More than three weeks since a cyberattack that continues to disrupt U.S. healthcare operations, Congress is still groping for a response. But paths forward have begun to emerge as awareness of the damage slowly spreads on Capitol Hill.
Many lawmakers still have no answers when asked about the Feb. 21 ransomware assault on Change Healthcare, a claims and billing processor within UnitedHealth Group's Optum subsidiary. But a growing number of them are devising plans that range from holding hearings and putting pressure on federal agencies to enacting legislation.
The issue got perhaps its most focused attention Thursday, when Health and Human Services Secretary Xavier Becerra testified before the Senate Finance Committee on President Joe Biden's budget proposal. The White House called for initiatives to strengthen cybersecurity in a healthcare sector increasingly targeted by bad actors such as BlackCat, the ransomware group also known as ALPHV or Noberus that UnitedHealth Group blames for the Change Healthcare incident.
Finance Committee Chair Sen. Ron Wyden (D-Ore.) and ranking member Mike Crapo (R-Idaho) each pressed Becerra on Change Healthcare and cybersecurity during the hearing.
Crapo pressed HHS to go beyond the actions it has already taken to shore up the healthcare system during the ongoing outage, which has created logistical and financial challenges for providers and other healthcare organizations. UnitedHealth Group expects the Change Healthcare systems to be restored by Monday.
"While your department has recently taken steps — important steps — to issue guidance and flexibility to insurers, providers and contractors to mitigate the effects of this hack, the over-two-week delay resulted in avoidable uncertainty," Crapo said. "In the coming days and weeks, HHS should continue to update members and stakeholders on efforts to limit further disruption."
Other lawmakers have pressed the administration for action. For example, Senate Majority Leader Chuck Schumer (D-N.Y.) has written letters to HHS pushing for more emergency relief to providers. And Sen. Kirsten Gillibrand (D-N.Y.) and 21 other lawmakers called on HHS and the Homeland Security Department's Cybersecurity and Infrastructure Security Agency to develop a plan to address the current crisis and to prepare for future attacks.
Wyden likewise emphasized administrative efforts during the hearing, but left open the possibility that Congress would legislate. He praised the White House for proposing cybersecurity penalties and funding for hospitals in its budget plan but suggested more is necessary. "Mandatory standards are a great first step, but we've got to do more," he said.
Corporations must be made to answer for failures to protect their vital systems, Wyden said. "These companies have become so large, it is creating a systemic cybersecurity risk," he said. "The next step has got to be the fines and accountability for negligent CEOs, for example."
The American Hospital Association has already come out against federal cybersecurity rules like those Biden proposed.
"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime," CEO Rick Pollack wrote Wyden and Crapo on Wednesday. "The administration’s budget proposal for hospitals is misguided, and it will not improve the overall cybersecurity posture of the healthcare sector."
After the hearing Thursday, Wyden issued a statement saying resistance to previous cybersecurity proposals has left the nation more vulnerable.
"Private-sector opposition to effective cybersecurity rules is the number one reason our critical infrastructure, particularly the healthcare sector, is so woefully unprepared for even unsophisticated cyberattacks," Wyden said. "I'm working with the Biden administration to turn around this sorry state of affairs."
Senate Intelligence Committee Chair Mark Warner (D-Va.) is one of the most prominent voices on Capitol Hill advocating stronger cybersecurity policy. Last week, Warner said his committee would consider legislation on the subject and called for "mandatory cyber hygiene standards" in the healthcare system. Warner will unveil proposals as soon as next week, a spokesperson said.
"As we've seen, healthcare data on the dark web is more valuable than even financial data," Warner said Thursday. "It's time for mandatory minimum cybersecurity in our healthcare system, the way we have already in utilities and in the financial sector."
Warner believes instituting harsh penalties would be an "uphill slog" and attract strong opposition. But healthcare companies could be nudged quickly toward better security if that would make them eligible for federal aid after an attack.
"If you — meaning the providers, hospitals, doctors and your vendors — meet minimum cybersecurity standards, then in these kinds of hacks, you'd have availability of that short-term financing to get you through these problem times," Warner said. "It might be a way to put an incentive in place to make sure that responsible providers are trying to build in for these cyberattacks."
No House committees have held hearings on the Change Healthcare incident, but lawmakers such as Rep. Brett Guthrie (R-Ky.) are acutely aware of the problem and looking for a way forward.
Guthrie, who chairs the Energy and Commerce Committee's Health Subcommittee, said he is pressing HHS to do more but is unsure whether the House should focus on investigative hearings or legislation. "We're gonna have to come up with some program because it's really hurting people," he said.
None of this is necessarily what providers want to hear, particularly hospitals. The AHA wants Congress to quickly enact flexibilities to allow HHS and other agencies to do more, akin to actions taken in response to the COVID-19 pandemic.
"The administration has limited tools available to assist with the Change Healthcare cyberattack, particularly because, unlike with COVID-19, the government is not operating under a declared Public Health Emergency and National Emergency," AHA Executive Vice President Stacey Hughes said in a statement Tuesday. "The Centers for Medicare and Medicaid Services only have the authority to do so for limited time periods and amounts and with very high interest rates after repayments are due. Additional flexibilities would need to be provided by Congress."
Warner, for one, did not seem sympathetic to that demand. "I don't think they ought to go back exactly to the way [CMS] provided a lot of stopgap funding during COVID," he said.