CSO

The story behind the Health Infrastructure Security and Accountability Act

Health care breaches lead to legislation

Partner Content

Breaches breed regulation, which hopefully in turn breeds meaningful change.

In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UHG), was the victim of a significant ransomware attack carried out by the ALPHV/BlackCat ransomware group. The attackers gained access to Change Healthcare's systems for over a week between February 12 and February 20, 2024, stealing around 4 terabytes of data, including protected health information (PHI) in the process. The breach had the potential to impact up to 110 million individuals, potentially exposing sensitive healthcare data on a massive scale.

During a congressional hearing in May 2024, UnitedHealthcare CEO Andrew Witty disclosed that a lack of multi-factor authentication (MFA) contributed to the initial breach, which cascaded into far more significant impacts on both patients and providers. Some patients were not able to fill their prescriptions, while others lost access to healthcare providers themselves. From the healthcare providers’ perspective, many went without pay or were forced to close operations. Furthermore, despite a $22 million ransom payment, the attackers did not deliver on their promise to delete the data.

While the outcome of many breaches is an email from the company offering free credit monitoring to customers, this breach inspired a more significant response. The US Senate introduced new regulations to protect healthcare data aimed at preventing similar future outcomes.

You might be thinking, “Isn’t this the purpose of HIPAA (the Health Insurance Portability and Accountability Act)?” Not exactly. HIPAA sets standards for how health information is handled and for the privacy of PHI, but it struggles on the security and accountability front. In fact, the cybersecurity requirements in HIPAA have often been viewed as voluntary and have been under-enforced. While HIPAA ensures that healthcare professionals, for example, cannot discuss your protected health information unless given explicit permission, it does not ensure that the overall security program governing your information meets baseline requirements.

Shortly after Andrew Witty’s congressional hearing, Senate Finance Committee Chair Ron Wyden sent a letter to FTC Chair Lina Khan and SEC Chair Gary Gensler stating that the incident was “completely preventable and the direct result of corporate negligence.” According to the letter, the fault appears to lie with the lack of experience of UHG’s CISO Steve Martin, who allegedly “had not worked in a full-time cyber security role before he was elevated to the top cybersecurity position at UHG.” In Wyden’s estimation, the absence of best practices and basic cyber hygiene in this case led to wide-scale exposure. He also addressed the issue of resilience: an organization's ability to prepare for, respond to, and recover from cyberattacks and other disruptions to its digital infrastructure. The weaknesses he outlined served as the catalyst for the new bill, which Senator Wyden introduced to Congress on September 26, 2024 alongside Senator Mark Warner of Virginia.

The bill, named the Health Infrastructure Security and Accountability Act (HISAA), is proposed as the solution for standardizing cybersecurity practices. It applies to “entities that are of systemic importance.” An entity is of systemic importance when its failure or disruption “would have a debilitating impact on access to healthcare or the stability of the healthcare system.”

Highlights of the new standard include:

  • Performing and documenting a security risk analysis of exposure
  • Documentation of a business continuity plan (BCP)
  • Stress test of resiliency and documentation of any planned changes to the BCP
  • A signed statement by both the CEO and CISO of compliance
  • A third-party audit to certify compliance (no later than six months after enactment)

These new standards create a baseline for healthcare entities, ensuring that these organizations perform regular tests to understand their security exposure and have business continuity plans in place for a scenario where operational integrity is compromised.

As accountability is a primary motivator in the bill (and part of the name itself), there will also be checks on specific organizations to ensure compliance. Twenty entities will be chosen to be audited, based on “whether the entity is of systemic importance, complaints [are] made with respect to the data security practices, and history of previous violations.” Failure to comply will result in penalties. In other words, the Health Infrastructure Security and Accountability Act (HISAA) comes with fangs. Non-compliance also carries civil penalties, tiered by the level of culpability:

  • No knowledge – Minimum of $500
  • Reasonable cause – Minimum of $5,000
  • Willful neglect (Corrected) – Minimum of $50,000
  • Willful neglect (Uncorrected) – Minimum of $250,000

While there are some repercussions for those who don’t meet the requirements, there is some good news for healthcare organizations that struggle with budgets. The bill provides $800 million in up-front investment payments to rural and urban safety net hospitals and $500 million to all hospitals to adopt enhanced cybersecurity standards. This will hopefully mean security programs will get a lifeline of discretionary funds to ensure that security programs meet the necessary standards. I personally have seen how limited resources, both in funds and personnel, can negatively impact a security and continuity program. Security leaders are forced to make tough decisions on how to spend funds and mitigate risk. Hopefully, this will translate to a little more breathing room in the long run.

Should this bill be signed into law, HISAA will permanently change the US healthcare industry moving forward. The proposed legislation takes into consideration the foundational confidentiality and privacy of information established in HIPAA, but takes a far more pragmatic approach to ensuring that standards of cyber hygiene are met, with its focus on how compliance is demonstrated and proven. Proper documentation and consistent testing of security programs enable security teams to understand where their security is effective and where it needs to be improved. This level of security validation is paramount to creating practical and effective security.

While no one likes audits, this act is not too dissimilar from the Sarbanes-Oxley Act (SOX) for publicly traded companies, which has ensured a baseline of risk mitigation since its enactment in 2002. The ultimate goal is to avoid gross negligence of cybersecurity best practices, and the “two-pronged approach” of both fines and funds can do just that.

One pager of the Health Infrastructure Security and Accountability Act
Section by Section Summary of the Health Infrastructure Security and Accountability Act

This article was written by Jay Mar Tang, Field CISO, Pentera.

To learn more about Pentera, visit pentera.io
