
According to the FBI’s 2023 Internet Crime Report, the healthcare sector has now become the number one target for cybercriminals in the United States, overtaking even financial services and government institutions. The shift marks a troubling escalation, especially considering the sensitive nature of healthcare data. The sector’s vulnerability was made clear in early 2024 with the ransomware attack on Change Healthcare, a core part of the nation’s medical billing infrastructure. That single breach disrupted operations at thousands of hospitals, pharmacies, and medical practices. It’s estimated that the attackers exfiltrated around six terabytes of highly sensitive data, impacting the personal health information and financial records of as many as 100 million people.
Despite the Health Insurance Portability and Accountability Act (HIPAA), which was designed in part to safeguard healthcare data, the regulatory framework has struggled to keep pace with today’s cyber threats. Many of HIPAA’s provisions were written before the rise of sophisticated ransomware, supply chain attacks, and the introduction of cloud-based health services. As a result, compliance with HIPAA often gives a false sense of security; organizations can be technically compliant yet still dangerously exposed.
In response to these growing concerns, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) have put forward the Health Infrastructure Security and Accountability Act (HISAA), a bipartisan proposal directed at strengthening cybersecurity standards across the healthcare sector. The bill seeks to modernize regulations by introducing clearer, more enforceable security requirements, increasing transparency around breaches, and providing support for under-resourced healthcare providers to meet stronger security benchmarks. HISAA represents an attempt to address the gaps in our current system and to ensure that healthcare organizations can protect the patients who rely on them in our digital environment.
The origins and necessity of HISAA
According to a summary of the bill prepared by the Senate Finance Committee, “Hacks of the American health care system are out of control—with health care organizations reporting 725 data breaches in 2023 impacting over 120 million Americans.” These are not minor breaches or isolated incidents. The FBI now confirms that “the health care sector is now the #1 target of ransomware.”
The threat isn’t just about stolen data. As the summary puts it, “Cybersecurity failures have delayed and disrupted patient care, and have harmed patient health and privacy, as well as national security.”
Many of these breaches are preventable. HISAA states, “These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners.”
Despite the risks, healthcare remains one of the least secure sectors in terms of federal regulation. “Health care has some of the weakest cybersecurity rules of any federally regulated industry. There are no mandatory cybersecurity standards and billion-dollar mega-corporations face insignificant fines for lax cybersecurity.”
The proposal argues that the Department of Health and Human Services (HHS), which is responsible for enforcing HIPAA and other privacy rules, doesn’t have the resources it needs to do the job. As the summary notes, “HHS has not been appropriately funded to be an effective cop on the beat. It has not conducted a cybersecurity audit since 2017, and has not issued updated regulations under the HIPAA Security Rule since 2013.”
So what does HISAA actually do? In the Senate’s own words: “The Health Infrastructure Security and Accountability Act sets tough minimum cybersecurity standards, requires annual audits for compliance, and creates serious accountability for companies that fail to meet those requirements, while providing financial support to HHS to enforce the law and to rural and urban safety net hospitals to meet the standards.”
More than just a policy update, it’s an effort to fix the enforcement gap, modernize outdated rules, and provide the funding necessary to bring under-resourced hospitals up to standard.
It also responds directly to growing national security risks. The World Health Organization has warned that ransomware attacks on hospitals and health systems now pose “a systemic risk to global security.”
The provisions of HISAA
As the one-pager for HISAA states, the bill is designed to “modernize HIPAA security requirements” by setting baseline cybersecurity standards for healthcare providers, insurers, clearinghouses, and business associates. Many of HIPAA’s guidelines are open to interpretation based on an organization’s own risk assessments. HISAA takes a different approach by creating clear requirements that all covered entities must follow. For some organizations—those tied to national security or with a large footprint in the healthcare system—those requirements would be stricter.
One of the biggest shifts in the proposal is the introduction of mandatory, independent cybersecurity audits and stress tests. These would evaluate whether an organization can defend against cyberattacks and also how well it can restore services if something goes wrong. According to the one-pager, HHS could “waive [these tests] for small providers,” acknowledging the limits many smaller practices face.
