The health insurance trade group AHIP explained that it and its members are still more focused on recovering from the Feb. 21 hack than on a legislative strategy.
What AHIP is sure of is that any federal response should involve not just lawmaking, but a great deal of work between industry and regulatory agencies.
"This is bigger than all of us," said Danielle Lloyd, senior vice president of private market innovations and quality initiatives at AHIP. "The scale and the scope of these ongoing cyberattacks are just at a magnitude that this is going to take the federal government, the states and the entire healthcare system working together to better protect Americans. All of these stakeholders are going to have a role."
Congress is in a similar place, and only two significant bills to address healthcare cybersecurity have emerged since the Change Healthcare breach.
The first is a proposal from Sen. Mark Warner (D-Va.). His legislation would require providers and third-party technology partners to meet minimum security standards set by the Health and Human Services Department if they want to qualify for advance Medicare payments and other aid, which HHS offered during the current crisis with no strings attached.
A broader draft privacy bill from House Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) would offer less carrot and more stick by empowering the Federal Trade Commission, state attorneys general and private citizens to bring federal lawsuits against hacked companies that did not adhere to cybersecurity standards.
Lawmakers could widen their approach after hearing from stakeholders and experts this month. The Energy and Commerce Committee is holding a session Tuesday titled "Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack." The Senate Finance Committee is expected to conduct a similar hearing April 30.
Finance Committee Chair Ron Wyden (D-Ore.) previewed his intentions at the American Hospital Association annual meeting Monday. "Today, there are no federal required cybersecurity standards for the healthcare industry. Nothing. No requirements. Voluntary. I'm here to tell you that's got to change," he said.
The bills offered to date and policies President Joe Biden proposed in his fiscal 2025 budget request have already spurred opposition within the healthcare sector.
Hospitals, which have endured crippling impacts from the Change Healthcare breach, are most resistant to measures that would impose "significant or unfunded mandates on hospitals," AHA Executive Vice President Stacey Hughes said at the trade group's event Monday.
"We just experienced the most significant cyberattack in the history of the healthcare sector," AHA President and CEO Rick Pollack said at the conference. "Unfortunately, various proposals have emerged from both the White House and on Capitol Hill with mandatory requirements on hospitals but with very limited financial support to comply and heavy penalties for noncompliance."
Likewise, Beth Feldpush, senior vice president of policy and advocacy for America's Essential Hospitals, said protecting hospitals must be the primary goal.
"We urge lawmakers to recognize how an event like this disproportionately harms our hospitals due to their fragile financial position, and to prioritize support for the safety net," Feldpush, whose trade group represents safety net facilities, wrote in an email. "We also caution against mandates that increase the financial or regulatory burden on essential hospitals, which already operate with narrow or no margins."
Wyden acknowledged the hospital sector is not aligned with him on healthcare cybersecurity policy. "Y'all have clapped for me a couple of times. You may not be clapping for me by the time I'm done with this," he said at the AHA meeting. "Everybody's got to accept change. You can't just say it's the other person down the block, and they're the only person responsible. All parties are going to have to play a role in healthcare, to be held accountable and comply with minimum cybersecurity standards."
Some players see a role for themselves that Congress can ensure with adequate financial support. The Medical Group Management Association argues that although insurers, clearinghouses and vendors need to do better, doctors also have responsibilities.
"Physician practices must work to ensure they have adopted ironclad cybersecurity policies and procedures to best protect the data of their patients and their ability to provide high-quality care," MGMA Senior Vice President of Government Affairs Anders Gilberg said in a statement. Many doctors' offices will need help to do that, he said.
"It's important to note that physician practices have access to different levels of cybersecurity resources depending on their size," Gilberg said. Biden's budget plan calls for $1.3 billion to bolster hospital cybersecurity, and doctors should get a similar helping hand, he said. "Ensuring that all physician practices are afforded resources similar to those of the hospitals is critical," he said.
One possibility that has not yet surfaced in congressional discussion is pressuring federal law enforcement and regulatory agencies to intensify efforts to stop would-be hackers and prosecute those who carry out attacks. Hospitals see that as a must, Hughes said in a statement.
"To make meaningful progress in the war on cybercrime, Congress should demand that the federal government focus on the entire healthcare sector and not just hospitals," Hughes said. "Furthermore, for any defensive strategy imposed on the healthcare sector, Congress needs to call on federal agencies to protect American hospitals and our patients by deploying an equally aggressive offensive cyber strategy to combat this ongoing and unresolved national security threat."
Some healthcare technology experts believe the existing bills are on the right track, especially since sectors such as finance and utilities have met tougher mandatory standards for years.
Lee Kim, senior principal for cybersecurity and privacy at the Healthcare Information and Management Systems Society, said Warner's bill would be a positive step, and compared it to liability insurers that refuse to pay claims from cyberattacks when policyholders have failed to protect themselves.
"It is important for both the hospital and third party to both adhere to such approved standards," Kim wrote in an email. "It's finally time for healthcare providers and their third parties to meet minimum baseline requirements to evidence that they are following adequate cybersecurity measures."
Correction: A previous version of this story incorrectly stated that UnitedHealth Group is an AHIP member.