New cybersecurity bill is a step in the right direction, but we can’t stop here | Viewpoint

The Health Infrastructure Security and Accountability Act (HISAA), introduced in the U.S. Senate last month, is a big step forward in addressing the monumental cybersecurity challenges the healthcare sector faces.

Steve Cagle

While we can debate whether the specific proposals in the bill are the best ones to drive change, it is encouraging to see lawmakers taking action to address the gaps that many healthcare organizations have in their cybersecurity controls and risk management practices.

While certainly there are organizations who are following industry best cybersecurity practices, the reality is that many others are not. Cyberattacks on healthcare organizations include devastating ransomware attacks that create major disruptions in healthcare services and data breaches of highly sensitive electronic protected health information, causing significant harm to patients.

Healthcare providers – and their business associates, including digital health and health IT companies - must ensure they are safeguarding patient information if they plan to create, receive, transmit or store it. Furthermore, if they are relying on technology to deliver services, they must ensure these systems are available and maintain their integrity.

Creating mechanisms to ensure all healthcare organizations are meeting cybersecurity standards is essential to reduce the number of breaches and ransomware attacks. This bill aims to do just that.

Cybersecurity and risk management issues aren’t confined to one corner of the sector—it's a challenge for the entire system, and it’s about time we all moved in the same direction. As we saw with the Change Healthcare and OneBlood ransomware attacks, a disruption to the supply chain can have a rippling effect on the entire sector.

• Read more: The Change Healthcare cyberattack affected 100 million Americans

The American Hospital Association has repeatedly argued that much of the challenge in healthcare cybersecurity lies in software vendors shortcomings. HISAA seems to recognize this point, as it would require that business associates covered under HIPAA comply with the same standards that providers must adhere to. HISAA also includes incentives in the form of funding from the government, however, this support is reserved for hospitals.

What does HISAA bring to the table?

The bill takes several important steps to strengthen healthcare cybersecurity:

1. Establishes minimum and enhanced standards: HISAA sets minimum cybersecurity standards for covered entities and business associates, with enhanced standards for those deemed critical to national security. The standards are also set to be updated at least every two years.
2. Expands risk analysis requirements: While healthcare organizations are already required to conduct risk analyses under HIPAA, HISAA expands this to include risks related to business associates, strengthening the entire supply chain.
3. Incident response and recovery plans: Organizations will need to create and stress-test incident response, business continuity, and disaster recovery plans to ensure they can bounce back quickly when (not if) something goes wrong.
4. Accountability at the top: CEOs and CISOs will be held formally accountable by attesting that their organization complies with the security standards—and they’ll have to post this attestation on their website for all to see.
5. Third-party audits: Organizations will need to bring in third-party auditors to assess compliance with the minimum standards, and certain entities will have to submit those results to HHS annually.
6. Annual HHS audits: The bill mandates that HHS audit at least 20 covered entities or business associates per year, keeping everyone on their toes.
7. Funding for rural and urban safety net hospitals: HISAA allocates $1.3 billion in funding to help hospitals—particularly smaller, rural, and urban safety net hospitals—implement better cybersecurity practices.

My take on the legislation

The funding piece is a good start, but let’s be clear—it’s not enough. While $1.3 billion sounds like a lot, it’s still insufficient when you consider the sheer size of the sector and the financial struggles of many organizations, especially non-profits. We need more funding, particularly for those organizations that don’t have the resources to meet even the most basic cybersecurity controls.

One thing that would really move the needle is providing incentives, like we saw with the Meaningful Use/Promoting Interoperability programs, to motivate organizations to invest in cybersecurity. Fines and penalties alone aren't enough to spur the kind of proactive investment we need.

It’s also crucial that smaller healthcare organizations—especially critical access hospitals and rural health centers—get ongoing support. These organizations are vital to our health system, and they simply don’t have the resources to meet the new standards without additional help.

I’m also glad to see the bill includes third-party audits, but we need to make sure these auditors are vetted and certified, much like the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program does. Otherwise, we risk inconsistent or subpar assessments.

And it’s good to see there might finally be some accountability at senior levels of the organization, with proposed requirements to have the CEO attest that the organization meets the minimum cybersecurity requirements.

Just as Sarbanes-Oxley raised the stakes for financial accountability in the early 2000s, this legislation is likely the beginning of a new era of accountability in cybersecurity. When senior executives are held responsible, we can expect to see more organizations take these requirements seriously.

Notably, the bill falls short on providing safe harbor to those organizations who are meeting recognized security standards and meeting HIPAA requirements, such as on-going risk analysis and risk management.

Healthcare organizations that do everything they can to prevent, detect and stop an attack, and who have strong resiliency plans in place, should not be penalized or face class action lawsuits if they are attacked by criminals, who are often supported or harbored by adversarial nation states. These types of laws already exist in some states, such as in Ohio, which passed the Data Protection Act in 2018.

A call to action for healthcare leaders

Healthcare leaders should not wait for this bill to become law in order to act. Threats to healthcare continue to grow in both frequency and severity.

Healthcare breaches and ransomware attacks are becoming more impactful to operations, revenue, brand reputation and most importantly patient safety. It should not take regulations to implement what is already required under HIPAA and already considered best practice for healthcare organizations.

As with any patient safety issue, or threat to the business, leaders should ensure that their organizations are protecting themselves and that they have long term strategies in place to assess and mitigate high risks. Unfortunately, while this is obvious to some, others will continue to ignore the issue, or simply not be able to afford to address it.

Therefore, whether it’s HISAA or some other bill, we need some catalyst to drive change and help our healthcare industry to achieve a more secure, compliant and resilient state.

Coming Monday: Chief Healthcare Executive® presents a discussion on cybersecurity in healthcare from three of the top experts in the field.