A bill introduced in the Senate on Friday would make health care providers and their vendors affected by cyberattacks eligible for upfront and expedited payments through a government program as long as they meet minimum cybersecurity standards.
The bill, from Sen. Mark Warner (Va.), was filed a month after a ransomware attack targeting Change Healthcare, a payment processing company whose technology affects one in three U.S. patient records, disrupted the healthcare industry and crippled the capacity of many medical facilities to bill insurance companies and receive payment.
The proposal comes as UnitedHealth Group, the healthcare giant and parent company of Change Healthcare, faces increased scrutiny, particularly from Congress, over its handling of the incident. UnitedHealth Group CEO Andrew Witty has been asked by the Senate Finance Committee, which counts Warner as a member, to “discuss Change Healthcare and the attack on America's health care system.” The company plans to attend, a company spokesperson told CyberScoop on Friday.
“We prioritize patient access to treatment and medication, system recovery, and data protection, and we work with providers across multiple channels to increase awareness of the Provider Relief Program. We are prioritizing this,” the spokesperson said. “We are also committed to working with Congress and industry leaders to address cybersecurity to ensure the protection and resilience of our health care system.”
Healthcare industry and cybersecurity experts told CyberScoop last week that implementing mandatory minimum cybersecurity standards would be difficult and that major groups, including the American Hospital Association, oppose such proposals.
A spokesperson for the American Hospital Association did not immediately respond to a request for comment Friday on Warner's bill.
Under Warner's bill, health care providers could be eligible for upfront payments through the Centers for Medicare and Medicaid Services (CMS) if they meet currently unspecified minimum cybersecurity standards set by the Secretary of Health and Human Services. According to the bill, if a provider's intermediary is the target of an incident, that intermediary must also meet these standards.
“I have been sounding the alarm about cybersecurity in healthcare for some time,” Warner, co-chair of the Senate Cybersecurity Caucus, said in a statement. “It was only a matter of time before a major attack occurred that disrupted the ability to care for patients across the country. Change Healthcare’s recent hack shows that the entire healthcare industry is vulnerable and needs to step up its efforts. We remind you that this legislation will provide significant economic incentives to providers and vendors.”
Sen. Ron Wyden, D-Ore., said during a March 14 hearing that he would also propose legislation to establish minimum standards. Senate Finance Committee Chairman Wyden also said that companies like UnitedHealth Group are “large enough” to create a “systemic cybersecurity risk” and that after mandatory rules are put in place, “The next step must be to impose fines and fines. By holding accountable negligent CEOs, HHS can protect patients and national security.”