A cyberattack on a payment processor that crippled much of the U.S. health care system has prompted calls in Washington for urgent cybersecurity regulation of the sector, setting up a confrontation with hospitals and medical organizations that strongly oppose such a move.
“These companies have become so large that they pose an overall cybersecurity risk,” said Sen. Ron Wyden, D-Ore. He made the remarks Thursday at a Senate Finance Committee hearing with Health and Human Services Secretary Xavier Becerra, whose department is responsible for overseeing digital security standards for the health care industry.
The Feb. 21 attack on Change Healthcare, Inc., hit back-office technology that touches one in three U.S. patient records and disrupted payment processing for prescriptions and other medical services across the country. It left many medical providers in financial distress, and some on the verge of bankruptcy.
The incident has reignited debate among policymakers in Washington about how to improve security in the health sector. HHS has proposed a set of voluntary cybersecurity standards and is developing mandatory rules, but those are unlikely to take effect anytime soon.
Until mandatory rules are enacted, industry critics like Wyden want sharper action. “The next step will be fines and accountability for the negligent CEOs so that HHS can protect patients and national security,” he said Thursday.
HHS, through the Centers for Medicare and Medicaid Services, is working to develop mandatory cybersecurity rules. Updates to the Health Insurance Portability and Accountability Act's security rules will include cybersecurity requirements. The Biden administration is expected to issue a notice of proposed rulemaking establishing minimum cybersecurity standards for the health care sector this month or next, according to a senior administration official who spoke on condition of anonymity.
This push puts the Biden administration on a collision course with the health care industry.
Richard J. Pollack, president of the American Hospital Association, said in a letter earlier this week to Wyden and Sen. Mike Crapo, R-Idaho, ranking member of the Senate Finance Committee, that his industry group “cannot support proposals that impose mandatory requirements,” which he said would amount to blaming hospitals for crimes committed by hackers.
In his letter, Pollack said hospitals and medical institutions are investing significant amounts of money in cybersecurity. He added that most attacks are carried out through third-party technology or other vendors, which he said makes it unfair to hold cash-strapped hospitals responsible.
“Issuing fines or reducing Medicare payments would reduce hospital resources needed to combat cybercrime and be counterproductive to our common goal of preventing cyberattacks,” the letter said. The Biden administration's budget proposal, which ties cybersecurity investments to mandatory minimum standards, is “misguided and … will not improve the cybersecurity posture of the health care sector as a whole,” it added.
President Joe Biden's budget proposal, released this week, includes $1.3 billion to support hospital cybersecurity efforts, as well as financial penalties for hospitals that don't meet requirements. It is unclear whether Congress will adopt the proposal.
A spokesperson for UnitedHealth Group, Change Healthcare's parent company, did not respond to questions about the company's position on minimum mandatory cybersecurity standards.
The senior administration official said the White House is sensitive to the fact that new cybersecurity standards will impose additional costs on a health care industry still recovering, to some extent, from the COVID-19 pandemic. But the official said the measures the administration expects to propose represent the fundamentals of building more secure digital systems.
The critical nature of the industry, both the sensitivity of the services it provides and of the data it holds, should drive companies in this space to build more secure systems, the official said. “The industry has not been able to effectively protect itself,” the official said, adding that a series of recent attacks on the health care sector shows the urgency of implementing minimum cybersecurity standards.
Moreover, consolidation within the industry means that when a company like Change Healthcare falls victim to ransomware, it can take out a central player and set off a cascading effect with a “devastating national impact,” the official added.
Sen. Mark Warner, the Virginia Democrat who chairs the Senate Intelligence Committee, also called for action and said he plans to introduce legislation that would speed up payments to providers and vendors “as long as they meet minimum cybersecurity standards.”
Citing an “unprecedented scale of cyberattack,” HHS this week announced it would investigate whether there was a breach of protected health information and whether Change Healthcare and its parent company, UnitedHealth Group, were in compliance with federal health data privacy laws. Three federal lawsuits have also been filed in connection with the breach.
In a statement to CyberScoop after Thursday's hearing, Wyden said it was “not surprising” that industry would oppose mandating technical standards.
“Private sector opposition to effective cybersecurity regulations is the biggest reason why our nation's critical infrastructure, especially the health care sector, is woefully unprepared for even simple cyberattacks,” Wyden said.
Experts say applying minimum cybersecurity standards to the health care industry is possible, but complicated. Despite the explosion in attacks on health care facilities in recent years, small and medium-sized health care organizations can find it difficult to spend significant sums on cybersecurity, because labor costs, equipment costs and day-to-day expenses limit what they can invest.
Beau Woods, a former senior adviser at the Cybersecurity and Infrastructure Security Agency, said there is tension between health care organizations' belief that addressing cybersecurity is a huge burden and the reality that those same organizations are exposed to a huge number of breaches.
Woods, co-founder of I Am the Cavalry, a volunteer group of cybersecurity professionals who support healthcare organizations, warned that resource constraints do not mean “the status quo is acceptable.”
Dr. Toby Gawker, chief security officer for government health at First Advisory Health, a health industry security advisory firm, said the ongoing debate about standards and mandates has evolved over the past few years, and that calls for mandatory standards need to be matched with funding.
“If mandated without any kind of financial incentive, there would be extreme resistance on the medical side,” Gawker said.
Some advocate creating new regulatory bodies to enforce standards for medical technology stakeholders and funding investments in cybersecurity talent and technology.
A former congressional staffer familiar with the cybersecurity rulemaking process told CyberScoop that mandates that are outcome-focused and include a way to verify through a third party that standards are being met might be more palatable to the industry.
But the former staffer said they don't expect anything to happen anytime soon, given that this is an election year.
“I think the industry is just going to say, 'Let's just get through this for the rest of this year and see what happens next year,'” the staffer said.