Health Department must change ‘woefully inadequate’ approach to cybersecurity, senator says

The head of the U.S. Senate Finance Committee says that the U.S. Department of Health & Human Services needs to reconsider its approach to cybersecurity.

Sen. Ron Wyden, D-Oregon, the chairman of the Senate Finance Committee, says the U.S. Department of Health and Human Services has failed to regulate and oversee cybersecurity in the health industry.

U.S. Sen. Ron Wyden, D-Oregon, is calling on the health department to require healthcare organizations to meet some basic cybersecurity standards. In a letter to the health department this week, Wyden said the department’s failure to require tougher standards has contributed to cyberattacks that have plagued the industry.

“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers,” Wyden wrote. “HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the health care sector from further, devastating, easily-preventable cyberattacks.”

In the letter, Wyden pointed to the cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group. The attack has affected hospitals and health providers nationwide, and said the department’s insufficient oversight was a contributing factor in the upheaval.

“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history,” Wyden said in the letter.

The finance committee held a hearing on the Change Healthcare cyberattack last month, and senators criticized UnitedHealth for insufficient protections. At the hearing, UnitedHealth CEO Andrew Witty said the breach occurred in a system that lacked multi-factor authentication, a standard protection used by many companies.

As Wyden noted in his letter, “HHS does not require health care companies to use MFA, nor does HHS require covered entities or business associates to adopt any other specific cybersecurity best practices.”

Wyden acknowledged that the health department is in the process of updating cybersecurity regulations. But he said there needs to be some tougher standards.

“HHS should require minimum, mandatory technical cybersecurity standards for systemically important entities (SIEs), including clearinghouses and large health systems,” Wyden wrote. “These technical standards should address how organizations protect electronic information as well as ensure the health care system’s resiliency to these attacks by continuing its critical functions including maintaining access to medical records, providing medical care, and supporting community health.”

Wyden also called on the department to ensure that “systemically important entities,” such as Change Healthcare, can resume operations quickly after a breach. He suggested a standard of rebuilding infrastructure within 48-72 hours, and said it was “not acceptable” that Change Healthcare was down for six weeks.

The health department must conduct regular audits of healthcare organizations to assess their cybersecurity, Wyden said. The department hasn’t conducted an audit since 2017, he noted.

The health department should also provide hospitals and other healthcare providers with technical assistance on cybersecurity, Wyden said.

During the hearing on the Change Healthcare cyberattack, Wyden said cybersecurity in the healthcare industry is a national security issue. He used that language again in his letter to the health department.

“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” Wyden said.

Some healthcare leaders have called on Congress and the federal government to offer more help with cybersecurity. Healthcare groups also said the government responded too slowly to help providers affected by the Change Healthcare attack.

John Riggi, the national adviser for cybersecurity and risk for the American Hospital Association, testified about the Change Healthcare attack and the need for a comprehensive government response for cybersecurity at a House health subcommittee hearing in April.

“If this attack has taught us anything, it is this. What we need is a whole-of-nation approach to protect patients and providers in America, from these devastating cyberattacks,” Riggi said at the hearing.

Greg Garcia, executive director for cybersecurity for the Health Sector Coordinating Council, called for a government-industry “rapid response capability” against cyberattacks at the April hearing.

“What is envisioned is using government authority to declare national cyber emergencies, activate catastrophic national cyber insurance, provide fast financial support, permit temporary suspension of regulatory choke points, and provide mobile healthcare capability to assist those in dire need,” Garcia said.

While hospital and healthcare leaders have asked the government for help, they have also urged lawmakers and the health department to refrain from imposing stiff financial penalties for cyberattacks.

Scores of hospitals and health systems have suffered cyberattacks in recent years.

The Ascension health system continues to work to recover from a cyberattack last month, which has disrupted care and caused some hospitals to divert ambulances. This week, Ascension said it has restored electronic health records at several of its markets. The system expects to have full restoration of electronic records by June 14.