Nearly five months after publicly criticizing UnitedHealth Group's chief executive in the wake of the devastating ransomware attack on Change Healthcare, Senate Finance Committee Chairman Ron Wyden on Thursday introduced legislation aimed at preventing future cyber incidents that could disrupt the health care industry.
The Health Infrastructure Security and Accountability Act, introduced by Mr. Wyden, D-Ore., and Senate Intelligence Committee Chairman Mark Warner, D-Va., would impose mandatory requirements on health care providers, health plans, and connected entities, establishing minimum cybersecurity standards for the country.
Change Healthcare was vulnerable to the February attack because it did not have multi-factor authentication enabled on a server that could be accessed remotely; hackers used a set of stolen credentials to compromise the systems of the payment processor, which is owned by UnitedHealth. UHG's chief information security officer said this month that the company was forced to “redo” its systems and was still feeling the effects of the attack.
“Giant companies like UnitedHealth are breaching Cybersecurity 101, and American families are suffering as a result,” Wyden said in a statement. “The healthcare industry has some of the worst cybersecurity practices in the country, even though it is critically important to the well-being and privacy of Americans.”
“These common-sense reforms include prison sentences for CEOs who lie to the government about cybersecurity,” Wyden continued, “and will strengthen the cybersecurity of healthcare companies across the country and stem the wave of cyberattacks that threatens to cripple America's health care system.”
UnitedHealth CEO Andrew Witty said at a Senate hearing in May that Change Healthcare, which the company acquired in October 2022, was in urgent need of modernization and that this particular server had not yet been migrated to MFA. As a result, a “substantial portion” of Americans' health data was exposed, leading to massive industry-wide problems that persist to this day, including issues with insurance claim submission, payment, and patient eligibility verification.
Strengthening protections for health data is a key element of the new bill, which requires the Department of Health and Human Services to “proactively audit the data security practices of at least 20 regulated entities each year,” with a focus on those deemed particularly risky or systemically important to the health care system.
“Cyberattacks against our nation's healthcare providers threaten patients' most personal data, delay needed care, and directly endanger the lives and long-term health of Americans,” Warner said in a statement. “With hacks already targeting institutions across the country, now is the time for healthcare providers and vendors to get serious about cybersecurity and patient safety, beyond voluntary standards.”
Warner also noted in a statement that parts of the bill aim to narrow the cyber divide between the industry's haves and have-nots. Rural and urban safety-net hospitals will receive $800 million in upfront funding to ensure the implementation of enhanced cybersecurity standards, and all other hospitals will receive $500 million in vouchers.
In addition to the new audit requirements, the bill would let HHS impose higher fines on healthcare companies with lax cyber practices by removing the statutory caps on its fining authority. HHS would also have the discretion to exempt small providers from the annual independent cyber stress testing required of covered entities and trading partners.
“Cybersecurity remains an evolving challenge in our health care ecosystem, and more efforts are needed to prevent cyberattacks and ensure patient safety,” HHS Deputy Secretary Andrea Palm said in a statement. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential. We are grateful for the leadership of Senators Wyden and Warner, and we are committed to ensuring cyber resiliency across the healthcare ecosystem. We look forward to continuing to work together on this bill to strengthen the United States.”
The bill also aims to hold healthcare executives more accountable for cybersecurity failures, requiring them to certify annual compliance with new minimum standards.
During a Senate hearing in May in which Witty acknowledged that UnitedHealth had paid a $22 million ransom to the ALPHV hacker group, Wyden said the attack “explained what the bad guys could do.” He concluded by expressing concern that this would set a precedent and stressing the need for legislative action and increased industry transparency.
“If we want to turn this situation around, we're going to have to be more proactive, more proactive,” he said.