New research by Austin, Texas-based Software Advice highlights gaps in the cybersecurity of healthcare providers that puts patients’ data at risk during breaches. And it comes as the controversial Health Infrastructure Security and Accountability Act (HISAA) continues to be debated in the US Senate.
The bill would create “serious accountability” for hospitals and other healthcare businesses by requiring them to adopt minimum cybersecurity standards and face annual audits.
The legislation was a direct response to the February 2024 ransomware attack of Change Healthcare – a UnitedHealth subsidiary – that exposed the protected health and other personally identifiable information (PII) of up to 110 million individuals.
The hack severely disrupted the industry nationwide.
The bill remains in the Senate Committee on Finance, and it’s unclear whether it will be reported out and to the full Senate for a vote before the current session of Congress adjourns.
There is no specific companion bill in the House, but there is the Health Equity and Accountability Act of 2024, which doesn’t go as far as HISAA. It does contain provisions related to developing interoperability and security systems for data management among federally conducted or supported health care or public health programs, as well as state health and social service agencies. It would also strengthen data collection, improve data analysis, and expand data reporting.
Software Advice’s Associate Principal Analyst, Lisa Morris, said Monday that “it’s frankly alarming that … over a third of medical practices who do not have – or are not aware of having – a cybersecurity incident response plan in place. Our recent research shows that the majority of medical practices do have a response plan in place, but that number is not as high as it should be. These practices are leaving themselves extremely vulnerable to loss of patient data, Health Insurance Portability and Accountability Act (HIPAA) violations, hefty fines, and even lawsuits from patients in the event of a cyber-attack.”
HIPAA protects Personal health information (PHI). Breaches of IT systems that expose HIPAA-protected patient records can result in the loss of accreditation and rack up punishing fines that are in addition to whatever monies healthcare providers must pay out to recover stolen data due to a ransomware attack.
Last week, Clearwater CEO Steve Cagle wrote in Chief Healthcare Executive that HISAA “is a big step forward in addressing the monumental cybersecurity challenges the healthcare sector faces,” adding that “while we can debate whether the specific proposals in the bill are the best ones to drive change, it is encouraging to see lawmakers taking action to address the gaps that many healthcare organizations have in their cybersecurity controls and risk management practices.”
Cagle said, “healthcare providers – and their business associates, including digital health and health IT companies – must ensure they are safeguarding patient information if they plan to create, receive, transmit or store it. Furthermore, if they are relying on technology to deliver services, they must ensure these systems are available and maintain their integrity. Creating mechanisms to ensure all healthcare organizations are meeting cybersecurity standards is essential to reduce the number of breaches and ransomware attacks. This bill aims to do just that.”
Cagle said in a Clearwater blog post that “while there are many in the [healthcare] sector that are already implementing recognized standards, having mandated standards would help to make sure everyone is playing by the same rules.” He added that “the bill seems to recognize the importance including all stakeholders in the healthcare ecosystem, as it refers to both covered entities and business associates (as defined under HIPAA) and is not singling out hospitals as we have seen some other cybersecurity initiatives do.”
When Sens. Ron Wyden and Mark Warner introduced HISAA, Wyden said the bill is necessary because “megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result.”
“The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy,” Wyden said. “These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system.”
A Fact Sheet about the bill states that “health care has some of the weakest cybersecurity rules of any federally regulated industry. There are no mandatory cybersecurity standards and billion-dollar mega-corporations face insignificant fines for lax cybersecurity.”
Wyden added that “the Department of Health and Human Services (HHS) has not been appropriately funded to be an effective cop on the beat — it has not conducted a cybersecurity audit since 2017 and has not issued updated regulations under the HIPAA Security Rule since 2013.”
The HHS Office for Civil Rights’ Breach Portal lists nearly 400 large data breaches this year alone that are attributed to hacking/IT incidents affecting more than 43 million individuals. In 2023, there were 602 data breaches involving the healthcare records of more than 151 million individuals, according to HHS records.
The portal identifies all the breaches that have been reported during the last 24 months that are currently under investigation by the Office for Civil Rights. Section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health Act of 2009 requires the HHS secretary to post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HHS has indicated that it supports HISAA. Deputy Secretary Andrea Palm said she is “grateful for Senator Wyden and Senator Warner’s leadership and look forward to continuing to work together on this legislation to strengthen cyber resiliency across our entire health care ecosystem.”
Palm said: “Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyberattacks and ensure patient safety. Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.”
