Wyden, Warner introduce bill to set strong cybersecurity standards for health care industry

WASHINGTON (KTVZ) -- Senate Finance Committee Chair Ron Wyden, D-Ore., and Senator Mark Warner, D-Va., announced legislation Thursday to improve cybersecurity in the American health care system amid a wave of increased cyberattacks that are breaching Americans’ privacy and causing major disruptions to care across the country.

“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden said. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.”  

“Cyberattacks on our health care institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long term health,” Warner said. “With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety. I’m glad to introduce legislation that would mandate sensible cybersecurity protocols while also getting resources to rural and underserved hospitals to ensure they have the funding to meet these new standards.”

“Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyber attacks and ensure patient safety,” said Andrea Palm, Deputy Secretary of the Department of Health and Human Services. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential. We are grateful for Senator Wyden and Senator Warner’s leadership and look forward to continuing to work together on this legislation to strengthen cyber resiliency across our entire health care ecosystem.”

The bill, titled the “Health Infrastructure Security and Accountability Act,” would require the Department of Health and Human Services (HHS) to develop and enforce a set of tough minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates, including stronger standards for systemically important entities and entities important for national security.

The bill would also remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which prevent the regulator from  issuing fines large enough to deter mega-corporations from ignoring cybersecurity standards, and provides funding for hospitals to improve their cybersecurity, particularly low-resource hospitals in rural and urban areas.

In May, the Finance Committee held a hearing with UnitedHealth Group (UHG) CEO Andrew Witty in the wake of the cyberattack against Change Healthcare, a subsidiary of UHG, which crippled significant elements of the American health care system. In June, Wyden called on the Biden Administration to investigate UHG and hold the company accountable for its lax cybersecurity.

A one-page summary of the bill can be found here. A section-by-section summary can be found here. The legislative text can be found here.