Cybersecurity

Senate bill eyes minimum cybersecurity standards for health care industry

The legislation from Sens. Wyden and Warner comes in the aftermath of the February ransomware attack on Change Healthcare.

By Matt Bracken

September 26, 2024

Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., talk before a Senate Armed Services Committee hearing in Washington, D.C. on Jan. 10, 2017. Wyden and Warner introduced a bill to require minimum cybersecurity standards in the health care sector on Sept. 26, 2024. (TASOS KATOPODIS/AFP via Getty Images)

Nearly five months after his high-profile grilling of UnitedHealth Group’s chief executive following the devastating ransomware attack on Change Healthcare, Senate Finance Committee Chairman Ron Wyden introduced a bill Thursday aimed at preventing future cyber incidents capable of roiling the health care industry.

The Health Infrastructure Security and Accountability Act from Wyden, an Oregon Democrat, and Senate Intelligence Committee Chairman Mark Warner, D-Va., would lock in mandatory minimum cybersecurity standards for providers, health plans and connected entities.

Change Healthcare was vulnerable to the February attack because it did not have multi-factor authentication enabled on a server, allowing the hackers to gain remote access to the UnitedHealth-owned payment processor’s systems with a set of stolen credentials. UHG’s chief information security officer said this month that the company was forced to “start over” with its systems and is still feeling the effects of the attack.

“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden said in a statement. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.

“These common sense reforms,” Wyden continued, would “include jail time for CEOs that lie to the government about their cybersecurity” and “will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.”

UnitedHealth CEO Andrew Witty said during the May Senate hearing that Change Healthcare, which the company acquired in October 2022, was in dire need of modernization and this particular server had not yet undergone the shift to MFA. The result was the exposure of “a substantial portion” of Americans’ health data and massive, industry-wide issues — including problems with claim submissions, payments and the verification of patient eligibility — that continue to this day.

Stronger protections for health care data is a key component of the new bill, which would require the Department of Health and Human Services to “proactively audit the data security practices of at least 20 regulated entities each year,” focusing specifically on health systems deemed to be systemically important.

“Cyberattacks on our health care institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long term health,” Warner said in a statement. “With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety.”

Warner also noted in his statement the portion of the bill intended to narrow the cyber gap between the industry’s haves and have-nots. Rural and urban safety net hospitals would receive $800 million in up-front investment payments to ensure adoption of strengthened cybersecurity standards, while $500 million would be ticketed for all other hospitals.

In addition to its new audit duties called out in the bill, HHS would be able to levy larger financial penalties on health care companies with lax cyber practices thanks to the elimination of statutory caps on the agency’s fining authorities. And HHS would have discretion to waive annual independent cyber stress tests for small providers that would otherwise be required of covered entities and business associates.

“Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyberattacks and ensure patient safety,” HHS Deputy Secretary Andrea Palm said in a statement. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential. We are grateful for Senator Wyden and Senator Warner’s leadership and look forward to continuing to work together on this legislation to strengthen cyber resiliency across our entire health care ecosystem.”

The bill also seeks to hold health care executives more responsible for cybersecurity failures, requiring those leaders to certify their institutions’ compliance with the new minimum standards on a yearly basis.

In the May Senate hearing, in which Witty confirmed UnitedHealth’s $22 million ransom payment to the ALPHV hacking group, Wyden closed with his concerns about the attack setting a precedent “to the bad guys of what they can accomplish,” underscoring the need for legislative action and more industry transparency.

“You’re going to have to be much more active and much more forthcoming,” he said, “if we’re going to turn this around.”