at least 20 covered entities or business associates per year.
  • Authorizing HHS to charge user fees to covered entities and business associates to fund enforcement of cybersecurity standards (and presumably HIPAA).
  • Increasing current civil money penalties for failure to meet security standards and other requirements for health information (removing the statutory caps that exist today, which provide little deterrence for larger organizations that can afford small fines).
  • Providing $800M in funding to 2,000 rural and urban safety net hospitals over two years to support implementation of cybersecurity practices and $500M to other hospitals to support implementation of enhanced practices over three years (the latter following the first two years of funding to small hospitals).
  • Providing advanced and accelerated payments to Part A and Part B providers when there is a significant cash flow problem resulting from their Medicare Administrative Contractor, including one resulting from a cybersecurity incident.

While the $1.3B in funding being allocated is a good starting point, it is still insufficient, and we need to consider other entities that may be larger but are struggling financially, as well as non-profit organizations. We would also like to see more incentives, such as we had with Meaningful Use/Promoting Interoperability, to motivate investment, rather than relying solely on penalties and fines.

We must recognize that smaller organizations do not have the resources and funding to implement even many of the basic controls to thwart cyberattacks. Smaller healthcare organizations, and in particular critical access hospitals and rural health centers, are vital to our health system and will need support from our government (in the form of ongoing funding) to be in a reasonable position to meet these standards.

The third-party assessor element is extremely important as well, but we need to ensure that these assessors are vetted and certified themselves, similar to what the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program does with Certified Third-Party Assessor Organizations (C3PAO).

Lastly, accountability at both the C-level and the board is essential. As with Sarbanes-Oxley, when senior executives are held responsible for meeting requirements, there will likely be more action.
