April 23

HISAA: Because We All Needed Another Acronym

If there is one industry that has an overabundance of acronyms, it’s the medical industry.  And if there are TWO industries that have an overabundance of acronyms, it’s the medical industry and the technology industry.  So it’s no surprise that at the end of 2024, a new bill was introduced in the 118th Congress that would introduce yet another entry in the myriad acronyms we’ve all come to learn: the Health Infrastructure Security and Accountability Act, or HISAA (HIZZ-uh).  In this article, we’ll review in detail what HISAA is, how it builds upon the regulations in HIPAA and its predecessor, the HITECH Act, and discuss HISAA’s fate and what it means to the healthcare industry.

HISAA’s History

While the bill itself was only introduced late in 2024, the central theme of the bill is something that has been at the forefront for years: cybersecurity and data protection in healthcare.  The healthcare industry is reaching critical mass with hundreds of new data breaches every year.  After the Change Healthcare ransomware attack in 2024, new scrutiny was given to the state of information security at medical practices, hospitals, clinics, and insurance providers – and with good reason.  The healthcare industry continues to be the #1 most targeted industry by cybercriminals.

So, in September 2024, less than two months before the 2024 general election, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced S.5218, the Health Infrastructure Security and Accountability Act of 2024.  The 49-page bill set forth the most comprehensive overhaul of Titles XI and XVIII of the Social Security Act since the HITECH Act & Omnibus Rule in 2013.  Its primary aim was to strengthen cybersecurity and increase oversight of compliance with security standards related to health information.

You may be asking, “Did it become law?”  The answer, unfortunately, is no.  In fact, it didn’t even make it through its first committee referral before the 118th Congress ended.  So why are we even bothering to talk about it?  Because there’s likely to be similar legislation introduced in the 119th Congress that takes up the mantle of HISAA.  Forewarned is forearmed, so let’s dive into precisely what HISAA proposed, how it would have affected covered entities, and practical steps to getting “HISAA ready,” even if the 2024 version of the bill is defunct.

HISAA: HIPAA’s Enforcer

For decades, covered entities and business associates have handled PHI within the strictures of HIPAA.  From workforce training to meaningful use, HIPAA has been a mainstay in healthcare.  In 2013, the HITECH Act and the Omnibus Rule became law to push the adoption of electronic health records systems (EHRs) and enact stricter standards for business associates.  While there were provisions therein to bolster the protections for PHI (especially ePHI), security experts have always decried one key missing element: enforcement.

Comparative Oversight

In other highly regulated industries like banking and financial services, the regulatory bodies that govern them have comprehensive audit & accountability mandates.  In banking, GLBA dictates strict security standards to protect banking information.  Regular examinations by either the OCC or FDIC further enforce those security standards, and banks are required to undergo information security audits by an independent accounting firm at least annually.  Investment firms and publicly traded companies are similarly governed by the Sarbanes-Oxley Act (SOX), SEC, and FINRA rules and are likewise subject to regular InfoSec audits.

Breaches Abound in Healthcare

But the healthcare industry has long been lax in building and requiring independent audits to ensure adherence to information security standards & practices.  Speculation as to why that’s the case could be its own blog series.  Whatever the reasons, one thing is certain: the healthcare industry has suffered some of the most devastating breaches of security as a result of the lack of enforcement.  From the Anthem data breach in 2014-2015 to 2024’s Change Healthcare attack, it is estimated that nearly 250 million Americans have had their PHI compromised as a result of attacks on healthcare institutions; that’s a staggering 73% of the country!

HISAA’s Core Pillars: From Suggestion to Obligation

With HISAA, lawmakers attempted to tackle the problem systematically, outlining a structured and enforceable approach to cybersecurity in healthcare. Let’s explore the five key provisions of the bill in detail:

  1. Minimum & Enhanced Security Standards
  2. Annual Risk Assessments & Independent Audits
  3. Stronger Penalties & Reporting
  4. Medicare Cybersecurity Assistance
  5. Funding Incentives

Minimum & Enhanced Security Standards

HIPAA’s original Security Rule has long been criticized for its ambiguous language around cybersecurity.  Terms like “reasonable” or “appropriate safeguards” have historically given providers and healthcare administrators far too much interpretative freedom, and as we’ve seen, many have interpreted it as “doing the bare minimum.”

Under HISAA, ambiguity became an artifact of the past.  The legislation explicitly required the Secretary of Health and Human Services to establish and enforce clear, minimum security standards for all covered entities and business associates.  These standards were no longer discretionary suggestions; compliance would be mandatory.  They’d be updated at least every two years to ensure they remained relevant against an evolving threat landscape, effectively ending the era of “set it and forget it.”

But the bill didn’t stop there.  It also introduced an even stricter set of standards called “enhanced security standards.” These weren’t for everyone, though.  HISAA singled out organizations deemed of “systemic importance” or critical to national security (think large health networks, major insurers, or large-scale health data repositories). Enhanced standards would include advanced safeguards like continuous threat monitoring, heightened incident-response protocols, and more rigorous access controls—similar to requirements you might see in critical infrastructure sectors like finance or energy.

Audits: Because HIPAA Just Asked Nicely

Perhaps the most ambitious (and overdue) aspect of HISAA was its mandate for annual security risk assessments and independent audits.  Under HIPAA & HITECH, organizations technically need to perform periodic security assessments, but the requirement was always somewhat nebulous, with little oversight or consequence for noncompliance.  HISAA aimed to change all that by explicitly requiring each covered entity and business associate to perform a comprehensive cybersecurity risk analysis annually and document it.  Documentation was no longer optional, vague, or done merely for posterity.  It would have become a matter of enforceable law.

