The Boston Globe

Cybersecurity upgrades eyed for health providers

Crackdown comes after ransomware disrupts payments

- By Mohana Ravindranath

Washington is cracking down on the technology running behind the scenes in health care following a debilitating cyberattack on a health care payments processing company — and it could have major implications for hospitals and the vendors selling crucial IT.

In the weeks since a ransomware attack on Change Healthcare brought pharmacy and hospital payments across the country to a halt, policymakers and lobbyists have raced to cobble together strategies for averting future attacks, ranging from tying federal aid to minimum cybersecurity requirements to new voluntary standards spun up by public-private partnerships. Change Healthcare is a unit of UnitedHealth Group.

The attack exposed how security vulnerabilities at a single company could bring down critical technology infrastructure that a vast majority of health care providers and health insurers rely on every day. In the aftermath, federal regulators have come under fire for not being prepared and not acting soon enough, with some lawmakers calling for “tough, mandatory cybersecurity standards for the health care industry” including regular audits.

Still, it’s not yet clear what will take hold in Washington: Experts said it’ll depend on the upcoming election, how fast federal regulators can get their act together, and the amount of lobbying pressure health trade groups exert to ensure they’re not penalized for being attacked.

“How quickly can people step back from being angry about what happened to Change, and realize, ‘let’s really think about the roles — the roles are, are you the victim? Or are you the criminal?’” said Rodney Whitlock, a vice president at McDermott+Consulting, the health policy subsidiary of law and lobbying firm McDermott Will & Emery.

Experts said early federal proposals appear to offer hospitals financial incentives for meeting cybersecurity requirements, but don’t offer significant support if they meet that bar and still fall victim to a hack.

“If there is a minimum standard, and I’m meeting that minimum standard, what do I get other than, ‘OK, if you come back and you still have an attack, it’s still your fault?’” Whitlock said.

A recent White House budget request, for instance, would set aside $800 million to help financially struggling hospitals cover the cost of meeting the minimum cyber standards set by the Department of Health and Human Services. An additional $500 million incentive program is proposed to encourage all hospitals to invest in cybersecurity.

The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency proposed a rule requiring organizations dealing with cyber attacks to report the incident to the government within 72 hours, and any ransomware payments within 24 hours — failure to comply could lead to enforcement actions.

Senator Mark Warner, a Virginia Democrat who co-chairs the Senate Cybersecurity Caucus, introduced a bill that would allow for advance Medicare payments to providers who suffer a cybersecurity incident as long as they and their vendors meet minimum security requirements.

“This bill is a carrot, but Medicare could also require certain standards like the President included in his FY25 budget request if more mandatory steps are needed,” a spokesperson for Warner told STAT.

In some cases, if there’s data theft, the Office for Civil Rights within HHS could levy fines for organizations experiencing ransomware attacks.

Government-imposed financial penalties sometimes work, but in an industry as large and complex as health care, “it’s very difficult to effect positive results with smaller organizations,” especially if they’re scattered, said Stuart Gerson, a former acting attorney general under President George H.W. Bush and current member of law firm Epstein Becker Green’s health care litigation practice. For Gerson, a “better model” would be partnering with the private sector, whether to pressure-test organizations’ cybersecurity preparedness or to establish voluntary standards.

“While you can demonstrate substantial compliance, that doesn’t solve the problem — these [hacking] organizations are able to successfully attack organizations that have state-of-the-art compliance,” he said.

Greg Garcia, executive director for cybersecurity of the industry coalition Healthcare Sector Coordinating Council, urged regulators to work with industry on a detailed map of the health industry’s technological utilities to flag “where those critical chokepoints are, and what we need to do to protect them.” The council has been recognized by the federal government to coordinate a government-industry cybersecurity strategy.

Health care lobbying groups could potentially nudge Washington to dial back rules that place compliance burden on hospitals, but it’ll depend on how well they coordinate with each other, Whitlock said.

John Riggi, a national cybersecurity adviser for the American Hospital Association, which has opposed proposals penalizing hospitals dealing with attacks, suggested cybersecurity certifications for third-party tech vendors, potentially granted by the federal government or a private partnership.

“We don’t write our own operating system code, we don’t build our own medical devices, we buy them,” Riggi said. “How do we manage that third-party risk?”

The federal government could reduce these risks by enforcing higher security standards for the outside applications health systems, pharmacies, and payers rely on for things like billing and scheduling, he said. It could also offer even more funding for hospitals who can’t currently afford to beef up those protections.

“Even if we spent every dollar of our budgets on cybersecurity, that still does not eliminate the majority of cyber risk that comes to us from third parties,” he said.

Photo (CHRISTOPHER LEE/NEW YORK TIMES/FILE): Change Healthcare, a unit of UnitedHealth Group, was hit with a ransomware attack that brought pharmacy and hospital payments across the country to a halt.
