After Change Healthcare suffered what some have called the worst cyberattack in the health industry’s history, new legislation introduced would allow for accelerated payments to vendors during a cyber incident if vendors meet minimum cybersecurity standards.
U.S. Sen. Mark Warner (D-Va.) introduced the Health Care Cybersecurity Improvement Act, following the ransomware attack that paralyzed billing services for providers nationwide, leaving many in danger of becoming financially insolvent.
“I’ve been sounding the alarm about cybersecurity in the health care sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” said Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus.
“The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”
The American Hospital Association sent a detailed letter to the chairman and ranking member of the Ways and Means Committee outlining the damage caused by the cyberattack on Feb. 21, describing the breach as “the most significant and consequential cyberattack on the U.S. health care system in American history.”
AHA President and CEO Richard J. Pollack noted Change Healthcare is the predominant source of more than 100 “critical functions” that manage clinical criteria used to authorize a large portion of patience care and coverage. The UnitedHealth Group subsidiary also processes billions of claims, supports clinical information exchange and processes drug prescriptions.
“Significant portions of Change Healthcare’s functionality have been crippled,” the letter says. “As a result, patients have struggled to get timely access to care and billions of dollars have stopped flowing to providers, thereby threatening the financial viability of hospitals, health systems, physician offices and other providers.”
The letter goes on to say the primary source of cyber risk exposure facing the healthcare sector originates from “third-party technology and service providers, and not a hospital’s primary systems.”
The AHA said a review of top data breaches in 2023 shows that over 95% of the most significant health sector data breaches – defined by those where over 1 million records were exposed – were related to “business associates” and other non-hospital health care entities, including CMS, which had a breach included in the Top 20 largest data breaches in 2023.
The AHA said it would not support legislation for mandatory cyber requirements on hospitals because of this risk, also saying mandatory requirements would take money away from prevention efforts.
Warner’s office acknowledges that “in rare situations” Medicare Part A providers and Part B suppliers face cash flow challenges due to specified circumstances beyond their control -- for instance, during the COVID-19 pandemic.
Since the 1980s, the Centers for Medicare & Medicaid Services (CMS) has provided temporary financial relief to participants in these programs through Accelerated and Advance Payment (AAP) programs, during which these providers and suppliers receive advance payments from the federal government that are later recovered by withholding payment for subsequent claims.
The Health Care Cybersecurity Improvement Act of 2024 would modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program by:
- Requiring the Secretary to determine if the need for payments results from a cyber incident;
- If it does, requiring the health care provider receiving the payment to meet minimum cybersecurity standards, as determined by the Secretary, to be eligible; and
- If a provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards, as determined by the Secretary, for the provider to receive the payments.
These provisions would go into effect two years from the date of enactment.