Prominent US senator sees new momentum for healthcare cybersecurity push
As US hospitals struggle to pay their employees amid a cyberattack that knocked out a major payment vendor, a powerful Democratic senator is seizing the moment to push for better security in the sorely vulnerable healthcare sector.

Sen. Mark Warner (D-VA) has introduced legislation that would require hospitals and their technology vendors to implement cybersecurity best practices before the government offers them any emergency payments. It's a proposal that reflects his immense frustration with an industry that he says has consistently underinvested in vital digital defenses, negligence that burst into the spotlight in February, when Change Healthcare, the largest medical claims processor in the US, shut down its systems after suffering a ransomware attack, cutting off payments to already cash-strapped hospitals and plunging the industry into crisis.

"We need to get some minimum cybersecurity standards into healthcare," Warner told Recorded Future News in a recent interview. "We've been talking about this for some time without a lot of action."

As chairman of the Senate Intelligence Committee, Warner has access to the most sensitive information about how foreign governments and cybercriminals are trying to hurt Americans by disrupting critical infrastructure. While others focus on shoring up cyber defenses at water facilities and schools, Warner has concentrated on healthcare facilities. In late 2022, his office issued a white paper laying out policy responses to the health sector's cyber crisis. Last November, he launched a bipartisan Senate working group to consider legislative solutions.

"Cybersecurity in healthcare is really about patient safety," Warner said. And with the Change hack still affecting hospitals across the country and the Biden administration planning regulations to boost the industry's cyber posture, Warner believes the time is right to press his case.

"Nothing moves until an incident," he said, "and then you've got to be ready, and things move quickly."

A constant barrage of cyberattacks has shown that the healthcare community is among the most poorly guarded parts of US critical infrastructure. Hackers have repeatedly breached hospital chains, insurers and vendors, and the healthcare sector topped the list of ransomware victims in 2023, according to FBI data.

With hospitals facing a perpetual funding crunch that the COVID-19 pandemic sharply exacerbated, Warner wants to focus regulation on the vendors that sell technology to these facilities. "We have to change the incentive system to make cyber built in before the product or software otherwise goes to market."

Healthcare's cyber weaknesses largely flew under the general public's radar for years. But the Change Healthcare hack, which could be costing providers tens of millions of dollars a day in cash flow disruptions, starkly highlighted the problem and may have given lawmakers like Warner the political momentum necessary to overcome longstanding industry opposition to regulation.

"The Change hack was something that got the industry's attention in a pretty dramatic way," Warner said. "We suddenly saw something that really rocked about a third of the healthcare industry."

The Biden administration scrambled to respond as providers warned of dire cash shortages. The Department of Health and Human Services (HHS) began making emergency payments, the department opened an investigation into Change's security failures, and administration officials summoned company leaders to a White House meeting with other industry representatives to stress the importance of a collective response.

Now Warner is hoping for prompt action on his legislation in the brief window of time before the emergency passes. When asked whether he saw the Change crisis as an example of the old adage "never let a good crisis go to waste," Warner responded, "That's my hope."

Warner's legislation, the Health Care Cybersecurity Improvement Act, would require healthcare providers experiencing cash-flow problems due to a cyberattack to meet minimum cybersecurity standards before receiving emergency funds from the Centers for Medicare and Medicaid Services (CMS). If the cyberattack targeted one of the provider's vendors, that vendor would also need to meet the minimum standards before the provider could receive funding.

The bill leaves it up to the HHS secretary to determine what constitutes minimum cyber standards. HHS recently published health-specific Cybersecurity Performance Goals based on broader guidance from the Cybersecurity and Infrastructure Security Agency (CISA).

Warner said he chose to link cyber hygiene requirements to financial assistance to avoid the harder-edged approach of simply mandating improvements with no associated benefits. "We've been trying to fashion this a little bit more into a carrot," he said.

