2024-10-29
The US Health Infrastructure Security and Accountability Act
In September 2024, US Senators Ron Wyden (D-Oregon) and Mark Warner (D-Virginia) introduced the Health Infrastructure Security and Accountability Act (HISAA). The proposed legislation is a direct response to the February 2024 Change Healthcare breach, which affected 100 million people. HISAA's provisions include updating HIPAA cybersecurity standards; 'Requir[ing] covered entities and business associates to submit to annual independent cybersecurity audits, as well as stress tests to determine if they are capable of restoring service promptly after an incident, which HHS can waive for small providers;' and 'requiring top executives to annually certify compliance with the requirements.'
Editor's Note
The HIPAA Privacy Rules came out in 2002. More than 20 years of HIPAA being reactive and compliant-driven vs. proactive and assessment-driven have proven change is needed to make meaningful progress in healthcare security. But the US has also failed to pass national privacy legislation over that same period, despite similar bipartisan starting points.
John Pescatore
While well intended, HIPAA security requirements have done more to inhibit the adoption of electronic healthcare records than to ensure their security when adopted. The result is that healthcare is a highly targeted and exploited industry. While it is far from clear that more law and regulation will fix the problem, we need an initiative.
William Hugh Murray
Two things popped out of the Change Healthcare incident: first, the lack of MFA enabled the initial attack to succeed; and second, the CISO's lack of experience was a contributing factor. Note that while they did pay $22 million in ransom, the data wasn't deleted. The HISAA comes with teeth and funding. The teeth include fines ranging from a minimum of $500 to $250,000, as well as funding in the form of $800 million for rural and urban safety net hospital up-front investment payments with another $500 million for all hospitals making cyber investments.