While the healthcare industry's cybersecurity has always garnered attention, it has never drawn as much as it has following the Change Healthcare ransomware attack. That attack forced millions of patients to endure delays and ambiguity in getting care, and the disruptions to billing services, claims, and insurance/eligibility checks have continued since the attack.
Of course, such an attack is expected to cause patient anger and lawsuits, but the Change Healthcare attack also caught the attention of Congress. Last week, The House Committee on Energy and Commerce sent a letter to UnitedHealth Group—Change Healthcare’s parent company—requesting information on the status of the attack and its impact, the specific steps UnitedHealth Group took to remediate the incident, and how Change Healthcare plans to adjust its approach to cybersecurity. The committee seeks a response by April 29.
The letter from Congress also seeks to know how Change Healthcare is providing emergency support to the healthcare community, such as access to temporary funding. Senator Mark R. Warner isn't waiting for a response regarding the funding efforts. In March, the senator, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, introduced the Health Care Cybersecurity Improvement Act of 2024.
If passed, healthcare providers would be eligible for accelerated payments in the wake of future disruptions related to cybersecurity. The hitch? Healthcare providers must meet levels of cybersecurity as defined by the Department of Health and Human Services (HHS).
The bill modifies the existing Medicare Hospital Accelerated Payment Program and Part B advance payments by:
Requiring the Secretary to determine if the need for payments results from a cyber incident;
If it does, requiring the health care provider receiving the payment to meet minimum cybersecurity standards, as determined by the Secretary, to be eligible and
If a provider's intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards, as determined by the Secretary, for the provider to receive the payments.
The letter from Congress and the Health Care Cybersecurity Improvement Act of 2024 show that the Change Healthcare ransomware attack could significantly change healthcare cybersecurity.
Sen. Warner's bill is getting mixed responses from industry participants. Christopher Todd Doss, senior managing director at Guidepost Solutions, says that tying federal payments to meeting security requirements could bring positive outcomes but cautions that there is no guarantee the move will actually improve healthcare security. "Consider a hospital that relies heavily on federal funding. The prospect of receiving these funds could motivate the hospital to prioritize cybersecurity, leading to improved practices such as regular system updates and employee training," says Doss.
Doss and others also warn that this regulatory strategy could cause a "compliance mindset" among healthcare providers.
"The hospital might focus on ticking off the minimum requirements to secure funding rather than implementing a comprehensive and effective cybersecurity strategy. This could result in a superficial improvement in cybersecurity without addressing deeper, underlying issues," Doss warns.
However, others, such as Ted Miracco at threat analytics provider Approov, are confident that such a bill would help improve healthcare cybersecurity. "We think mandates are an effective way of raising the bar immediately," says Miracco. He says financial rewards, or penalties, are a powerful motivator to change behaviors, and that making the receipt of federal payments conditional on meeting specific cybersecurity criteria makes healthcare providers more likely to invest in cybersecurity.
Still, many in the cybersecurity industry don't believe the new bill, if enacted, would have a positive impact. Kiran Chinnagangannagari, chief product and technology officer at Securin, notes that the act offers "no meaningful definition of minimum cybersecurity standards" and that healthcare providers already have to adhere to the Cybersecurity and Infrastructure Security Agency's Cross-Sector Cybersecurity Performance Goals, Binding Operational Directives, and other legislative mandates, not to mention the HIPAA, Medicaid, and Medicare requirements that enforce these standards.
"Why come up with a new bill that is so ambiguous? In my opinion, this bill allows organizations to be lazy and continue bad cybersecurity practices as it offers a sense of a safety net," he says.
Instead of a new bill, the government should focus on revamping current regulations and providing other means to help the healthcare industry defend itself, Chinnagangannagari and others contend.
One such idea is to find areas where the government and private sector can better collaborate on developing more robust defenses. "Implement mandatory cybersecurity audits by independent third parties to ensure compliance with security standards," says Miracco. "These alternative strategies can complement the legislative approach by creating an environment that promotes continual improvement in cybersecurity practices across all sizes of healthcare providers," Miracco says.
Chinnagangannagari agrees that promoting collaboration among healthcare providers and government agencies would be beneficial. "This collaboration enables the sharing of best practices, threat intelligence, lessons learned, and ultimately fostering a stronger defense against cyber threats," he says.
Chinnagangannagari adds that some form of financial support or incentives could help the industry. "This support can come in the form of grants, subsidies, or low-interest loans specifically designed to facilitate investments in cybersecurity," he adds.
Chinnagangannagari also says specialized training and educational programs are essential in guiding healthcare providers, because they can equip providers with the knowledge and skills needed to enhance their cybersecurity capabilities effectively.
"Developing cybersecurity guidelines that are realistic and achievable for organizations of varying sizes and capabilities is essential. Flexibility in compliance requirements is crucial, ensuring that the fundamental security of patient data is maintained while accommodating the distinct needs and resources of smaller providers," he says.
While the passage of Warner's Health Care Cybersecurity Improvement Act of 2024 is far from certain, one thing is: the debate over how to improve the state of healthcare cybersecurity will continue for some time.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.