Wyden urges HHS to require healthcare cybersecurity standards


Dive Brief:

  • Sen. Ron Wyden, D-Ore., is urging the HHS to require large healthcare organizations to improve their cybersecurity practices as increasing attacks and data breaches rock the industry.

  • In a letter to Secretary Xavier Becerra, the chairman of the Senate Committee on Finance said the agency’s approach to regulating healthcare cybersecurity is “woefully inadequate,” leaving the sector vulnerable to attack.

  • Wyden pointed to the major cyberattack on UnitedHealth’s Change Healthcare subsidiary early this year, which he said could have been prevented if the technology firm had used the basic cybersecurity practice of multifactor authentication.

Dive Insight:

Cybersecurity is a growing challenge for the healthcare sector, and the industry has already faced several significant cyberattacks this year.

The ransomware attack against Change, a major medical claims processor that manages billions of transactions annually, disrupted day-to-day healthcare operations and slowed payments to providers for weeks.

During testimony in front of Congress last month, UnitedHealth CEO Andrew Witty said a portal hackers used to attack Change didn’t have multifactor authentication, which requires a second method to verify a user’s identity beyond a password.

In a letter published last week, Wyden urged leaders at the Federal Trade Commission and the Securities and Exchange Commission to investigate UnitedHealth’s “negligent” cybersecurity practices.

Change is far from the only healthcare organization facing cyber threats. Multi-state health system Ascension is recovering from a ransomware attack launched last month, while Lurie Children’s Hospital said in late May it had finished reactivating its patient-facing systems, months after it first reported a cyberattack.

In his latest letter, Wyden argued federal regulators need to do more to stop the spate of cyberattacks — which can have serious impacts on patient safety and privacy.

“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” he said.

The letter comes as the HHS has signaled plans to add enforceable standards. The agency released voluntary cybersecurity goals for the healthcare sector early this year, and the Biden administration’s proposed 2025 budget included funds for providers to boost their cyber protections — with eventual penalties on those that fail to implement them. Hospital groups have previously pushed back on cyber requirements, arguing fines and Medicare payment cuts would reduce resources needed to combat cyberattacks.

Regulators also plan to update the HIPAA privacy and security rule, but Wyden argued the agency could go further.

He urged the HHS to implement minimum, mandatory cybersecurity standards for healthcare organizations, including large health systems and claims clearinghouses. Providers that participate in the Medicare program should meet these requirements too, he wrote.

They should also have to meet resiliency standards — so they can resume operations within days after a cyberattack — and the HHS should conduct periodic audits of healthcare organizations’ cybersecurity practices. In addition, the agency should offer technical assistance to providers, especially those with few resources.

This story was originally published on Healthcare Dive.
