Senate bill pushes cyber mandates for medical industry in wake of Change Healthcare cyberattack | The Record from Recorded Future News

Hospitals and other healthcare businesses would be required to adopt minimum cybersecurity standards and face annual audits under new legislation introduced by two prominent senators on Thursday.

The Health Infrastructure Security and Accountability Act, announced by Sens. Ron Wyden (D-OR) and Mark Warner (D-VA), would provide $1.3 billion for the Department of Health and Human Services (HHS) to support hospitals and create serious accountability for companies that fail to meet cybersecurity standards.

Wyden said the bill was necessary because "megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result."

A ransomware attack in February on UnitedHealth subsidiary Change Healthcare severely disrupted the industry nationwide.

"The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans' well-being and privacy," he said.

"These common sense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system."

The 49-page bill takes a holistic approach to addressing cybersecurity protections in the healthcare industry. The minimum standards would apply to healthcare providers, health plans, clearinghouses and business associates.

Organizations covered under the bill would be required to undergo stress tests to determine if they are capable of restoring services after a cyber incident. This can be waived for smaller providers by the HHS.

Organizations of particularly systemic importance like Change Healthcare and 19 other entities would be audited by HHS to test their data security practices.

The annual audits would be certified by top executives, thereby increasing corporate accountability, according to the senators, who noted that it is a felony to lie to the government.

The bill would also remove caps on the size of fines HHS is able to issue in an effort to dole out stiffer penalties to mega corporations.

The bill says that for fiscal years 2027 and 2028, critical access hospitals or an eligible high-needs hospital could request funding to adopt essential cybersecurity practices from the Federal Hospital Insurance Trust Fund, which would have a total of $800 million available.

For fiscal years 2029 and 2030, the fund would have $500 million.

The bill also directly addresses one of the biggest issues seen during the Change Healthcare ransomware attack, giving the secretary of HHS the power to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption to the health system.

Warner warned that the constant exposure of healthcare data and the delays in medical care caused by ransomware attacks are directly endangering Americans' lives and long-term health.

He criticized the industry's continued demand for voluntary cybersecurity standards, arguing that it is time to go beyond the practice and force healthcare providers, vendors and more to get serious about cybersecurity and patient safety.

The bill has the backing of HHS, which said in a statement that accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.

The American Hospital Association, which has previously criticized attempts to mandate cybersecurity minimum standards, declined to comment on the bill.

The proposed legislation comes as hospitals across the US continue to face ransomware attacks that force nurses to revert back to pen and paper and leave ambulances stranded.

The Change Healthcare hack, which exposed the information of more than a third of all Americans, prompted calls to better regulate the healthcare industry after UnitedHealth Group's CEO admitted the entire attack was traced back to a remote access server that was not protected with multifactor authentication (MFA).

The attack on Change Healthcare is considered by many to be the largest ransomware event to ever hit the healthcare industry and sparked outrage as millions of US residents struggled to get medications.

Wyden said last month that UnitedHealth's senior executives and board of directors must be held accountable for a cascade of reckless decisions, most notably having a chief information security officer who had not worked in a full-time cybersecurity role before he was elevated to the job in June 2023.

Healthcare cybersecurity expert Josh Corman, who led CISA's COVID Task Force for two years and has been an ardent advocate for more stringent cyber protections through his organization I Am The Cavalry, lauded the bill for its efforts to expand the cyber focus of HHS.

The department has focused only on data security in relation to the Health Insurance Portability and Accountability Act (HIPAA), but the bill would force the federal government to take on an expanded role in protecting the US healthcare system, he said.

He noted the bill was introduced on the last day before Congress disperses ahead of the election, meaning it is unlikely it will gain any traction in this legislative session.

"I think this becomes the starting point for debate and discussion, but I hope what no one can disagree with is we do need executive-level accountability and incentives and we do need a sense of urgency to make sure that the regulator of 20% of the economy and public safety/human life is equipped to do their job and preserve this trust," he said.

"If you want to see something fixed, make it a C-suite problem."

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Copyright 2024 The Record from Recorded Future News