What is the Health Infrastructure Security and Accountability Act of 2024 (HISAA)?

These days, with recent ransomware attacks disrupting healthcare providers and affecting millions of Americans, it’s become painfully clear that cybersecurity in this sector is no longer just an IT issue—it’s a patient safety issue, and the stakes are higher than ever. The proposed Health Infrastructure Security and Accountability Act of 2024 (HISAA), spearheaded by Senators Ron Wyden and Mark Warner, aims to address these vulnerabilities head-on.

As cybersecurity experts with a long-time presence in the healthcare regulation and assessment space, we can tell you that—if it passes—HISAA will introduce a new reality for healthcare organizations that will include enhanced accountability and mandatory cybersecurity compliance. To help you get ahead of such a landmark shift, let us provide some insight.

In this article, we’ll give an overview of HISAA, including the motivations behind its introduction, before taking a closer look at the bill’s independent assessment requirement so that you can make informed choices for your organization as the Act moves toward becoming law.

An Overview of HISAA

Due to the wealth of sensitive patient data they hold, healthcare systems have become prime targets for cybercriminals, who can sell or wield that incredibly valuable information on the dark web for use in fraudulent activities. In fact, according to recent intelligence, cyberattacks on the healthcare sector increased by a staggering 128% in 2023 alone.

One of the most significant breaches involved UnitedHealth’s Change Healthcare unit—stolen credentials and a lack of multifactor authentication led to millions of Americans being affected in a clear example of the ripple effects of such breaches, which can cause:

  • Enormous delays in prescriptions;
  • Cash flow challenges for rural clinics; and
  • (Most importantly) a compromise of patient care.

To avoid those outcomes and mitigate these risks, the proposed HISAA will amend the Health Insurance Portability and Accountability Act (HIPAA) and direct the Department of Health and Human Services (HHS) to establish minimum cybersecurity standards for healthcare providers, health plans, clearinghouses, and business associates.

Some of the key provisions under HISAA include:

  • Mandatory cybersecurity measures, including multifactor authentication, data encryption, and regular risk assessments
  • Accountability penalties for noncompliance, such as reductions in Medicare reimbursements
  • Required incident reporting in a prompt and transparent manner

2 Central Components of HISAA

Two further requirements of HISAA, compulsory independent assessments and what the bill calls “stress tests,” will both demand significant planning and investment should HISAA pass.

Mandatory Independent Assessments

Yes, under this new bill, covered entities and business associates will be required to undergo annual independent cybersecurity audits confirming that they have controls in place that comply with the Healthcare and Public Health Sector Cybersecurity Performance Goals (CPGs).

(Created by HHS to help the healthcare sector improve its cybersecurity resilience, the CPGs are a set of voluntary guidelines that would serve as the foundation for the enforceable standards mandated under HISAA, should it pass.)

Because they are intended to verify that your cybersecurity infrastructure is robust enough to protect patient data and healthcare operations, these audits won’t be a box-checking exercise, and you will have to engage a third party to perform them.

HISAA likely requires this because internal teams, while knowledgeable, can miss key vulnerabilities precisely because they are so familiar with your systems. Third-party auditors bring fresh eyes and can spot issues that internal teams overlook, and they add credibility: when regulators, stakeholders, and even patients see that your cybersecurity controls have been vetted by an objective third party, it fosters stronger trust.

Should HISAA become effective, healthcare organizations will have 18 months to complete their initial independent audit.

“Stress Tests”

Annual stress tests are another component of the proposed legislation. Under HISAA, healthcare organizations must also evaluate their preparedness for a cyber incident by simulating real-world attacks that test their ability to recover essential functions—such as patient care—quickly and efficiently.

Stress testing often includes a combination of:

Altogether, stress tests help create a proactive culture of preparedness. Requiring them under HISAA signals an aim to make healthcare organizations less reactive, so that they are not scrambling after an attack, which can be the difference between a minor disruption and a full-blown crisis.

Should HISAA become effective, healthcare organizations will have 36 months to conduct their initial stress test.

Preparing for HISAA

HISAA represents a potentially major shift for many in the healthcare space, one that will mean planning for mandatory annual audits and stress tests, as well as the other security requirements under the law.

Getting it right will require expertise, diligence, and foresight, and since compliance with these rules won’t be optional, starting now will be key. It may seem like you have a long runway, but waiting until the last minute could result in rushed implementations, missed vulnerabilities, or worse, non-compliance, which for larger organizations could mean fines running well into the millions annually.

Getting it right will also take resources, and critical access hospitals and high-needs hospitals should know that starting in 2027, and continuing into the early 2030s, funding is being earmarked to help. In a clear signal that Congress recognizes the importance of bolstering security across the healthcare infrastructure, the bill would set aside $1.3 billion specifically for cybersecurity improvements in the sector.

Getting Ready for HISAA and Partnering for Success

These days, a data breach that affects patient care can put lives at risk, and protecting those lives requires strong, proactive security measures. As such, healthcare organizations need to treat cybersecurity with the same seriousness as any other patient care protocol, and—if HISAA passes—they’ll be required to do so.

Now that you know a little more about the potential new regulation, read our other content to learn about some other specific considerations when it comes to securing healthcare data:

And while everyone waits on the progression and eventual enforcement of HISAA, if you’re interested in getting started now, as we recommend, you’ll need a trusted third-party partner, and Schellman may be the right fit.

As we understand the complexities of healthcare operations and the unique cybersecurity challenges facing the industry today, our team is qualified to guide you through the intricacies of the new legislation, whether you want to start with a readiness assessment or want to move forward with the comprehensive stress tests and independent audits.

If you’d like to learn more about how Schellman can help your organization navigate the new standards, contact us today. Our team is ready to discuss how we can help you not just meet a regulatory requirement but also future-proof your organization against evolving cybersecurity threats so that you remain resilient enough to protect what matters most: your patients.
About the Authors

Ryan Meehan is a Director at Schellman. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, CHQP, and the Advanced SOC certification.

Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.