Prominent U.S. Senator Sees New Momentum for Healthcare Cybersecurity


As U.S. hospitals struggle to pay their workers amid a cyberattack that knocked out a major payment services provider, a powerful Democratic senator seizes the opportunity to advocate for better security in the extremely vulnerable health sector.

Sen. Mark Warner (D-VA) introduced legislation that would require hospitals and their technology providers to implement cybersecurity best practices before the government offers them emergency payments. It’s a proposal that reflects his immense frustration with an industry that he says has consistently underinvested in vital digital defenses — a neglect that burst into the spotlight in February when Change Healthcare, the largest medical claims processor in the United States, shut down its systems after suffering a ransomware attack, cutting off payments to already cash-strapped hospitals and plunging the industry into crisis.

“We need to impose minimum cybersecurity standards in health care,” Warner told Recorded Future News in a recent interview. “We’ve been talking about this for a while without much action.”

As chairman of the Senate Intelligence Committee, Warner has access to the most sensitive information about how foreign governments and cybercriminals attempt to harm Americans by disrupting critical infrastructure. While others focus on strengthening cyber defenses at water facilities and schools, Warner has focused on healthcare facilities. At the end of 2022, his office published a white paper defining policy responses to the health sector cyber crisis. Last November, he launched a bipartisan Senate task force to consider legislative solutions.

“Cybersecurity in healthcare is really about patient safety,” Warner said. And with the Change hack still affecting hospitals across the country and the Biden administration planning regulations to strengthen the industry’s cyber posture, Warner believes now is the time to make his case.

“Nothing moves until an incident,” he said, “and then you have to be ready, and things move quickly.”

Change is in the air

A constant barrage of cyberattacks has shown that the health care community is among the most poorly guarded elements of America’s critical infrastructure. Hackers have repeatedly breached hospital chains, insurers and vendors, and the healthcare sector topped the list of ransomware victims in 2023, according to FBI data.

As hospitals face a perpetual funding crisis that the COVID-19 pandemic has greatly exacerbated, Warner wants to focus regulation on vendors who sell technology to these facilities. “We need to change the incentive system to incorporate cybersecurity…before the product or software goes to market.”

The healthcare sector’s cyber weaknesses have gone largely unnoticed by the general public for years. But the Change Healthcare hack, which could cost providers tens of millions of dollars a day in cash flow disruptions, brought the problem into stark relief — and perhaps gave lawmakers like Warner the political momentum needed to overcome long-standing opposition from the industry to regulation.

“The Change hack attracted industry attention quite dramatically,” Warner said. “We suddenly saw something that really shook about a third of the healthcare industry.”

The Biden administration rushed to respond as providers warned of severe liquidity shortages. The Department of Health and Human Services (HHS) has begun emergency payments, the department opened an investigation into Change’s security breaches, and administration officials summoned company executives to a meeting at the White House with other industry representatives to highlight the importance of a collective response.

Now, Warner is hoping for quick action on his legislation in the short time before the state of emergency is enacted. Asked if he saw the Change crisis as an example of the old adage “never let a good crisis go to waste,” Warner replied: “That’s my hope.”

Carrots, costs and certifications

Warner’s legislation, the Healthcare Cybersecurity Improvement Act, would require healthcare providers experiencing cash flow problems due to a cyberattack to meet “minimum cybersecurity standards” before receiving emergency funds from the Centers for Medicare and Medicaid Services (CMS). If the cyberattack targeted one of the provider’s vendors, that vendor will also need to meet the minimum standards before it can receive funding.

The bill leaves it up to the Secretary of HHS to determine what constitutes minimum cybersecurity standards. HHS recently released health-specific cybersecurity performance goals based on broader guidance from the Cybersecurity and Infrastructure Security Agency (CISA).

Warner said he chose to tie cyber hygiene requirements to financial aid to avoid the harsher approach of simply imposing improvements without associated benefits. “We tried to spin this a little bit more like a carrot,” he said.

