Senate Finance Committee Chair Ron Wyden (D-Ore.) issued a withering critique of the Health and Human Services Department's handling of cybersecurity Wednesday, blaming a lax regulatory stance for creating the environment that allowed the massive Change Healthcare hack to happen.
HHS must take a firmer hand and insist that healthcare entities are better protected against cyberattacks such as the one that befell the UnitedHealth Group unit in February and disrupted healthcare operations and finances for months, Wyden wrote in a letter to Secretary Xavier Becerra.
"The current epidemic of successful cyberattacks against the healthcare sector is a direct result of HHS’ failure to appropriately regulate and oversee this industry, harming patients, providers and our national security," Wyden wrote. "I urge HHS to use all of its authorities to protect U.S. healthcare providers and patients from cybersecurity risk."
The Change Healthcare incident is just one of hundreds of recent attacks, and an illustration of HHS' shortcomings, Wyden wrote.
"HHS’ failure to regulate the cybersecurity practices of major healthcare providers like [UnitedHealth Group] resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history," Wyden wrote.
HHS did not immediately respond to a request for comment.
Wyden has also leveled blame at UnitedHealth Group, telling CEO Andrew Witty last month that the company "flunked" basic cybersecurity because hackers exploited a Change Healthcare server that did not use multi-factor authentication. Wyden asked the Federal Trade Commission and the Securities and Exchange Commission to investigate whether UnitedHealth Group violated federal cybersecurity rules.
The senator, whose committee has authority over HHS and programs such as Medicare and Medicaid, also offers a slate of actions he argues the department should take, including requiring healthcare companies to deploy multi-factor authentication.
President Joe Biden's fiscal 2025 budget proposal calls for $1.3 billion in extra Medicare payments to bolster cybersecurity in hospitals. Under the White House plan, which is similar to legislation Sen. Mark Warner (D-Va.) introduced, hospitals would receive additional money to shore up their defenses and would have to meet minimum cybersecurity standards to avoid payment penalties in the future.
Wyden wants broader, more immediate action. "HHS must act now," he wrote. "It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the healthcare system vulnerable to criminals and foreign government hackers."
Wyden proposes several steps, starting with establishing minimum standards for what are known as "systemically important entities" that touch large swaths of the healthcare system, such as Change Healthcare, a billing and data clearinghouse.
Next, HHS should require that healthcare entities implement strong resiliency systems so that if they are hacked, they can rebuild networks within 72 hours, Wyden wrote. The Change Healthcare system was down for more than six weeks, which wreaked havoc on provider payments and other operations. HHS and health insurance companies also should be prepared to advance money to affected providers, as they did in response to the Change Healthcare incident, he wrote.
Wyden also called on HHS to run periodic security audits and provide technical assistance to providers.