Senate Finance Committee Chair Ron Wyden of Oregon and Sen. Mark Warner of Virginia today announced legislation to improve cybersecurity in the American health care system.
The legislation's introduction comes amid a wave of increased cyberattacks that are breaching Americans' privacy and causing major disruptions to health care across the country.
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden said. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.”
Warner, a former technology entrepreneur, said cyberattacks threaten patients’ most private data and delay medical care, which is a direct danger to American lives and long-term health.
“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety. I’m glad to introduce legislation that would mandate sensible cybersecurity protocols while also getting resources to rural and underserved hospitals to ensure they have the funding to meet these new standards,” Warner said.
Deputy Secretary of the Department of Health and Human Services Andrea Palm said that cybersecurity is an ever-evolving challenge for the healthcare system and cyberattacks must be prevented to ensure patient safety.
“Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential. We are grateful for Senator Wyden and Senator Warner’s leadership and look forward to continuing to work together on this legislation to strengthen cyber resiliency across our entire health care ecosystem,” Palm said.
The bill, titled the Health Infrastructure Security and Accountability Act, would require the Department of Health and Human Services (HHS) to develop and enforce a set of tough minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates, including stronger standards for systemically important entities and entities important for national security. The bill would also remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which prevents the regulator from issuing fines large enough to deter megacorporations from ignoring cybersecurity standards, and would provide funding for hospitals to improve their cybersecurity, particularly low-resource hospitals in rural and urban areas.
In May, the Finance Committee held a hearing with UnitedHealth Group (UHG) CEO Andrew Witty in the wake of the cyberattack against Change Healthcare, a subsidiary of UHG, which crippled significant elements of the American health care system. In June, Wyden called on the Biden administration to investigate UHG and hold the company accountable for its lax cybersecurity.