Health care groups resist cybersecurity rules in wake of landmark breach

A ransomware attack on a payment processor has crippled the U.S. health care system, creating new momentum for cybersecurity regulations.
Sen. Ron Wyden, D-Ore., questions leaders from the U.S. intelligence community during an open hearing in the Hart Senate Office Building on Capitol Hill on March 11, 2024 in Washington, D.C. (Photo by Chip Somodevilla/Getty Images)

A cyberattack on a payment processor that has crippled large parts of the U.S. health care system is inspiring calls in Washington to urgently implement cybersecurity regulations for the sector, setting up a showdown with hospital and health care groups that are stridently arguing against such a move.

“As these companies have become so large, it is creating a systemic cybersecurity risk,” Sen. Ron Wyden, an Oregon Democrat, said Thursday during a Senate Finance Committee hearing featuring Health and Human Services Secretary Xavier Becerra, whose agency is responsible for overseeing the health care industry’s digital security standards.

The Feb. 21 attack on Change Healthcare, a firm whose backroom technology touches 1 in 3 American patient records, crippled payment processing for prescriptions and other health services across the country, leaving many health practices financially strapped, some on the brink of ruin.

The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care sector’s security posture. HHS has proposed a voluntary set of cybersecurity standards and is working to develop mandatory rules, but these are unlikely to come into effect soon.

Until mandatory rules are in place, industry critics like Wyden want sharper action. “The next step has got to be fines and accountability for negligent CEOs, which will enable HHS to protect patients and our national security,” he said Thursday.

HHS is working to develop its mandatory cybersecurity rules via the Centers for Medicare and Medicaid Services. An update to the security rules of the Health Insurance Portability and Accountability Act is expected to include cybersecurity requirements. According to a senior administration official speaking on condition of anonymity, the Biden administration plans to roll out a notice of proposed rule-making sometime this month or next that would establish minimum cybersecurity standards for the health care sector.

This push sets the Biden administration on a collision course with the health care industry.

Richard J. Pollack, the head of the American Hospital Association, wrote in a letter to Wyden and Senate Finance Committee ranking member Sen. Mike Crapo of Idaho, earlier this week that his trade group “cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime.”

Hospitals and health care entities have invested enormous sums in cybersecurity, Pollack said in his letter. He added that most attacks are carried out through third-party technology or other vendors, and that it would therefore be unfair to hold cash-strapped hospitals accountable.

“Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks,” the letter added. Biden administration budget proposals that tie investment in cybersecurity to mandatory minimum standards are “misguided, and … will not improve the overall cybersecurity posture of the health care sector.”

President Joe Biden’s budget released this week called for $1.3 billion to support hospitals’ cybersecurity efforts, alongside a proposal to financially penalize hospitals that did not meet requirements, but it is unclear whether Congress will take up that proposal.

A spokesperson for UnitedHealth Group, the parent company of Change Healthcare, did not respond to questions about the company’s position on minimum mandatory cybersecurity standards.

The senior administration official said that while the White House is sensitive to the fact that new cybersecurity standards will impose additional costs on a health care industry that is to a certain extent still recovering from the COVID-19 pandemic, the steps the administration expects the industry to take represent the basics of building more secure digital systems.

The critical nature of the industry — between the services it provides and the sensitivity of the data it holds — should create an impetus for companies in the sector to build more secure systems. “The sector is not able to effectively defend itself,” the official said, adding that a string of recent attacks on the health care industry illustrates the urgency of implementing minimum cybersecurity standards.

Meanwhile, consolidation within the industry means that when a company like Change Healthcare gets hit by ransomware, it knocks out a central player with cascading effects that “have outsize national impact,” the official added.

Sen. Mark Warner, the influential Virginia Democrat who leads the Senate Intelligence Committee, has also called for action, saying he plans to introduce legislation that would provide accelerated payments to providers and vendors “as long as they meet minimum cybersecurity standards.”

Citing the “unprecedented magnitude of this cyberattack,” HHS announced an investigation this week into whether a breach of protected health information occurred and whether Change Healthcare and its parent company, UnitedHealth Group, were in compliance with federal health data privacy laws. Three federal lawsuits linked to the breach have also been filed.

Wyden said in a statement to CyberScoop after Thursday’s hearing that it’s “no surprise” the industry opposes mandatory technical standards.

“Private-sector opposition to effective cybersecurity rules is the number one reason our critical infrastructure, particularly the health care sector, is so woefully unprepared for even unsophisticated cyberattacks,” Wyden said.

Experts say applying minimum cybersecurity standards to the health care industry is possible, but complicated. Even as attacks on health care facilities have exploded in recent years, it can be hard for small and medium-sized health care entities to spend significant sums on cybersecurity. Costs for personnel and equipment, along with day-to-day expenses, can limit investments in cybersecurity.

Beau Woods, a former senior advisor to the Cybersecurity and Infrastructure Security Agency, said there is a tension between health care entities who think addressing cybersecurity would add major burdens and the reality that health care organizations are subject to a huge number of breaches.

Woods, who co-founded I Am the Cavalry, a volunteer group of cybersecurity experts who help health care entities, cautioned that that resource constraint does not mean that “the status quo is acceptable.”

The ongoing conversation about standards and mandates has evolved in recent years, said Dr. Toby Gouker, the chief security officer for government health with First Health Advisory, a health industry security advisory firm. Any calls for mandatory standards must be matched with funding, he said.

“There will be an extreme level of resistance on the part of health care, if mandates come out without some kind of financial incentives, as well,” Gouker said.

Some have argued for a new regulatory entity to enforce standards for health technology stakeholders or financial support to invest in cybersecurity personnel and technology.

A former congressional staffer familiar with previous cybersecurity rule-making processes told CyberScoop that mandates will be more likely to be accepted if they’re outcome-focused, with the ability to verify with third parties that standards are being met.

But, the former staffer said, given that it’s an election year, don’t expect anything to happen soon.

“I think industry is just going to just say ‘let’s ride this out the rest of the year and see where we are next year,’” the staffer said.