An Expert Weighs in on the Proposed Removal of Limits on HIPAA Fines

Feb. 12, 2025
Smaller healthcare providers need support rather than being threatened with penalties, cybersecurity expert says

After a year in which the healthcare sector was a repeated victim of cyber-attacks, a new proposed measure would direct the Department of Health and Human Services (HHS) to craft a set of minimum cybersecurity standards and require the agency to conduct yearly audits. The Health Infrastructure Security and Accountability Act (HISAA) amends the Health Insurance Portability and Accountability Act (HIPAA).

One element of HISAA would remove the statutory caps on HHS fines, allowing significant penalties to deter noncompliance, especially among large corporations.

Steve Cagle, CEO of Nashville-based Clearwater, believes the suggestion to remove a cap on fines for any organization involved in a breach is an element of the proposed bill that might have unforeseen impacts, specifically on smaller organizations. Healthcare Innovation recently spoke with Steve Cagle to learn more.

What are your thoughts on the proposed HISAA bill?

The Health Infrastructure Security and Accountability Act (HISAA), proposed by Senators Elizabeth Warren [Sen.-D-MA] and Ron Wyden [Sen.-D-OR], aims to strengthen cybersecurity in healthcare by introducing stricter accountability measures and financial penalties for organizations that fail to protect patient data. The Act also attempts to address gaps in existing regulations and calls for more comprehensive standards and enforcement. The bill seems to recognize the importance of including all stakeholders in the healthcare ecosystem regarding standards and enforcement, as it refers to both covered entities and business associates (as defined under HIPAA) and is not singling out hospitals as we have seen some other cybersecurity initiatives do. HISAA calls for $1.3B in funding over what appears to be many years. While this is a good start, it is not enough to help smaller, cash-strapped healthcare organizations implement and maintain cybersecurity standards continuously. The healthcare sector needs stronger resources and financial support for smaller hospitals and healthcare provider groups.

What type of changes are organizations expected to make, and how challenging might this be?

The bill calls for the establishment of minimum and enhanced cybersecurity standards for covered entities and business associates (as defined by HIPAA), with the enhanced standards applicable to covered entities that are of “system importance to national security” and requiring these to be updated no less than every two years. Presumably, these would align with the HHS “voluntary” cybersecurity practices published in early 2024. It would also require covered entities and business associates to broaden the existing risk analysis requirement in the HIPAA Security Rule to assess their vendors and the current requirement to assess all internal systems that create, maintain, transmit, or store electronic Protected Health Information (ePHI).

The fact of the matter is that these practices are not new. They are based on minimal industry standards that have existed for some time in the NIST Cybersecurity Framework and the 405(d) Health Industry Cybersecurity Practices Guide. It’s important to realize that many healthcare organizations are already following these practices and, in many cases, are going well beyond these basic security controls. However, other organizations choose not to adhere to these standards in the manner they should; therefore, creating a requirement to meet standards would clarify what security practices are mandatory and level the playing field across the industry. While it is important to have clear and consistent standards that are required – not optional – it’s important to recognize that healthcare organizations that cannot afford the resources or investments to meet these standards will have serious challenges in complying with new regulations.

Cybersecurity requirements must be appropriate for the size of the organization, and we have to be realistic in providing necessary resources to those organizations that cannot afford or do not have the skills to meet these requirements. These organizations might benefit from collaborating with third-party healthcare cybersecurity firms that specialize in implementing and executing these programs under an outsourced model.

Does anything stand out in the proposed bill?

A few things stand out.

The bill calls for requirements for covered entities and business associates to create incident response, business continuity, and disaster recovery plans and stress test these plans to ensure they can restore systems promptly and document these tests. These are much needed in healthcare, as we must assume that no matter how strong a cybersecurity program is, at some point, there will be a security incident. The healthcare organization’s ability to detect, contain, respond, operate under duress, and recover will ultimately determine the impact on patient safety and compromise of ePHI.

Additionally, the bill calls for making the CEO and CISO formally accountable by having them attest that their organization complies with the minimum security standards and requiring them to post this attestation on their website. This proposal has received a lot of attention in the industry, and many think that it may further dissuade CISOs, who already accept lower pay and fewer resources, from working in healthcare organizations, as they may be held accountable for nonconformances that they cannot control due to lack of funding and support to meet the requirements.

