Why the Health Infrastructure Security and Accountability Act Matters

As Health IT leaders, we are acutely aware of the ever-increasing cyber threats targeting our industry. The proposed Health Infrastructure Security and Accountability Act is a significant development aimed at strengthening the cybersecurity posture of healthcare organizations across the nation. In this article, I will outline the key provisions of the Act, delve into each proposed section, and share my professional insights on their potential impact!

The State of Healthcare Cybersecurity

Healthcare organizations are among the most vulnerable when it comes to ransomware attacks, data breaches, and cyberattacks. The consequences of these incidents are severe, not only for the privacy of patients but also for the ability of hospitals and clinics to deliver timely, life-saving care.

Unfortunately, healthcare regulations are outdated. The HIPAA Security Rule hasn’t seen a meaningful update since 2013, and federal enforcement agencies, such as the Department of Health and Human Services (HHS), have not conducted cybersecurity audits since 2017. Healthcare providers, particularly large corporations, are often fined small amounts that fail to reflect the gravity of their cybersecurity shortcomings.

The Health Infrastructure Security and Accountability Act aims to rectify this imbalance by introducing mandatory cybersecurity standards, rigorous audits, and significant penalties for non-compliance. But what does this mean for you as a healthcare IT leader?

Key Provisions and Their Impact
Minimum Security Requirements

This section of the legislation requires the HHS Secretary to adopt minimum and enhanced security requirements within two years after the bill is passed. The goal is to protect patient health information, ensure patient safety, and safeguard healthcare systems from cyber disruptions.

Finally, we are seeing an attempt to 'enforce' cybersecurity across healthcare entities. Currently, the sector has a fragmented patchwork of guidelines. The key word here is 'guidelines.' By implementing mandatory minimum standards, this bill is essentially pushing every healthcare organization to prioritize cybersecurity.

Additionally, enhanced security controls will be required for entities critical to national security or the healthcare system's stability. These organizations, due to their systemic importance, need to be held to a higher standard. However, the fact that this determination isn’t subject to judicial review may raise concerns. While it expedites decision-making, it could result in arbitrary decisions that impact organizations without clear recourse. Transparency and fairness will be key in implementing this.

Risk Management, Reporting, and Audits

Within three years of enactment, covered entities and business associates will be required to conduct and document a risk assessment, create a disaster recovery plan, conduct stress tests, and provide written attestations from their CEO and CISO. These documents must be submitted annually for entities subject to enhanced security requirements. Additionally, independent cybersecurity audits will become mandatory, with a minimum of 20 audits performed annually by HHS.

This section takes cybersecurity seriously, introducing a level of accountability that has been sorely lacking. The requirement for top executives (CEOs and CISOs) to personally sign off on cybersecurity compliance is crucial. It ensures that security is no longer a concern relegated to IT teams alone; it's a top-down responsibility! Executives will have skin in the game, which will force organizations to take a more holistic, integrated approach to their cybersecurity measures.

The mandatory stress tests are another way of saying disaster recovery and incident response testing, which is smart. Much like financial stress tests that evaluate how banks can survive economic shocks, these tests will push healthcare organizations to evaluate how they would recover from a breach (e.g., ransomware). Given the rise in disruptive cyber incidents, testing organizational resilience is essential.

The caveat of waivers, where entities can avoid certain reporting requirements due to cost or scale, will provide relief for smaller organizations. However, I believe there must be strict criteria for waivers to avoid exploitation.

Increased Civil Penalties

This section of the legislation introduces a tiered structure for penalties based on the severity of cybersecurity violations, ranging from $500 for unknowing violations to $250,000 for willful neglect that goes uncorrected. Penalties could vary based on an entity’s size, compliance history, and good faith efforts. This is a comparison based on the current civil penalty scale.

Introducing substantial financial penalties creates real consequences for non-compliance. It’s one thing to issue fines, but ensuring that they are meaningful and proportional to the scale of the organization is critical for driving behavioral change. For billion-dollar healthcare organizations, previous fines were mere drops in the bucket. Now, with a penalty structure that can escalate up to $250,000, we are more likely to see serious investments in cybersecurity.

User Fee for Oversight

A new user fee will be introduced to fund oversight and enforcement activities by the HHS. The fee is capped at $40 million for 2026 and $50 million for 2027, with subsequent increases tied to the consumer price index.

Charging organizations a fee to fund cybersecurity oversight is an "interesting" way to ensure sustained funding for HHS. However, I believe it's important to ensure that the fees do not place an undue burden on smaller organizations. HHS must strike a delicate balance between raising sufficient funds and not inadvertently disadvantaging smaller healthcare entities.

Medicare Safe Cybersecurity Practices

This section sets aside $800 million in investment for rural and urban safety net hospitals to implement cybersecurity standards. An additional $500 million will incentivize all hospitals to adopt enhanced cybersecurity practices.

The government's financial assistance to smaller hospitals demonstrates an understanding of the challenges in healthcare beyond just accountability. Often, rural and smaller healthcare providers struggle with the financial burden of upgrading their systems to meet security requirements. Providing this upfront investment will ensure that these hospitals, which are often more vulnerable to attacks, can secure their infrastructure without compromising patient care due to budgetary and resource constraints.

Accelerated Payments for Cybersecurity Incidents

This section codifies HHS’s authority to provide advanced and accelerated payments to Medicare providers affected by a cybersecurity incident. The goal is to help them recover financially from disruptions.

This provision is critical in ensuring that healthcare organizations can continue operations in the aftermath of a cyberattack. Disruptions in Medicare claims processing can have a ripple effect, especially for smaller providers with tight cash flows, as we have seen in the Change Healthcare breach. Offering a safety net through accelerated payments ensures continuity of care, which is crucial.

Is This Enough?

The Health Infrastructure Security and Accountability Act is undoubtedly a significant step forward in increasing cybersecurity efforts within the healthcare sector. By establishing minimum security standards, increasing oversight, and imposing strict penalties, the bill forces healthcare organizations to take a more proactive and comprehensive approach to safeguarding patient data and critical infrastructure.

However, the success of this bill will depend on its implementation. While the minimum standards and enhanced requirements are necessary, the bill must ensure flexibility and fairness in applying these rules, especially for smaller healthcare entities. Furthermore, enforcement mechanisms must be upheld, and oversight agencies like HHS need the proper funding and resources to carry out these audits and enforce compliance effectively.

How I Can Help You Navigate

Over the past 15 years, I've worked alongside organizations like yours to build compliant, flexible, and secure systems. My approach isn't about off-the-shelf solutions; it's about crafting strategies that fit your unique environment. Whether it's conducting a comprehensive HIPAA compliance audit or working as an extension of your team, I'm happy to help!

Lead with confidence and let's talk strategy.

Until next time, stay secure and keep innovating.

Thanks for reading and subscribing!

Larry

P.S. What would you add to the bill that is not already included?


As Founder of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business. Larry has 15 years of cybersecurity experience including industry certifications (e.g., CISM, ISO 27001 Lead Implementer). His healthcare expertise includes working with EHR, telemedicine, Health SaaS, medical device, and behavioral health organizations.