The bill also increases oversight. Under HISAA, the Department of Health and Human Services would be expected to “proactively audit the data security practices of at least 20 regulated entities each year.” The focus would be on organizations with large-scale operations or influence in healthcare delivery. That’s a shift from HIPAA’s current approach, which tends to focus on investigations after a breach or complaint.
HISAA also puts more responsibility on leadership. Executives would be required to personally certify that their organizations are following the rules. As the summary points out, “Congress already requires execs to sign off on financial statements, as part of Sarbanes-Oxley, and it is a felony to lie to the government.” The move is intended to bring cybersecurity into regular oversight at the leadership level.
The proposal also removes limits on how much HHS can fine organizations that don’t comply. HISAA would “eliminate the statutory caps on HHS’ fining authority,” making it possible to impose larger penalties, especially on bigger companies. To help HHS carry out its enforcement duties, the bill also introduces a user fee paid by all regulated entities.
To help with the cost of meeting new requirements, the bill includes direct funding. HISAA would provide “$800 million in up-front investment payments to rural and urban safety net hospitals and $500 million to all hospitals” to help them strengthen their cybersecurity systems. The funding recognizes that not all healthcare institutions have the resources to improve security on their own.
The bill also addresses how Medicare payments are handled during a cyberattack. It would “codify the Secretary’s authority to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption,” a measure that became relevant during the recent Change Healthcare incident.
Overall, HISAA would move healthcare cybersecurity in a more structured direction. The bill outlines specific requirements, puts new checks in place, and adds funding and leadership accountability to support the changes.
The impact of HISAA
According to Tripwire, “Many organizations will need to make substantial investments in technology, training, and infrastructure upgrades to achieve compliance with HISAA. While smaller organizations may face financial and operational strain, the funding provisions within the legislation aim to alleviate some of these burdens, ensuring that even the most resource-strapped providers can enhance their cybersecurity posture.”
The bill’s corporate accountability measures could also change how leadership thinks about cybersecurity. “HISAA will likely prompt a shift in executive priorities, bringing cybersecurity out of the shadows and into the boardroom – a shift that cybersecurity experts have long been calling for.”
The effects of the legislation might reach beyond healthcare, too. “Aside from the obvious impacts on healthcare regulations, HISAA could have significant implications for the broader cybersecurity compliance landscape.” If it passes and succeeds in reducing breaches, it could set a precedent for other critical sectors to prioritize cybersecurity.
Healthcare isn’t the only industry with major vulnerabilities. Energy, finance, and transportation face similar threats, and they could benefit from stronger regulations. If HISAA works, it might push governments to revisit cybersecurity policies and raise the bar across the board.
“All in all,” Tripwire says, “HISAA would be a much-needed and welcome addition to the cybersecurity compliance landscape.”
FAQs
How will HISAA affect small or rural healthcare providers with limited cybersecurity resources?
While HISAA introduces strict new requirements, it also includes funding to support safety net hospitals and small providers. These organizations may also qualify for waived audits or adjusted standards, but they’ll still need to demonstrate basic cybersecurity preparedness to avoid penalties.
Will HISAA change how healthcare organizations choose or manage their IT vendors?
Yes. Healthcare providers will be expected to more rigorously assess and document their vendors’ cybersecurity compliance. Business associate agreements will likely require new clauses, and third-party risk assessments will become more detailed and frequent.
What distinguishes HISAA from HIPAA in terms of enforcement?
Unlike HIPAA, which often reacts after a breach, HISAA mandates proactive annual audits, allows for uncapped financial penalties, and makes executive leadership personally accountable. This shifts the focus from compliance checklists to ongoing, demonstrable security performance.
How might HISAA influence the cybersecurity workforce in healthcare?
Demand for trained cybersecurity professionals in healthcare is likely to increase, with more roles focused on compliance, risk management, and incident response. Smaller facilities may turn to managed security providers to meet technical and regulatory needs.
Could HISAA lead to broader changes in national cybersecurity policy?
Yes. If effective, HISAA could become a model for sector-specific cybersecurity regulation across other industries. Its focus on enforceable standards, executive accountability, and federal oversight may inspire similar frameworks in finance, energy, and transportation.