But he also made clear that no matter what approach Congress takes, the status quo of unconditional federal payments is no longer acceptable. “The alternative of saying, ‘Okay, we’re going to continue to repay, even if minimum standards are put in place,’ doesn’t hold water.”

The powerful health care industry has repeatedly opposed new regulations on providers, and Warner said his bill has already “elicited knee-jerk reactions from some professional associations who reflexively said: ‘We don’t want new mandatory standards on any subject.’”

The Department of Health and Human Services is planning its own regulatory changes to improve healthcare cybersecurity.

The American Hospital Association, one of the industry’s most influential lobbying groups, declined to comment on the bill. But the AHA — which has harshly criticized Change’s limited help for struggling providers — previously told Warner that it opposed CMS’s planned cybersecurity updates to hospital operating regulations because of the “significant financial investment” and staff training they would require.

These arguments irritate Warner, who says there is no reason for the industry to treat cybersecurity any differently than any other patient safety imperative.

“A hospital can’t say, ‘Well, we can’t afford our nursing ratios anymore.’ We can’t afford to have backup power,” Warner said. “We already have a set of requirements for vendor operations that are built into the system. And yes, it’s a new one. But you can’t just say, ‘Okay, well, this is a whole new area and there’s nothing we can do.’”

Warner remains sensitive to cost concerns, however. He acknowledged that the government should offer “some level of reimbursement” to help hospitals upgrade and secure their computers and other devices. “How to go back and modernize the equipment,” he said, “is a challenge.”

In addition to hospitals repairing old equipment, Warner also wants to see health technology providers design new products with cybersecurity in mind. To encourage this change and help hospitals purchase the safest products, Warner wants the government to create a best practices certification for health technology, similar to the Energy Star label that distinguishes energy-efficient devices.

Growing interest

Even before the Change hack, policymakers were increasingly joining Warner’s quest to improve the healthcare sector’s cybersecurity.

In November, Warner and Senator Bill Cassidy (R-LA), ranking member of the Senate Health, Education, Labor and Pensions Committee, joined Senators John Cornyn (R-TX) and Maggie Hassan (D-NH) in forming a working group to explore legislative options.

“There’s a lot of interest” in this issue among group members, Warner said, although discussions are happening “primarily at the staff level at this point.”

Meanwhile, the Biden administration is pursuing its own healthcare cybersecurity strategy. HHS is planning two regulatory changes: adding cybersecurity requirements to the Medicare and Medicaid participation rules for hospitals, and an update to the landmark health data security rule under the Health Insurance Portability and Accountability Act (HIPAA).

Warner said he expected to receive a briefing from the Biden administration on those plans soon, adding, “I support, directionally, what the administration is doing.”

Next steps

As the current crisis shifts away from the headlines, Warner is determined to keep the issue of hospitals and vulnerable patients at the forefront in Congress.

Warner said he hopes his bill will be heard by the Senate Finance Committee, whose chairman, Ron Wyden (D-OR), is a staunch defender of increased corporate responsibility and government vigilance in cybersecurity. Wyden is already planning to summon the CEO of Change’s parent company, UnitedHealth Group, for a hearing this month.

Warner said he plans to discuss his bill with Wyden in hopes of scheduling a hearing soon. But he acknowledged that passing the law “would take some time.”

Even if the bill becomes law, Warner knows it could be a long time before hospitals and their vendors are forced to change their cybersecurity practices. It took three years for the White House to begin implementing Warner’s bill regulating federal agencies’ use of Internet of Things devices, and it took CISA two years to propose a rule implementing a cyber incident reporting mandate for critical infrastructure operators that Warner helped draft.

Warner believes, however, that time is running out for Congress to pass meaningful, measured requirements that could avert catastrophe.

“The alternative would be that we ended up with a catastrophic event where people died, and then Congress would overreact.”