Further, HISAA proposed mandatory annual independent audits conducted by external, qualified cybersecurity professionals.  Organizations would have been required to contract with independent auditors to rigorously evaluate compliance with these new, stringent standards.  These weren’t intended to be token efforts either.  Auditors would certify that organizations were either fully compliant or, at the very least, were actively and demonstrably addressing any compliance gaps. Imagine Sarbanes-Oxley, but for healthcare data security.  The thought likely sent shivers down the spines of healthcare executives everywhere, and for good reason.

Stronger Penalties & Reporting: Driving Change Through Pain

The stakes were set significantly higher under HISAA.  If the potential embarrassment of being publicly identified as failing cybersecurity standards wasn’t motivating enough, the financial consequences might have been.  Entities failing to submit required documentation or comply with audit requirements faced penalties of up to $5,000 per day.  That kind of financial pain would surely capture the attention of hospital administrators and healthcare providers accustomed to treating compliance as a mere paperwork exercise.

Additionally, HISAA would have introduced severe criminal penalties (up to a $1 million fine and 10 years imprisonment) for knowingly submitting false cybersecurity documentation or willfully refusing to provide required information.  This represented a monumental escalation in accountability. Clearly, the sponsors were signaling that the era of treating cybersecurity lightly was over.

Medicare Cybersecurity Assistance & Funding Incentives: The Carrot Amongst Sticks

HISAA wasn’t all punitive; there were meaningful incentives as well.  Recognizing the financial strain these enhanced security standards could impose, the bill introduced funding opportunities for hospitals and critical access hospitals (CAHs) adopting essential and enhanced cybersecurity practices.

Beginning in fiscal year 2027, eligible hospitals and CAHs would have had access to an $800 million fund to adopt basic cybersecurity practices, followed by an additional $500 million earmarked in subsequent years to implement enhanced practices.  Beyond simply incentivizing adoption, HISAA laid out clear guidelines for ongoing cybersecurity improvements, promising payment adjustments and financial support for hospitals proactively managing cybersecurity risks.  These provisions underscored a recognition that cybersecurity improvements are costly, complex, and require ongoing financial and institutional commitment.

HISAA’s Fate & the Future of Healthcare Cybersecurity

Though HISAA stalled almost immediately in the 118th Congress, its core ideas certainly haven’t disappeared.  With healthcare remaining a top target for cybercriminals, it’s practically inevitable that similar legislation will resurface.  Already, whispers on Capitol Hill suggest the 119th Congress might breathe new life into HISAA-like legislation, particularly given the ongoing headlines of catastrophic breaches and ransomware attacks.

Emerging threats, particularly from increasingly sophisticated ransomware groups and state-sponsored actors, guarantee cybersecurity will remain a bipartisan priority.  Add to that the explosion of healthcare technology and AI-driven medical devices, and the urgency becomes even clearer.  The future landscape of healthcare cybersecurity demands robust, enforceable standards precisely like those proposed by HISAA.

AI, Emerging Threats & Opportunities in MedTech

The irony isn’t lost on us: AI, hailed as the future of everything, also represents a new frontier of vulnerability.  With artificial intelligence rapidly integrating into everything from patient diagnostics to treatment algorithms, the surface area for cyberattacks grows exponentially.  Bad actors now target AI-driven tools to disrupt operations or, worse, manipulate clinical outcomes.  Protecting AI-driven medical technologies isn’t optional; it’s existential.

Yet AI presents tremendous opportunities for enhanced cybersecurity as well.  Predictive analytics and machine learning algorithms are already helping identify and mitigate threats before they manifest fully.  Investing in AI-driven cybersecurity measures can offer real-time threat detection, immediate breach response, and far greater precision in managing vulnerabilities.

Preparation: Better Safe Than Breached

Regardless of HISAA’s ultimate fate, proactive preparedness is paramount. Here’s a pragmatic checklist of steps healthcare organizations can take now to prepare for future legislation:

  • Conduct Comprehensive Security Risk Assessments.  Annually perform and document these assessments thoroughly.
  • Engage Independent Auditors.  Even if not currently required by law, independent audits lend credibility and highlight vulnerabilities you may have missed.
  • Develop Robust Incident Response Plans.  Regularly review and stress-test these plans against realistic scenarios.
  • Enhance Security Awareness Training.  Make cybersecurity training rigorous, ongoing, and mandatory for all staff, not just IT.
  • Budget for Cybersecurity Investments.  Allocate appropriate funds proactively rather than waiting for a breach or legislation.

In short, treat cybersecurity as a vital, continuous part of healthcare operations rather than an afterthought triggered only by regulation or catastrophic events.

Final Thoughts: Another Acronym Today, A Safer Tomorrow

Sure, HISAA might have failed to gain much traction this time around, and yes, it represents yet another acronym we begrudgingly add to our already overcrowded healthcare vocabulary.  But the underlying principle, that healthcare data security demands greater accountability and enforcement, is irrefutable and inevitable.

Whether we call it HISAA, HIPAA 2.0, or something else entirely, strengthened cybersecurity legislation for healthcare is coming.  The question isn’t if but when.  And when it arrives, those organizations that proactively embraced its principles ahead of time will find themselves at a considerable advantage, both ethically and operationally.

So, for now, let’s embrace HISAA as a helpful reminder rather than an unwelcome obligation. After all, in healthcare, an ounce of cybersecurity prevention truly is worth a pound of cure.
