Senate Finance Committee chair, Senator Ron Wyden sent a letter to the Department of Health and Human Services (HHS) through Secretary Xavier Becerra asking big healthcare organizations to improve their cybersecurity protocols. One factor in the success of cyberattacks in the healthcare industry is the inability of HHS to regulate and monitor this industry properly.
The major cyberattacks on big healthcare companies such as Ascension and Change Healthcare have resulted in massive disturbances to healthcare services throughout the United States. The attacks affected patient care and resulted in actual harm to patients. A large volume of sensitive patient information was stolen by cybercriminals putting patients at risk of identity theft and fraud.
A hacker was able to access Change Healthcare’s internal system because of lax cybersecurity strategies. The hacker used stolen credentials to get initial access. The network breach also succeeded because the server does not use multi-factor authentication (MFA). Not using MFA on a cloud server is a critical cybersecurity mistake for a healthcare company of any size.
MFA is deemed to be a fundamental cybersecurity step; but, MFA is not required under HIPAA, and several other basic cybersecurity procedures are not specifically required under the HIPAA Security Rule. The HIPAA Security Rule was approved over 20 years ago and was meant to stay applicable even with improvements in technology. The result is that the HHS depends on self-regulation and the use of voluntary cybersecurity methods. Although that approach works for smaller healthcare companies that are short of funds to spend on cybersecurity, it is not good for big healthcare companies.
The HHS’ current solution to healthcare cybersecurity of self-regulation and voluntary adoption of cybersecurity measures is not enough and has made the healthcare system prone to hacking by criminals and foreign government attackers. HHS needs to consider doing what other government regulators have mandated making cybersecurity measures necessary to protect the health care sector from further, devastating, easily-preventable cyberattacks.”
The HHS has recommended voluntary cybersecurity performance targets for hospitals. There is a plan to update the HIPAA Security Rule eventually. Considering that cybercriminals target healthcare companies and the attacks seriously affect patient care, a lot more must be done. Sen. Wyden gave a number of recommendations to make the healthcare system strong and resilient and better secure sensitive patient information. Stricter cybersecurity measures must be implemented for systematically important entities (SIEs) like large health systems and healthcare clearinghouses.
Sen. Wyden stated the HHS must build minimum cybersecurity criteria for SIEs and those criteria must be implemented. They ought to include safety measures for electronic protected health information (ePHI) and criteria for ensuring toughness against cyberattacks and business continuity in case of a successful cyberattack. The ransomware attack on Change Healthcare led to the shutdown of critical systems for a few weeks, causing extended disruption for healthcare companies throughout the country.
Sen Wyden is seeking the creation of standards to maintain access to medical records and other important functions for delivering medical care and helping community health. SIEs must completely develop their information technology infrastructure in 48 to 72 hours, and the HHS must stress test SIEs to make sure that they can satisfy those demands. “It is not right for an SIE such as Change Healthcare to be shut down for over 6 weeks.
At the beginning of 2024, Office for Civil Rights Director Melanie Fontes Rainer reported that the HHS had reactivated its HIPAA audit program. The HITECH Act demands HHS perform routine audits of HIPAA-covered entities to evaluate compliance with the HIPAA Rules; nonetheless, the HHS has just performed two HIPAA audit programs. The last audit was done in 2017. The inability to perform regular audits is because of inadequate resources, since OCR’s budget has remained low whereas its workload has gone up significantly. Now that the audit program is restarting, Sen. Wyden has advised the HHS to keep audits of SIEs a priority.
Although attacks have a big impact on SIEs, cybersecurity should be enhanced at healthcare companies of various sizes as well. Smaller healthcare companies with low resources would profit from technical support and guidance. Sen. Wyden has required the HHS to use the Centers for Medicare & Medicaid Services (CMS)’s Quality Improvement Organizations and Medicare Learning Network programs to give that support and guidance and help those companies enhance cybersecurity.
