Former acting National Cyber Director Kemba Walden said Thursday that in light of the Change Healthcare ransomware attack in February that paralyzed the largest healthcare payment system in the country, Congress needs to act on legislation to codify cyber requirements for the healthcare industry.

At the end of 2023, the Department of Health and Human Services (HHS) published a set of voluntary cybersecurity standards for healthcare systems – including those in rural areas.

“Something that Congress can do is to … codify some of those, if not all of those, voluntary requirements,” Walden said during a Washington Post Live event on June 6. “Make it a minimum cybersecurity standard required of all healthcare systems and then once you make the system defensible, enforce defending it and then cause hospitals to continuously develop resilience.”

Walden – who headed the White House’s Office of the National Cyber Director in an acting capacity from February to November 2023 – moved to the private sector just one month before the cyberattack on Change Healthcare swept headlines across the nation.

The hack – executed by the Russia-based ransomware group ALPHV BlackCat – paralyzed billing services for healthcare providers nationwide.

“[The attack] got in the way of access to healthcare for individuals. It got in the way of providers being able to provide that healthcare to individuals. That’s the first thing – the wellbeing of people and the impact it had,” Walden said. “The second is a bit more wonky, but it’s what happens in the cracks. What are the things that we’re not really engaging on?”

“The healthcare industry has become a corporate entity, a corporate structure, and a corporate ecosystem that engages in mergers and acquisitions, and it’s in those mergers and acquisitions – in the cracks – where we find some vulnerabilities,” she added.

Walden emphasized that because these larger healthcare companies, like United Healthcare, are providing digital services, they should be considered as part of the tech industry.

“As a tech company, they have to think of themselves as the responsible party for protecting patient data and services to enable access to healthcare. These are tech companies now, and we need to treat them that way,” she said.

Walden emphasized that the Federal government needs to start helping healthcare companies “become cybersecurity professionals, full stop.”

“We need to be able to give rural hospitals the resources that they need in order to be able to employ … cloud service providers, giving them training that they need in order to be able to look at vendor contracts in a particular way – in a way that they’re not used to looking,” Walden said. “Giving them the resources that they need to be able to deploy endpoint detection and explaining what that is and why it’s important.”

She said that the government needs to “fan out” into those rural areas that are providing healthcare to the most “underinvested communities possible” and help them become cybersecurity professionals because “it’s another tool to enable the delivery of healthcare service.”

In a June 5 letter to HHS Secretary Xavier Becerra, Senate Finance Committee Chair Ron Wyden, D-Ore., urged HHS to immediately mandate systemically important healthcare companies to improve their cybersecurity practices, and to protect against cyberattacks that can shut down medical centers for weeks and leave patients’ personal medical information exposed to criminals and foreign spies.

“It is clear that HHS’ current approach to healthcare cybersecurity – self-regulation and voluntary best practices – is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers. HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the health care sector from further, devastating, easily-preventable cyberattacks,” wrote Wyden.

“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” continued Wyden. “I urge HHS to use all of its authorities to protect U.S. health care providers and patients from cybersecurity risk.”

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.