Sen. Mark Warner, D-Va. – co-chair of the Senate Cybersecurity Caucus – introduced legislation that would provide financial incentives for healthcare providers to boost their cyber defense by requiring them to meet minimum cybersecurity standards in order to receive accelerated payment in the event of a cyberattack.
The lawmaker’s “Health Care Cybersecurity Improvement Act of 2024” introduced Friday follows a ransomware attack on UnitedHealth subsidiary Change Healthcare that paralyzed billing services for providers nationwide late last month.
“I’ve been sounding the alarm about cybersecurity in the health care sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” Sen. Warner said in a March 22 statement.
“The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game,” the senator said. “This legislation would provide some important financial incentives for providers and vendors to do so.”
The Department of Health and Human Services (HHS) said early this month that it is investigating the situation with Change Healthcare after a ransomware attack in February disrupted health care services across the country.
The new legislation would modify the existing Accelerated and Advance Payment programs – which provide temporary financial relief to healthcare participants via the Centers for Medicare & Medicaid Services.
“In rare situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can face cash flow challenges due to specified circumstances beyond their control (for instance, during the COVID-19 pandemic),” a press release about the new bill states.
“Since the 1980s, the Centers for Medicare & Medicaid Services (CMS) has provided temporary financial relief to participants in these programs through Accelerated and Advance Payment (AAP) programs, during which these providers and suppliers receive advance payments from the federal government that are later recovered by withholding payment for subsequent claims,” the press release says.
Sen. Warner’s “Health Care Cybersecurity Improvement Act of 2024” would require the HHS secretary to determine if the need for accelerated and advanced payments results from a cyber incident. If it does, the health care provider receiving the payment would need to meet minimum cybersecurity standards. If a provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards.
These provisions would go into effect two years from the date of enactment of the bill.
According to a recent report issued by the FBI, healthcare and public health organizations were the top critical infrastructure sectors that fell victim to ransomware in 2023.