But he also made it clear that no matter what approach Congress takes, the status quo of unconditional federal payments is no longer acceptable. "The alternative of saying, 'Okay, we're going to continue to reimburse regardless of putting minimum standards in place,' doesn't hold water."

The powerful healthcare industry has repeatedly opposed new provider regulations, and Warner said his bill has already picked up knee-jerk reactions from some of the trade associations that reflexively said, "We don't want any new mandatory standards on any subject."

The Department of Health and Human Services is planning its own regulatory changes to improve healthcare cybersecurity.

The American Hospital Association, one of the industry's most influential lobbying groups, declined to comment on the bill. But the AHA, which has harshly criticized Change's limited assistance to struggling providers, previously told Warner that it opposed CMS's planned cybersecurity updates to hospitals' operating regulations because of the significant financial investment and staff training that they would require.

These arguments irritate Warner, who argued that there's no reason why the industry should get to treat cybersecurity differently from any other patient safety imperative.

"A hospital can't say, 'Well, we can't afford our nursing ratios anymore. We can't afford to have backup power,'" Warner said. "We have a series of requirements already for provider operations that are built into the system. And yes, this is a new one. But you can't just say, 'All right, well, this is a whole new area and we can't do anything.'"

Still, Warner is sensitive to cost concerns. He acknowledged that the government would have to offer some level of reimbursement to help hospitals upgrade and secure their computers and other devices. "How you go back and retrofit equipment," he said, "is a challenge."

In addition to hospitals fixing old equipment, Warner also wants to see health-technology vendors designing new products with cybersecurity in mind. To encourage this shift, and to help hospitals buy the safest products, Warner wants the government to create a best-practice certification for health technology akin to the Energy Star label that distinguishes energy-efficient appliances.

Even before the Change hack, policymakers were increasingly joining Warner's quest for cybersecurity improvements to the healthcare sector.

In November, Warner and Sen. Bill Cassidy (R-LA), the ranking member of the Senate Health, Education, Labor and Pensions Committee, joined Sens. John Cornyn (R-TX) and Maggie Hassan (D-NH) in forming a working group to explore legislative options.

There's a lot of interest in the issue among the group's members, Warner said, although discussions are happening mostly at the staff level at this point.

Meanwhile, the Biden administration is pursuing its own healthcare cybersecurity strategy. HHS is planning two regulatory changes: the addition of cybersecurity requirements to the Medicare and Medicaid participation rules for hospitals and an update to the landmark health-data security rule under the Health Insurance Portability and Accountability Act (HIPAA).

Warner said he expected to soon receive a briefing from the Biden administration on these plans, adding, "I'm supportive directionally of what the administration is doing."

As the ongoing Change crisis recedes from the headlines, Warner is determined to keep the issue of vulnerable hospitals and patients front and center in Congress.

Warner said he's angling to get his bill a hearing in the Senate Finance Committee, whose chairman, Ron Wyden (D-OR), is an outspoken advocate for increased corporate responsibility and government vigilance on cybersecurity. Wyden is already planning to haul in the CEO of Change's parent company, UnitedHealth Group, for a hearing this month.

Warner said he planned to discuss his bill with Wyden in the hope of scheduling a hearing soon. But he acknowledged that passing the legislation would take some time.

Even if the bill becomes law, Warner knows it could be a long time before hospitals and their vendors actually have to change their cybersecurity practices. It took three years for the White House to start implementing Warner's bill regulating federal agencies' use of internet of things devices, and it took CISA two years to propose a rule implementing a cyber incident reporting mandate for critical infrastructure operators that Warner helped draft.

Still, Warner believes that time is running out for Congress to pass meaningful, measured requirements that can head off a disaster.

"The alternative will be, we'll end up with some catastrophic event where people die, and then Congress will overreact."

Eric Geller is a freelance cybersecurity journalist covering all things digital security. He previously reported on cybersecurity for The Daily Dot, Politico, and The Messenger.

Copyright 2024 The Record from Recorded Future News