Senate Finance Committee Calls for HHS to Strengthen Healthcare Cybersecurity Regulations
The harm caused by the ransomware attack on Change Healthcare is unprecedented and, while it has yet to be confirmed, it appears that more healthcare data was stolen than in any other incident to date. There are clearly lessons to be learned to ensure that an incident of this magnitude can never happen again.
The CEO of United Health Group (UHG), the parent company of Change Healthcare, has confirmed that the hacker was able to gain access to a server using stolen credentials and that the attack was made possible because multi-factor authentication (MFA) had not been implemented on the server, even though it was company policy to protect all internet-accessible servers with MFA. MFA is a standard cybersecurity practice and one that should have been implemented across the organization with no exceptions.
This week, Senate Finance Committee chair Senator Ron Wyden (D-OR) wrote to HHS Secretary Xavier Becerra calling for the HHS to implement stricter cybersecurity regulations for large healthcare organizations and for the HHS to step up enforcement. Sen. Wyden said the failure to regulate the cybersecurity practices of major healthcare providers has contributed to the current epidemic of highly disruptive cyberattacks, such as the ransomware attack on Change Healthcare.
The HHS' Office for Civil Rights has prioritized the investigation of the Change Healthcare cyberattack, launching an investigation before the extent of the breach was known to determine if the attack was the result of a failure to comply with the HIPAA Security Rule. The HHS investigates all breaches of more than 500 records and proposes financial penalties when cybersecurity is found lacking and when the HIPAA Rules have been violated. While large financial penalties serve as a deterrent, it can be years after the HIPAA breach before a financial penalty is announced, and action is required now to improve healthcare cybersecurity.
OCR has issued voluntary cybersecurity performance goals for the healthcare sector and is encouraging all HIPAA-regulated entities to adopt those practices, but they are voluntary. "The agency's current approach of allowing the health sector to self-regulate cybersecurity is insufficient and fails to protect personal health information as intended by Congress," wrote Wyden. "HHS must act now to address corporations' lax cybersecurity practices."
More cyberattacks are being reported than ever before, huge numbers of health records are being compromised in hacking incidents, and these attacks are causing actual harm to patients. In the case of the attack on Change Healthcare, patients were prevented from receiving the care they needed, providers had to limit hours or close completely, prescription medications could not be obtained, and the data stolen in the attack put patients at risk of financial harm.
Wyden has called for the HHS to take "immediate, enforceable steps" to require large healthcare organizations to improve cybersecurity. Specifically, Wyden has called for the HHS to implement minimum, mandatory technical cybersecurity standards for systematically important entities (SIEs), such as healthcare clearinghouses that are used by large numbers of healthcare organizations and large health systems. The HHS must also be proactive and enforce compliance.
For instance, the HITECH Act requires the HHS to conduct regular audits of HIPAA-regulated entities to assess HIPAA compliance. OCR has announced that it will be conducting audits in 2024, the first time since 2017; however, rather than auditing a broad range of HIPAA-regulated entities, Wyden has called for OCR to prioritize audits of SIEs.
Wyden also takes issue with the length of time it took Change Healthcare to rebuild its systems after the attack. The outage lasted for 6 weeks and caused major disruption to providers across the United States. Such a situation should not happen, according to Wyden. He proposed a requirement for all SIEs to be able to completely rebuild their infrastructure from scratch within 48-72 hours.
Healthcare organizations of all types and sizes are being targeted by hackers, and cybersecurity needs to be improved sector-wide. For smaller healthcare organizations with low resources, improving cybersecurity can be a huge challenge. The HHS has announced that it intends to provide financial assistance to low-resource hospitals to help them improve cybersecurity by adopting the HHS's voluntary cybersecurity performance goals. Wyden has proposed that the Centers for Medicare and Medicaid Services' Quality Improvement Organizations and Medicare Learning Network programs be leveraged to provide technical cybersecurity assistance and guidance to low-resource hospitals to help them improve cybersecurity.
The problem with tackling cybersecurity through more regulations is that technology moves fast and it is difficult to keep regulations up to date with changes in technology. This is one of the reasons why the HIPAA Security Rule is light on detail when it comes to cybersecurity: it avoids having to issue new regulations in response to technological advances and changes in business practices.
A better approach may well be voluntary cybersecurity goals that can be updated in response to changes in technology relatively quickly. Financial incentives can then be offered to healthcare organizations to encourage adoption. Voluntary cybersecurity practices do not have to go through the same lengthy processes to update as changes to HIPAA.
What is abundantly clear is that something needs to be done, and fast, to improve healthcare cybersecurity, as there are no indications that attacks will slow; most likely they will continue to increase in number, sophistication, and severity. Focusing on improving cybersecurity at large healthcare organizations makes sense, as they have the financial resources to improve security, and successful attacks on them have greater impact and cause far more harm.