Healthcare groups resist cybersecurity rules in wake of historic breach

A cyberattack on a payment processor that has crippled large parts of the US health care system is prompting calls in Washington to urgently implement cybersecurity regulations for the industry, setting up a showdown with hospital and healthcare groups that vehemently argue against this movement.

“As these companies have gotten so big, it’s creating a systemic cybersecurity risk,” Sen. Ron Wyden, D-Oregon, said Thursday during a Senate Finance Committee hearing with Health and Human Services Secretary Xavier Becerra, whose agency is responsible for overseeing the healthcare industry’s digital security standards.

The February 21 attack on Change Healthcare, a company whose technology is behind 1 in 3 US patient records, paralyzed payment processing for prescriptions and other health services across the country, leaving many healthcare practices financially strapped, some on the brink of ruin.

The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care industry’s security posture. HHS has proposed a voluntary set of cybersecurity standards and is working to develop mandatory rules, but they are unlikely to go into effect soon.

Until there are mandatory rules, industry critics like Wyden want stronger action. “The next step must be fines and accountability for negligent CEOs, allowing HHS to protect patients and our national security,” he said Thursday.

HHS is working to develop its mandatory cybersecurity rules through the Centers for Medicare and Medicaid Services. An update to the Health Insurance Portability and Accountability Act’s security rules is expected to include cybersecurity requirements. According to a senior administration official speaking on condition of anonymity, the Biden administration plans to release a notice of proposed regulation sometime this month or next that would establish minimum cybersecurity standards for the healthcare industry.

That push puts the Biden administration on a collision course with the healthcare industry.

Richard J. Pollack, the head of the American Hospital Association, wrote in a letter to Wyden and the ranking member of the Senate Finance Committee, Sen. Mike Crapo of Idaho, earlier this week that his trade group “cannot support proposals for mandatory cybersecurity requirements that are imposed on hospitals as if they were to blame for the success of hackers in perpetrating a crime.”

Hospitals and healthcare organizations have invested huge sums in cybersecurity, Pollack said in his letter. He added that most attacks are carried out using third-party technology or other vendors, so it would be unfair to hold cash-strapped hospitals accountable.

“Imposing fines or cutting Medicare payments would diminish hospital resources needed to fight cybercrime and would be counterproductive to our shared goal of preventing cyberattacks,” the letter added. The Biden administration’s budget proposals that link cybersecurity investment to mandatory minimum standards are “misguided and … will not improve the overall cybersecurity posture of the healthcare industry.”

President Joe Biden’s budget released this week called for $1.3 billion to support hospital cybersecurity efforts, along with a proposal to financially penalize hospitals that don’t comply, but it’s unclear whether Congress will take up that proposal.

A spokesman for UnitedHealth Group, Change Healthcare’s parent company, did not respond to questions about the company’s position on mandatory minimum cybersecurity standards.

The senior administration official said that while the White House is sensitive to the fact that the new cybersecurity standards will impose additional costs on a healthcare industry that to some extent is still recovering from the COVID-19 pandemic, the steps the administration hopes the industry will take represent the building blocks of more secure digital systems.

The critical nature of the industry — between the services it offers and the sensitivity of the data it has — should give companies in the sector an impetus to build more secure systems. “The industry is not able to defend itself effectively,” the official said, adding that a series of recent attacks on the healthcare industry illustrates the urgency of implementing minimum cybersecurity standards.

Meanwhile, consolidation within the industry means that when a company like Change Healthcare is hit by ransomware, it takes out a central player with cascading effects that “have an outsized national impact,” the official added.

Sen. Mark Warner, the influential Virginia Democrat who heads the Senate Intelligence Committee, has also called for action, saying he plans to introduce legislation that would provide expedited payments to suppliers and vendors “as long as they meet the minimum cyber security standards”.

Citing the “unprecedented magnitude of this cyberattack,” HHS announced an investigation this week into whether a breach of protected health information occurred and whether Change Healthcare and its parent company, UnitedHealth Group, complied with federal health data privacy laws. Three federal lawsuits related to the breach have also been filed.

Wyden said in a statement to CyberScoop after Thursday’s hearing that he is “not surprised” that the industry opposes mandatory technical standards.

“Private sector opposition to effective cybersecurity rules is the number one reason why our critical infrastructure, especially the healthcare sector, is woefully unprepared for even unsophisticated cyberattacks,” Wyden said.

Applying minimum cybersecurity standards to the healthcare industry is possible, but complicated, experts say. While attacks on healthcare facilities have exploded in recent years, it can be difficult for small and mid-sized healthcare entities to spend significant sums on cybersecurity. Personnel and equipment costs, along with day-to-day expenses, can limit investments in cybersecurity.

Beau Woods, a former senior adviser at the Cybersecurity and Infrastructure Security Agency, said there is a tension between healthcare organizations that think tackling cybersecurity would add huge burdens and the reality that healthcare organizations are subject to a large number of breaches.

Woods, who co-founded I Am the Cavalry, a volunteer group of cybersecurity experts who help healthcare organizations, cautioned that this resource constraint does not mean “the status quo is acceptable.”

The ongoing conversation about standards and mandates has evolved in recent years, said Dr. Toby Gouker, director of government health security at First Health Advisory, a health industry security advisory firm. Any request for mandatory standards must be matched with funding, he said.

“There’s going to be an extreme level of resistance from health care, if the mandates also go without some sort of financial incentive,” Gouker said.

Some have argued for a new regulatory body to enforce standards for health technology stakeholders or financial support to invest in cybersecurity staff and technology.

A former member of Congress familiar with previous cybersecurity rulemaking processes told CyberScoop that the mandates will be more likely to be accepted if they focus on outcomes, with the ability to verify through third parties that organizations are meeting the standards.

But, the former member said, given that it’s an election year, don’t expect anything to happen anytime soon.

“I think the industry is just going to say ‘let’s do it for the rest of the year and see where we are next year,’” the former member said.

Written by AJ Vicens and Elias Groll