Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., have introduced a bill that would direct the Department of Health and Human Services to establish and implement mandatory minimum cybersecurity standards for healthcare providers, clearinghouses, health plans and business associates, including those for key entities that are important to national security.

The Senate Finance Committee said Thursday the proposed Health Infrastructure Security and Accountability Act would provide upfront investment payments worth $800 million for rural and urban safety net hospitals and $500 million to all hospitals to implement improved cybersecurity standards. 

The legislation would require HHS to audit the data security practices of at least 20 regulated entities each year and support the department’s security oversight and enforcement activities through a user fee on all regulated institutions.

Under the proposed measure, business associates and covered entities would be required to perform independent cybersecurity audits each year and stress tests to determine their capability to quickly restore service following a cyber incident.

The bill would also remove the statutory caps on the department’s fining authority, require top executives to annually certify compliance with requirements to strengthen corporate accountability and codify the HHS secretary’s authority to provide accelerated and advanced Medicare payments in the event of a healthcare system disruption caused by a cyberattack.

“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety. I’m glad to introduce legislation that would mandate sensible cybersecurity protocols while also getting resources to rural and underserved hospitals to ensure they have the funding to meet these new standards,” Warner said.

Join the Potomac Officers Club’s 2024 Healthcare Summit on Dec. 11, and explore the transformative trends and innovations shaping the future of the U.S. healthcare sector. Register now!

The National Security Agency and the Cybersecurity and Infrastructure Security Agency have collaborated with counterparts in Australia, Canada, New Zealand and the United Kingdom in developing a cybersecurity technical report and guidance to mitigate the Microsoft Active Directory platform’s vulnerabilities to cyber-attacks.

The guidebook, titled “Detecting and Mitigating Active Directory Compromises,” provides strategies to prevent and detect the most common techniques for malicious AD access, NSA said Thursday.

The 80-page report lists and describes the 17 techniques malicious actors commonly use to target AD, as well as recommends mitigation strategies against the cyber threats.

One of the cyberattack tactics that the report identified involves password spraying, which seeks authentication through a single or multiple passwords deployed on AD targets. As one security control to help deter password spraying, the guidance suggests long passwords with a minimum of 30 characters for local administrator and service accounts.

Microsoft launched AD in 1999 and became the most popular authentication and authorization platform in enterprise information technology networks worldwide.

Dave Luber, NSA cybersecurity director, noted that many networks of the Department of Defense and the defense industrial base rely on AD and are attractive cyberattack targets.

“Taking steps to properly defend AD from these common and advanced techniques will detect and prevent adversary activities and protect sensitive data from determined malicious cyber actors,” he said.

The NSA recently published a cybersecurity advisory, in coordination with the FBI, the U.S. Cyber Command’s Cyber National Mission Force and international allies, to alert on China-linked threat actors who hacked into internet-connected devices to create a botnet and execute malicious online activity.