Earlier this year, beginning on February 12, Change Healthcare, a subsidiary of UnitedHealth Group, was targeted in a ransomware attack that spanned a week. Damages were significant: 6 terabytes of sensitive health information were compromised, potentially affecting 110 million customers. Total losses now stand at $2.457 billion. The Office for Civil Rights is currently conducting an investigation to evaluate Change Healthcare’s HIPAA compliance. As the health care sector is now the #1 target of ransomware, according to the FBI, this case and many similar ones illustrate a blind spot in HIPAA: it does not outline specific cybersecurity requirements.
To solve this issue, Senators Ron Wyden and Mark Warner proposed the Health Infrastructure Security and Accountability Act (HISAA) in September, calling for the Department of Health and Human Services to enforce minimum cybersecurity standards in healthcare. The United States Senate Committee on Finance describes the bill’s main points as follows:
As technology improves and breaches grow more common, it is essential to have specific, actionable cybersecurity policies and requirements. HIPAA’s current language has become inadequate to cover the scope of the issue, and it is rarely enforced in this context. While these new requirements may involve a learning curve as facilities train cybersecurity specialists, they are ultimately necessary for patient safety. While opponents may cite the potential difficulty for smaller hospitals to meet the standards, the bill provides ample funding to address this concern. If Congress votes to pass the bill, HISAA will complement HIPAA’s regulations to ensure individual health privacy.