Top Democrat proposes minimum cybersecurity standards in wake of Change Healthcare attack

The new legislation from Sen. Mark Warner comes as health care groups say they would oppose such proposals.
Sen. Mark Warner, D-Va., delivers remarks during a Rules Committee hearing at the Russell Senate Office Building on Nov. 14, 2023 in Washington, D.C. (Photo by Kevin Dietsch/Getty Images)

A bill proposed Friday in the Senate would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards.

The legislation from Sen. Mark Warner, D-Va., comes a month after the ransomware attack that targeted Change Healthcare — a payment processor whose technology touches 1 in 3 American patient records — crippled the health industry and the ability of many health care facilities to bill insurance companies and receive payments.

The proposal comes as UnitedHealth Group, the health industry behemoth and Change Healthcare parent company, has come under increasing scrutiny for its handling of the incident, particularly from Congress. UnitedHealth Group CEO Andrew Witty is planning an appearance before the Senate Finance Committee, which counts Warner as a member, to “discuss the attack on Change Healthcare and the U.S. health care system,” a company spokesperson told CyberScoop on Friday.

“We are prioritizing ensuring patient access to care and medications, restoration of our systems, protection of data, and engaging with providers through multiple channels to help raise awareness of our provider relief programs,” the spokesperson said. “We are also committed to working with Congress and industry leaders to address cybersecurity to ensure the protection and resiliency of our health care system.”


Health care industry and cybersecurity experts told CyberScoop last week that implementing mandatory minimum cybersecurity standards will be difficult, and major groups — including the American Hospital Association — have said they would oppose such proposals.

A spokesperson for the American Hospital Association did not immediately respond to a request for comment Friday regarding Warner’s legislation.

Under Warner’s bill, health care providers could be eligible for advanced payments through the Centers for Medicare & Medicaid Services (CMS) if they met so-far undetermined minimum cybersecurity standards established by the secretary of the Department of Health and Human Services. If a provider’s intermediary was the target of the incident, that intermediary would also have to have met those standards, according to the legislation.

“I’ve been sounding the alarm about cybersecurity in the health care sector for some time,” Warner, co-chair of the Senate Cybersecurity Caucus, said in a statement. “It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide. The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

Sen. Ron Wyden, D-Ore., said during a March 14 hearing that he would also be proposing legislation to establish minimum standards. Wyden, the Senate Finance Committee chair, also said that companies like UnitedHealth Group have become “so large” as to create a “systemic cybersecurity risk,” and that after mandatory rules are in place, “the next step has got to be fines and accountability for negligent CEOs, which will enable HHS to protect patients and our national security.”
