
Meet HISAA, HIPAA's Potential Sister Law

Earlier this year, beginning on February 12, Change Healthcare of UnitedHealth Group was targeted in a ransomware attack that spanned a week. Damages were significant, with 6 terabytes of sensitive health information compromised, impacting a potential 110 million customers. Total losses now stand at $2.457 billion. The Office for Civil Rights is currently conducting an investigation to evaluate Change Healthcare’s HIPAA compliance. With the health care sector now the #1 target of ransomware, according to the FBI, this case and many like it illustrate a blind spot in HIPAA: it does not outline specific cybersecurity requirements.

To solve this issue, Senators Ron Wyden and Mark Warner proposed the Health Infrastructure Security and Accountability Act (HISAA) in September, calling for the Department of Health and Human Services to enforce minimum cybersecurity standards in healthcare. The United States Senate Committee on Finance describes the bill’s main points as follows:

  • Requires covered entities and business associates to submit to annual independent cybersecurity audits, as well as stress tests to determine if they are capable of restoring service promptly after an incident, which HHS can waive for small providers.
  • Requires HHS to proactively audit the data security practices of at least 20 regulated entities each year, focusing on providers of systemic importance.
  • Increases corporate accountability by requiring top executives to annually certify compliance with the requirements. Congress already requires execs to sign off on financial statements, as part of Sarbanes-Oxley, and it is a felony to lie to the government.
  • Eliminates the statutory caps on HHS’ fining authority, so that mega-corporations face large enough fines to deter lax cybersecurity.
  • Supports the Department’s security oversight and enforcement work through a user fee on all regulated entities.
  • Provides $800 million in up-front investment payments to rural and urban safety net hospitals and $500 million to all hospitals to adopt enhanced cybersecurity standards.

As technology improves and breaches grow more common, it is essential to have specific, actionable cybersecurity policies and requirements. HIPAA’s current language has become inadequate to cover the scope of the issue, and it is rarely enforced in this context. While these new requirements may involve a learning curve as facilities train cybersecurity specialists, they are ultimately necessary for patient safety. While opponents may cite the potential difficulty for smaller hospitals to meet the standards, the bill provides ample funding to address this concern. If Congress votes to pass the bill, HISAA will complement HIPAA’s regulations to ensure individual health privacy.