During a House panel hearing on the attack, hospital and health industry leaders urge lawmakers to help deal with attacks from ransomware groups.
Lawmakers held a hearing on the Change Healthcare cyberattack Tuesday, and hospital and health technology leaders asked for more federal help to protect providers and patients.
Speaking before the House Energy & Commerce Committee’s health subcommittee, they said the government is going to have to do more to prevent incidents like the Change Healthcare ransomware attack, which has disrupted hospitals, health systems, and physician practices nationwide.
Greg Garcia, executive director for cybersecurity for the Health Sector Coordinating Council, talked about the need for a risk assessment of the health industry infrastructure.
“Pull up the floorboards and look at the plumbing, see where the joints are loose and where the leaks are,” Garcia said.
John Riggi, the national adviser for cybersecurity and risk for the American Hospital Association, testified about the need for a comprehensive government response for cybersecurity.
“If this attack has taught us anything, it is this. What we need is a whole-of-nation approach to protect patients and providers in America, from these devastating cyberattacks,” Riggi said at the hearing.
Rep. Anna Eshoo, D-Calif., pointed to the Biden administration’s inclusion of an additional $1.3 billion to boost cybersecurity. While Riggi said the additional funding is helpful, he said more is needed.
“We believe at this point, that is far from sufficient, in fact woefully insufficient, given the 6,000 hospitals that would have to utilize that money,” Riggi said.
Healthcare leaders testifying before the panel noted the need for federal assistance, particularly for smaller providers that simply don’t have the resources to invest sufficiently in cybersecurity.
Garcia also called for a government-industry “rapid response capability” against cyberattacks.
“What is envisioned is using government authority to declare national cyber emergencies, activate catastrophic national cyber insurance, provide fast financial support, permit temporary suspension of regulatory choke points, and provide mobile healthcare capability to assist those in dire need,” Garcia said.
“This need is particularly important for the so-called target rich and cyber poor: the small, rural critical access, federally qualified health centers, public health and other under-served, under-resourced health entities across the nation,” he added. He also called for a cyber safety net for under-served providers.
Scott MacLean, board chair of the College of Healthcare Information Management Executives, also testified about the need for a federally sponsored catastrophic cyber insurance program “to help healthcare providers offset the extremely high cost of coverage.”
The government should also help providers, including smaller hospitals and health systems, with funding for cybersecurity efforts.
“We understand providers must do their part,” MacLean said. “If we're going to move the small and underserved resources forward, funding for them must be prioritized, with the healthcare sector only as strong as its weakest link.”
MacLean also called for “safe harbors” to foster greater transparency and communication from health organizations that suffer cyberattacks.
“Victimized organizations are fearful that by sharing details it will open them up to regulatory and liability risks,” he said.
The Medical Group Management Association submitted written testimony to the House panel and asked lawmakers to provide federal agencies greater flexibility to send payments to support physician practices. Hospitals and medical groups have said they had hoped to see a faster response from the government in sending aid to providers affected by the Change Healthcare attack.
The MGMA also asked for health plans and third-party vendors to have safeguards to protect physician practices from other wide-ranging cyberattacks. It also said the panel should consider policies to require health plans to relax requirements, including filing deadlines and prior approvals, during widespread outages.
Hospitals and other providers have said they welcome voluntary cybersecurity requirements, but they oppose provisions that would impose penalties on providers who don’t meet requirements. Health providers have balked at the idea of facing fines for cyberattacks.
“Exacerbating a terrible situation by adding further penalties to medical groups beyond what is already in place would be overly punitive for practices not responsible for the attack and operating in full compliance,” the MGMA said in its testimony.
Riggi stressed that the government must recognize that most cyberattacks aimed at the healthcare industry involve foreign actors, including those supported by nation-states.
“We've worked directly with the FBI to exchange real-time threat intelligence, so hospitals can help defend themselves,” Riggi said.
“We can do everything we can possibly on defense,” he added. “That will not solve the issue, because there’s foreign bad guys out there attacking us. So again, this whole-of-nation approach is what is required.”