It is good to see that HISAA addresses business associates under HIPAA, and not only hospitals or providers. As we have seen with the massive ransomware attacks and breaches over the last several years, healthcare is an interconnected sector, with information and technology shared among many parts of the supply chain. This creates extensive vulnerabilities, and threat actors have specifically exploited these at third-party organizations to impact providers and payors. All parts of the sector must share responsibility to keep the sector secure and resilient. Future regulations must hold all organizations accountable and not just single out hospitals or other types of healthcare organizations.

Could you clarify the difference between organizations that are negligent in preventing a breach and those that act in good faith?

Many healthcare providers, payors and business associates act responsibly to implement, execute, and mature their cybersecurity practices based on industry standards like the NIST Cybersecurity Framework and 405(d) Health Industry Cybersecurity Practices (HICP). For an organization to act responsibly and in good faith, it must conduct ongoing risk analysis of all its information systems continuously, and it must do so when changes are made to its systems or organization.

The process of risk analysis is required under the HIPAA Security Rule, and it is purposely designed to allow organizations to continue to assess, analyze, and determine where they have risks above their risk tolerance. So long as they are meeting the best practices, implementing this ongoing process of information system-based risk analysis, and reducing high risks, they are acting in good faith.

Risk never goes to zero, and therefore, there will be organizations that meet all of the cybersecurity standards but still have a breach or a ransomware attack by a threat actor that specifically targets them. These threat actors are typically well-funded organized criminal organizations harbored and supported by nation-states. It is neither reasonable nor fair to punish a healthcare provider that is acting responsibly but is attacked and violated by a criminal. This is different from a situation where an organization’s management team knowingly did not implement basic cybersecurity practices, ignored the risk analysis requirement under the HIPAA Security Rule, or knowingly failed to address high risks while having the means to do so, at least at some level.

Organizations that decide to ignore basic cybersecurity requirements or fail to perform a risk analysis of all of their information systems yet continue to implement and rely upon new technologies to treat patients or perform operations involving sensitive data are not acting responsibly, and there is a strong case to hold them accountable, as these decisions can lead to patient harm and harm to other organizations that rely on them for services.

What kind of impact would removing a cap on fines have on an organization involved with a breach?

Removing caps on fines will only have an impact if there is stronger enforcement of the existing HIPAA regulations and application of the fines. To date, there has been limited enforcement, which is generally related to HIPAA violations from up to 5 years ago. More funding would need to be allocated to investigation and enforcement actions to assess larger fines. This money would be better spent on funding cybersecurity programs for those organizations without the means or resources to meet the standards.

What is your opinion about incentives for security improvement through federal funding?

Smaller healthcare providers need support rather than being threatened with penalties. A more effective approach might involve incentivizing security improvements for smaller, resource-constrained entities through federal funding, requiring the funds to be used to meet HIPAA security requirements. Perhaps we can use the fines and penalties raised from larger organizations that have the means but are negligent to help fund grants for smaller organizations that want to improve their cybersecurity posture but cannot afford to do so.

What are your thoughts on implementing a model similar to the Cybersecurity Maturity Model Certification (CMMC)?

The HISAA bill also calls for third-party audits to assess implementation and compliance with the standards, which may be challenging if third-party assessors are not vetted and certified. As we see today in healthcare, numerous firms misrepresent their assessments as “HIPAA certifications” or incorrectly say they have performed a “risk analysis,” which, in reality, is a gap assessment of the HIPAA Security Rule. A model similar to the CMMC or PCI DSS for larger organizations, whereby assessors must be certified and maintain strict credentials and requirements themselves, would be beneficial to ensure quality and consistency. Smaller organizations with less risk and less means to pay for certifications could self-attest.

Do you have additional advice?

There is no one-size-fits-all solution; a balanced approach that considers organization size, resources, and interconnected risks will strengthen healthcare cybersecurity. With thoughtful reforms and accountability measures, we can build a system that promotes security and fairness, ultimately protecting patient data across the healthcare landscape.

While the $1.3B in funding being allocated is a good starting point, it is still insufficient, and we need to consider other entities that may be larger but are struggling financially, as well as non-profit organizations. We would also like to see more incentives, such as those we had with Meaningful Use/Promoting Interoperability, to motivate investments rather than solely rely on penalties and fines.

We must recognize that smaller organizations do not have the resources and funding to implement even many basic controls to thwart cyberattacks. Smaller healthcare organizations, particularly critical access hospitals and rural health centers, are vital to our health system and will need support from our government.
