A group of industry experts called on Congress this week to enforce minimum cybersecurity standards among healthcare organizations in light of the February ransomware attack on UnitedHealth subsidiary Change Healthcare.
The cyberattack – executed by the Russia-based ransomware group ALPHV BlackCat – paralyzed billing services for providers nationwide, opening lawmakers’ eyes to the dangers of a consolidated healthcare sector.
“UnitedHealth was a target because of its size. It’s the largest health company in the world,” House Energy and Commerce Health Subcommittee Ranking Member Anna Eshoo, D-Calif., said during an April 16 hearing focused on the ransomware attack. “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk.”
Full committee Chair Cathy McMorris Rodgers, R-Wash., agreed, noting that as the nation’s healthcare system becomes more consolidated, the impacts of cyberattacks may be more widespread.
According to a recent report issued by the FBI, the healthcare and public health sector was the top critical infrastructure sector to fall victim to ransomware attacks in 2023.
“Despite significant increase in cyberattacks perpetrated against the healthcare sector, a lesson holds true: we spend more money cleaning up a mess after it happens rather than paying for less inexpensive measures up front,” Rep. Eshoo said.
Greg Garcia, Executive Director for Cybersecurity for the Healthcare Sector Coordinating Council, said the February attack was the “most appalling and disruptive” attack on the healthcare sector the nation has seen.
Scott MacLean, the College of Healthcare Information Management Executives (CHIME) board chair, said CHIME conducted a study among its members that found only 13 percent were left unaffected by the Change Healthcare cyberattack.
“Cybersecurity is a shared responsibility, however, without additional Federal assistance, the healthcare and public health sector is limited in what we can do,” MacLean said.
MacLean recommended that Congress prioritize funding healthcare organizations, particularly those that are small and under-resourced, to help implement the Department of Health and Human Services (HHS) voluntary cyber performance goals.
Among other recommendations, MacLean also called on Congress for a “Federally driven playbook” so that healthcare organizations have immediate access to needed information – like who to contact – in the face of the next cyberattack.
“Put simply, we must have a clear pathway to the Federal front door at HHS,” he said.
Adam Bruggeman, an orthopedic surgeon at Texas Spine Center, echoed many of MacLean’s recommendations, saying that “Congress should clarify the agencies’ authority to respond to future disruptions so that impacted parties do not lose precious time waiting for guidance.”
Bruggeman made arguments for advanced payments from the government in the event of a cyberattack – legislation the Senate already has in the works.
In light of the Change Healthcare incident, Sen. Mark Warner, D-Va., introduced legislation that would provide financial incentives for healthcare providers to boost their cyber defense by requiring them to meet minimum cybersecurity standards in order to receive accelerated payment.
Sen. Gary Peters, D-Mich., has also begun probing both HHS and the Cybersecurity and Infrastructure Security Agency to prioritize cybersecurity efforts in the healthcare sector.