U.S. Senator Ron Wyden, who late last month asked federal agencies to investigate flaws in UnitedHealth Group’s cybersecurity measures that led to the massive ransomware attack that disrupted hundreds of hospital and pharmacy operations, now is pushing the Health and Human Services (HHS) Department to require such large health care organizations to immediately implement protections.
In a letter sent his week to HHS Secretary Xavier Becerra, the Oregon Democrat chastised the department for allowing hospitals and other health care facilities implement their own cybersecurity measures, albeit with guidance from the federal government. At a time when the health care industry is under attack by ransomware and other cyberthreats and the UnitedHealth case illustrated how devastating such an attack can be, the federal government needs to play a larger role, he wrote.
“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history,” wrote Wyden, chair of the powerful Senate Finance Committee. “It is clear that HHS’ current approach to healthcare cybersecurity – self-regulation and voluntary best practices – is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.”
In late February, an affiliate of the notorious BlackCat/ALPHV ransomware-as-a-service (RaaS) gang hacked into the systems of Change Healthcare, a UnitedHealth subsidiary, and stole about 4TB of data that included such personal information as payment details and insurance records, as well as information about military personnel and government employees.
UnitedHealth, the country’s largest health care company in the United States with more than 152 million customers, said the stolen information could affect “a substantial proportion of people in America.” Change processes payments, medical and insurance claims, and prescription orders for hundreds of thousands of hospitals, health care clinics, and pharmacies.
Many of those organizations saw their operation grind almost to a halt in the wake of the attack, with medical procedures postponed, prescriptions going unfilled, and facilities going unpaid.
In his earlier letter to the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), Wyden claimed that UnitedHealth was negligent in its cybersecurity procedures, noting that UnitedHealth CEO Andrew Witty admitted that it was company policy to have multifactor authentication (MFA) on all external-facing systems, but that it wasn’t hadn’t been implemented organization-wide.
In addition, UnitedHealth failed to ensure its systems could be recovered quickly in case of such an attack, which meant that the company had to shut down and then rebuild the systems.
“The devastating ransomware attack would have been prevented had the company used MFA, a basic cybersecurity defense which federal agencies are required to use, and required of several industries regulated by other agencies,” Wyden wrote to Becerra. “However, HHS does not require health care companies to use MFA, nor does HHS require covered entities or business associates to adopt any other specific cybersecurity best practices.”
He noted that HHS last year announced plans to update cybersecurity regulations for the health care sector, which haven’t been “meaningfully updated” since 2003, but said the department need to go beyond that given its central role in an industry that is an increasing target of hackers.
In 2022, health care organization reported more than 600 breaches that affected almost 42 million American, the senator wrote. In addition, the FBI said the health care and public health sector was the top critical infrastructure industry targeted by ransomware gangs. He placed the blame for the “current epidemic of successful cyberattacks” against the health care industry on HHS’ poor regulatory oversight.
“The harms resulting from hacks are not limited to the theft of sensitive patient data,” Wyden wrote. “Researchers have found that cyberattacks can result in delays in access to care and impair health care providers’ ability to access electronic medical records at the point of care. A recent study found that these events can also result in higher mortality rates for Medicare patients already admitted in a hospital impacted by ransomware.”
HHE should require minimum – and mandatory – technical cybersecurity standards for organizations like large health systems and clearinghouses that would touch on how they protect electronic data and ensure the resiliency of systems. To meet these standards, the companies should be required to participate in the Medicare program.
The entities should be able to rebuild their IT infrastructure from scratch within two to three days and HHS needs to stress test the companies to ensure they meet the requirements.
“It is not acceptable for an SIE [systemically important entity] like Change Healthcare to be down for more than 6 weeks,” Wyden wrote.
HHS also must periodically conduct cybersecurity audits of these companies and their business associates – the department last ran an audit in 2017, due to a lack of resources, the senator noted – and should help health care providers with their cybersecurity efforts.
The American Hospital Association (AHA) has been aggressive pushing back against efforts to place more regulations and penalties on hospitals. In a statement to the U.S. House Subcommittee on Health in April, the AHA said that hospitals and health systems have invested billions of dollars bolstering cybersecurity capabilities and that the trade association had worked closely with federal agencies to prevent and mitigate cyberattacks.
However, the weakness in cybersecurity have more to do with business associates other non-health care organizations than with the hospitals themselves, the AHA wrote. Last year, more than 95% of significant health sector breaches came via those outside organizations.
“The AHA opposes proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” the association wrote. “The now well-documented source of cybersecurity risk in the health care sector, including the Change Healthcare cyberattack, is from vulnerabilities in third-party technology, not hospitals’ primary systems.”
Recent Articles By Author