New legislation mandates minimum cybersecurity standards to safeguard healthcare providers in case of future hacks

A U.S. Senator has introduced the Health Care Cybersecurity Improvement Act of 2024, which proposes providing advance and accelerated payments to healthcare providers following a cyber incident, contingent upon meeting minimum cybersecurity standards. This legislation comes in response to a ransomware attack on Change Healthcare that disrupted billing services for providers nationwide, putting many at risk of financial insolvency.

The legislation, introduced by Mark R. Warner, a Democrat from Virginia, member of the Senate Finance Committee, and co-chair of the Senate Cybersecurity Caucus, would modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program by requiring the Secretary to determine whether the need for payments results from a cyber incident.

If it does, the health care provider receiving the payment would have to meet minimum cybersecurity standards, as determined by the Secretary, to be eligible; and if a provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards, as determined by the Secretary, for the provider to receive the payments. These provisions would go into effect two years from the date of enactment.

The text of the Act stipulated that “Beginning on the date that is 2 years after the date of enactment of the Health Care Cybersecurity Improvement Act of 2024 if the Secretary determines that a cybersecurity incident led to the disruptions of the operations of such hospital’s intermediary or the unusual circumstances to such hospital’s operation that resulted in such significant cash flow problems, accelerated payments shall not be made to such hospital unless such hospital meets minimum cybersecurity standards, as determined by the Secretary; and in the case of operations of such hospital’s intermediary, such intermediary meets minimum cybersecurity standards, as determined by the Secretary.”

It also laid down that “Beginning on the date that is 2 years after the date of enactment of this Act, in the event of a cybersecurity incident, as determined by the Secretary of Health and Human Services, leading to the making of payments pursuant to the program described in section 421.214 of title 742, Code of Federal Regulations (or any successor regulation), such payments shall not be made to a provider of services or supplier unless such provider of services or supplier meets minimum cybersecurity standards, as determined by the Secretary; and in the case of such provider’s or supplier’s intermediary being the target of such incident, such intermediary meets minimum cybersecurity standards, as determined by the Secretary.”

“I’ve been sounding the alarm about cybersecurity in the healthcare sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” Senator Warner said in a media statement. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.” 

He also highlighted that in rare situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can face cash flow challenges due to specified circumstances beyond their control, such as during the COVID-19 pandemic.

Since the 1980s, the Centers for Medicare & Medicaid Services (CMS) has provided temporary financial relief to participants in these programs through Accelerated and Advance Payment (AAP) programs, during which these providers and suppliers receive advance payments from the federal government that are later recovered by withholding payment for subsequent claims.

In 2022, Sen. Warner authored ‘Cybersecurity is Patient Safety,’ a policy options paper outlining current cybersecurity threats facing healthcare providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. Since its publication, Sen. Warner has launched the Health Care Cybersecurity Working Group with a bipartisan group of colleagues to examine and propose potential legislative solutions to strengthen cybersecurity in the healthcare and public health sector.
