Regulatory update: Mandatory cybersecurity controls in healthcare

In the past two months, two bills were introduced in the U.S. Senate that will significantly increase cybersecurity requirements for healthcare providers. Both bills propose substantial regulatory reporting requirements and call for rewards and penalties.

Dec 20, 2024

John Norenberg

VP, IT and Cybersecurity, Risk and Compliance

Washington is getting ready to significantly raise the stakes on cybersecurity requirements for healthcare providers and their business associates.

The timing of and speed with which these bills are moving is underscored by a grim outlook for cybersecurity in the healthcare industry overall. According to IBM data:

  • The average number of cyber systems in a hospital is 22, yet the optimal number is three
  • Average functional utilization of each cyber system is 15%-25%, yet optimal utilization is 90%-plus

Each of the stats above increases the likelihood of a breach, and that likelihood grows the farther an organization's actual numbers sit from the optimal ones. For today’s healthcare organizations, a breach and loss of data is all but guaranteed.

The following is a summary of the two cybersecurity bills the U.S. Senate recently introduced.

S.5218—Health Infrastructure Security and Accountability Act of 2024

Sponsors: Sen. Ron Wyden (sponsor); Sen. Mark Warner (co-sponsor)

Summary: The bill’s aim is to strengthen and increase oversight of, and compliance with, security standards for health information.

Highlights:

  • Requires independent third-party certification assessments against the subset of NIST 800-53 controls germane to HIPAA.
  • Penalties of up to 1% of Medicare reimbursement for noncompliance.
  • Grant funds of up to $2.6 million to help critical access hospitals become compliant.
  • On top of third-party certification assessments, the OIG will perform random audits. Inaccurate reports will be subject to prosecution under the False Claims Act. Additional penalties may include $5,000 per day of fraudulent activity, a $1 million lump-sum penalty, and individual prosecution of all senior executives and board members who are party to signing the fraudulent report.
  • The covered healthcare provider’s business associates are also required to abide by the certification provisions.

Status: The bill has been advanced to the Senate Finance Committee, where it is still undergoing changes.


S.5390—Health Care Cybersecurity and Resiliency Act of 2024

Sponsors: Sen. Bill Cassidy (sponsor); Sen. Mark Warner, Sen. John Cornyn, Sen. Maggie Hassan (co-sponsors)

Summary: The bill seeks to increase cybersecurity reporting and help fund the development of proper cybersecurity protections for healthcare providers that need it.

Highlights:

  • Mandates that HHS improve industrywide cyber reporting.
  • Closes the gap between the average time to report and what is required by the regulations (i.e., enforces compliance).
  • Increases transparency of reporting to Congress and the public.
  • Makes funds available to those organizations needing assistance to implement the requirements.
  • Makes funds available to organizations, via Medicare, to help health provider organizations that become financially stressed due to a cyberattack on their Medicare payment third-party infrastructure.
  • Mandates that HHS create and fund a cybersecurity workforce development program.


Status: The bill is in pre-submission form as of this writing.

For both of these bills, many details will need to be fleshed out, either during the bill review process or later by HHS. The analysis and opinions below should therefore be read as “directional” for the time being.

Related news and opinions

At Kodiak, we’ve been keeping an eye on the Senate Health Care Cybersecurity Working Group, the HHS 457b Task Force, and related actions by other federal groups. Based on these groups’ work, we’re confident in the following predictions:

  • The requirements in S.5218 follow closely the directives of the Cybersecurity and Infrastructure Security Agency and the work of the U.S. Department of Defense following 2010’s Executive Order 13556—Controlled Unclassified Information. We expect that the certification method proposed in S.5218 will follow the methods undertaken by the DoD, the U.S. Department of Energy, the Securities and Exchange Commission, the U.S. Department of Education, and federal law enforcement. Therefore, being familiar with the DoD’s Cybersecurity Maturity Model Certification program (upon which all the others are based) will give you the best idea as to how the certification assessments introduced in S.5218 will be enforced.
  • The OIG has recently reported that HHS and its OCR have mismanaged their responsibility to enforce cyber protocols. Therefore, you can expect that the reporting requirements for a breach will:
      • Have all reporting loopholes closed, with significant fines for exceeding the 72-hour period to report a breach.
      • Require sending the FBI all the machines that were part of the attack, with no changes made except to back them up.
      • Require much more detailed information.
      • Require submission of the system security plan that was in place at the organization when the breach happened, along with the most recent certification against that plan.
  • The incentives for compliance are still to be determined and are changing as the process moves forward. Here is the current state:
      • The first bill is the only one to contain numbers for planning purposes: $2.6 billion in grant funding for critical access hospitals and no grant funding for noncritical access hospitals. In addition, the first bill notes an up to 1% reduction in Medicare reimbursements for noncompliance.
      • The second bill has no detail about the incentives but mentions that it will be incumbent on Congress to fund the programs that HHS wants to put in place.
      • The second bill seems to want to soften the financial issues created by the first bill. On the other hand, any grant funding for noncritical access hospitals depends on Congress to fund it, which casts doubt on whether the funding will ever happen. Additionally, there is a lot of chatter in Washington about wanting to avoid another “Meaningful Use debacle.”
      • As with many other federal programs, the legislation makes it clear that accountability will rest with organizations’ CEOs, CFOs, and boards of directors.

Health systems should begin preparing now

The bipartisan support for these cybersecurity bills, their popularity, and the speed with which they are moving make it clear that Congress is determined to require cyber controls for healthcare providers. It is also clear that the requirements will be modeled on the DoD’s successful CMMC program. For healthcare leaders, this means that a good understanding of CMMC is useful for predicting where the currently proposed programs will land.

To comply with these new laws and subsequent regulations, health systems will also need to rethink their cybersecurity strategies and rework their infrastructures into more streamlined and effective models. This will not be cheap. There are also significant downsides to noncompliance for organizations, including fines and reduction of Centers for Medicare & Medicaid Services revenue.

There are also downsides for C-suite leaders and governing boards, including the requirement to be aware of and approve all cybersecurity actions. This might be new to many boards and senior leaders, who will carry personal penalties in the event of a false report or breach. It’s worth noting that critical access hospitals will be given an opportunity to apply for grants to defray the cost of their cybersecurity controls.


Both bills will require HHS to take action in 2025. For healthcare organizations, starting preparations sooner rather than later will be paramount.
