The first piece of legislation responding to the Change Healthcare outage debuted in Congress Friday, more than a month after a ransomware attack that has roiled the sector.
The Health Care Cybersecurity Improvement Act of 2024 would expand the Health and Human Services Department's authority to make advance and accelerated Medicare reimbursements during emergencies stemming from cyberattacks. But providers and their business partners would have to meet minimum cybersecurity standards to qualify.
Hospitals and other providers have been struggling with severe payment disruptions since Change Healthcare, a unit of UnitedHealth Group subsidiary Optum, fell victim to a ransomware attack on Feb. 21.
Hospitals, physicians, pharmacists and others have pleaded with HHS to be aggressive in providing advance payments to tide them over while UnitedHealth Group restores damaged Change Healthcare systems handling tasks such as claims, billing, reimbursements and prior authorizations.
The Centers for Medicare and Medicaid Services is offering advance Medicare payments and has invited states to seek approval to follow suit under Medicaid. UnitedHealth Group and some insurers are doing the same. CMS has distributed more than $2.5 billion in such payments so far, HHS Secretary Xavier Becerra testified to Congress on Wednesday.
But providers have expressed dissatisfaction with the available assistance and urged HHS to go further and to ramp up the pressure on insurers to be more generous during the crisis.
The American Hospital Association, the Federation of American Hospitals and other healthcare groups also have pressed Congress for more help. In particular, they advocate that Congress give federal agencies more flexibility during cyber emergencies, akin to the powers HHS can exert during disease outbreaks such as the COVID-19 pandemic.
Becerra noted his department's limitations during congressional hearings Wednesday after dozens of lawmakers wrote him asking for guidance on what new statutory authority may be needed. No such legislation has been forthcoming to address the current situation, however.
Senate Intelligence Committee Chair Mark Warner (D-Va.), who introduced the Health Care Cybersecurity Improvement Act, wants to nudge healthcare providers, vendors and other entities to intensify their cybersecurity efforts to make breaches less common, he said in a news release Friday.
“I’ve been sounding the alarm about cybersecurity in the healthcare sector for some time,” Warner said. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”
Under the legislation, HHS would have expanded authority to make advance payments via Medicare Part A and Part B, and would develop minimum cybersecurity standards that providers would need to meet to receive those reimbursements. Moreover, intermediaries with which providers do business would have to adhere to the same standards.
Warner's carrot-and-stick approach to improving healthcare cybersecurity and enhancing federal support for affected healthcare organizations doesn't sit well with the hospital industry.
Federation of American Hospitals president and CEO Chip Kahn sharply criticized the legislation. "This is really an example of sort of beating somebody when they're down," he said.
"If he wants to have a cyber bill that's going to set standards and require higher levels of certification, fine," Kahn said. "But why should that be tied necessarily to whether somebody gets an advance payment for something that happens to somebody else?"
The American Hospital Association blasted a White House plan to create federal rules for healthcare cybersecurity and link them to Medicare reimbursement bonuses and penalties. "The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime," President and CEO Rick Pollack wrote Senate Finance Committee Chair Ron Wyden (D-Ore.) and Mike Crapo (R-Idaho) on March 13.
Kahn said hospitals and other providers are acutely aware that cybersecurity is vitally important and are committed to protecting patients and data. But they should not be punished when a third party they believed had met proper standards suffers a successful attack, he said. Change Healthcare, he noted, was certified.
"We have a system of certifications that everybody relies on third parties. If it's not strong enough on third parties, then let's provide incentives to stiffen the certifications," Kahn said.
Warner's bill is likely just the first salvo from Capitol Hill on the cybersecurity issue. And although Warner has influence as a member of the Finance Committee, which has jurisdiction over CMS, he doesn't set its agenda. While Wyden has expressed interest in creating healthcare cybersecurity standards, he has not authored legislation.
Other lawmakers remain unsure whether to respond to the Change Healthcare incident by continuing to press HHS, holding investigative hearings or making new law.