Cagle said there is a “lack of enforcement for existing HIPAA regulations, stemming from inadequate funding to HHS’s Office for Civil Rights to perform audits, as they are supposed to do under HIPAA, and to enforce compliance with HIPAA regulations when violations occur.” He also said there is an “absence of specifically mandated cybersecurity practices for healthcare organizations (best practices exist today, but they are voluntary), and no requirements for any third-party audit or validation of meeting cybersecurity and risk management standards.”
The American Hospital Association has declined to comment on the bill.
Software Advice’s survey found that 59 percent of practices impacted by ransomware attacks reported disruptions to patient care, leaving healthcare providers unable to access crucial medical records and diagnostic tools.
“In addition to patient safety risks, financial damages from cyber incidents are often astronomical, involving legal fees, forensic investigations, and regulatory fines. The reputational damage alone can result in patients losing trust and seeking care elsewhere,” Software Advice said, noting that “developing a comprehensive cybersecurity incident response plan is critical for healthcare practices of all sizes.”
Software Advice said that “with 89 percent of practices already using tools like two-factor authentication, the importance of integrating robust cybersecurity software cannot be overstated. Healthcare providers must integrate advanced measures, including email security protocols, firewalls, and real-time threat detection systems, to ensure comprehensive protection against data breaches.”
“Downtime from a cyberattack can disrupt production, profits, and reputation for most businesses, but in healthcare, it means inaccessible medical records, malfunctioning devices, and delayed critical procedures,” Morris said. “To mitigate these risks for patients, it’s essential to implement robust cybersecurity measures, including response plans and employee training.”
“Unfortunately, the things that make a data breach so much worse for medical organizations than other types of businesses also make these healthcare organizations a high-value target for cybercriminals, who know that these victims will be even more motivated to pay ransoms to recover stolen data,” the survey report says.
Josuah Corman, who led the Cybersecurity and Infrastructure Security Agency COVID Task Force and is an ardent advocate for more rigorous cyber fortifications throughout the healthcare industry, told the Senate Committee on Health, Education, Labor, and Pensions two years ago that “attacks on healthcare are increasing in volume, variety, and impact – with consequences that now include the loss of life. While directionally correct steps have been taken, we’re getting worse faster than we’re getting better. Bold actions and assistance will be required to change this trajectory, address these market failures, lack of incentives, and historical under-investments.”
Presently the Executive in Residence for Public Safety and Resilience at the Institute for Security and Technology, and founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security and public safety, Corman said HISAA would force the federal government to take on an expanded role in protecting the US healthcare system. While he acknowledges that the bill was introduced on the last day before Congress recessed ahead of the election next week and may not see any movement toward passage in the final months of this legislative session, he said, “I think this becomes the starting point for debate and discussion, but I hope what no one can disagree with is we do need executive-level accountability and incentives, and we do need a sense of urgency to make sure that the regulator of 20 percent of the economy and public safety/human life is equipped to do their job and preserve this trust. If you want to see something fixed, make it a C-suite problem.”
Congress did pass the Protecting and Transforming Cyber Health Care Act of 2022 as a part of the 2023 Consolidated Appropriations Act, but it only regulates medical device cybersecurity.
Corman said the bipartisan bill, known as the PATCH Act, “addressed the increased risks from evolving medical technology, including the rise of ransomware attacks on hospitals that have increased significantly in recent years.”
Suzanne Schwartz, Director of the Office of Strategic Partnerships and Technology Innovation at the Center for Devices and Radiological Health of the Food and Drug Administration, said the bill “gives [the FDA] teeth” and that “this really, for the first time, would establish very explicitly, authority in the area of cybersecurity and tie that directly to the safety of medical devices We want the devices of tomorrow to not have the same legacy issues that we’re dealing with today.”
“The PATCH Act marks a significant milestone for making cybersecurity concerns a part of the product evaluation process for any new medical technology. Protecting the integrity of US hospitals is paramount to the safety of all patients,” Corman said.
But more still needs to be done. Depending on the outcome of the election next week and the likely shifting seats in both the House and Senate, HISAA faces an ambiguous future. What isn’t ambiguous though, cybersecurity experts stress, is the healthcare industry will continue to face mounting pressure to convalesce its cybersecurity protections, whether voluntarily or through legal dictates.
Article Topics
biometrics | cybersecurity | HIPAA | legislation | multifactor authentication | patient identification | U.S. Government
