The Centers for Medicare and Medicaid Services is planning oversight of third-party healthcare vendors in the wake of the Change Healthcare cyberattack, said Jonathan Blum, the agency's principal deputy administrator.
Blum, who also serves as chief operating officer for CMS, said at Modern Healthcare's Leadership Symposium Thursday that the agency is working to determine what levers it can pull to ensure severe disruptions in care like those linked to the cyberattack on the UnitedHealth Group subsidiary aren’t repeated.
“We will step in to help,” Blum said.
Cyberattacks are a growing threat in healthcare. Almost 133 million individuals were affected by healthcare data breaches last year, more than double the number of those affected in 2022 and a number equivalent to about 40% of the U.S. population. The full scope of the cyberattack on health payment processing company Change Healthcare hasn’t been disclosed.
CMS declined to provide any details of its oversight strategy, but said it is collaborating with other partners across the Health and Human Services Department to “promote high-impact cybersecurity practices and enhance accountability for healthcare organizations and their vendors.”
John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, was among those at the event who said he welcomed the support so long as it was done correctly.
“We need the federal government to step in, and where they're contemplating cybersecurity regulation to impose upon healthcare, it has to be smart, and it should apply to all the third-party entities dealing with healthcare and possibly providers,” Riggi said.
Greg Garcia, executive director for cybersecurity for the Healthcare Sector Coordinating Council, said industries that support critical infrastructure — like healthcare — need to be held to higher cybersecurity standards.
“The question would be how CMS would actually enforce regulation in a way that is meaningful and cost effective for all the partners,” Garcia said.
Rick Pollack, president and CEO of the American Hospital Association, said cybersecurity oversight would likely have to be done through legislation. The agency would need to make its policies consistent with cyber-productivity goals, apply them to the entire healthcare sector and include financial incentives rather than penalties, he said.
The federal government has been fairly active in helping navigate the year’s cyberattacks, and has been preparing for future ones.
A proposed rule under the Cybersecurity and Infrastructure Security Agency would require health plans, healthcare clearinghouses and other healthcare providers who electronically transmit certain health information to report certain cyberattacks to the agency.
That rule would implement a section of the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
CMS extended the independent dispute resolution process for payment disputes between insurers and providers to help ease backlogs in claims-based disputes and began notifying companies of breaches in June.
HHS released flexibilities in early March to help ease the payment problems stemming from claims processing issues in the wake of the Change Healthcare cyberattack, though CMS stopped accepting new applications for accelerated or advance payments after July 12.
Michael McAuliff contributed.