Although Chair Cathy McMorris Rodgers (R-Wash.) also expressed dismay, she acknowledged UnitedHealth Group previously briefed some committee members on the Feb. 21 ransomware attack.
Several legislators nevertheless joined in Pallone's criticisms.
"They should be here today and I'm appalled, frankly, as a corporate citizen that they didn't choose to participate," said Rep. Annie Kuster (D-N.H.). "I would actually encourage the chair to subpoena UnitedHealthcare," she said, using the name of the company's health insurance subsidiary.
"I hope they're watching and listening," said Rep. Mariannette Miller-Meeks (R-Iowa).
Spokespeople for UnitedHealth Group did not respond to requests for comment. Rep. Anna Eshoo (D-Calif.), ranking member of the panel's health subcommittee, said UnitedHealth Group CEO Andrew Witty has agreed to appear for questioning in the future.
Rodgers, Pallone and other committee leaders also sent Witty a letter Monday pressing him for more information on the cyberattack and its consequences. "In order to understand better the steps UnitedHealth has taken to address this situation, we request information about the impact of the cyberattack, the actions the company is taking to secure its systems and the outreach to the healthcare community in the aftermath," the lawmakers wrote, requesting a response by April 29.
On more substantive matters, committee members suggested a broad-based approach involving government and healthcare companies would be required to address future cybersecurity threats.
Lawmakers and witnesses raised a number of issues related to UnitedHealth Group, such as how much the company's size and vertical integration allowed and contributed to the impacts of the cyberattack, how well or poorly it is responding, whether it is doing enough to help providers, and what lessons it has learned that may apply more broadly.
Witnesses told lawmakers that preventing significant attacks would require action from Congress, federal agencies and the entire healthcare sector.
"We are an interconnected ecosystem," said Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, which advises the Homeland Security Department. "There are large hospitals within a region that includes smaller health providers, and they are mutually dependent in many ways," he said. That calls for a cooperative approach to cybersecurity, he said.
So far, Congress' few healthcare cybersecurity proposals focus primarily on setting federal standards that healthcare organizations would have to meet to avoid federal and private civil penalties and to be eligible for assistance when breaches occur.
Rodgers and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) address the issue in their broader privacy rights bill, while Sen. Mark Warner (D-Va.) proposed legislation specifically designed for the healthcare system. President Joe Biden's fiscal 2025 budget calls for offering $1.3 billion in enhanced Medicare payments to support hospital cybersecurity, and for reducing reimbursements to noncompliant facilities starting in 2029.
Witnesses said even more money will be needed.
John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, was adamant about higher funding and characterized $1.3 billion as insufficient. "We have to do what we can, but we need resources from the government," he said.
Riggi and others said CMS needs more leeway to assist healthcare organizations victimized by cybercriminals, and that regulators need stronger tools to pressure health insurance companies to advance money to providers during crises.
Smaller hospitals and medical practices lack the financial resources to build robust cybersecurity infrastructure and require aid, Garcia said. Creating Medicare payment incentives would help, he said.
Lawmakers were sympathetic to the plight of cyberattack victims and to the need for federal security standards that apply to healthcare companies and their third-party vendors.
"We need to be very deliberate with it, through the balance of incentives and penalties," said Rep. Brett Guthrie (R-Ky.), chair of the health subcommittee.
At the AHA annual meeting in Washington on Monday, Senate Finance Committee Chair Ron Wyden (D-Ore.) said accountability would be part of his prescription for healthcare cybersecurity. Wyden's committee is planning a hearing on the subject later this month featuring Witty.
Several committee members questioned whether UnitedHealth Group, which acquired Change Healthcare in 2022, is simply too large.
"It needs to be busted up," said Rep. Buddy Carter (R-Ga.), a former pharmacist. "We've got to address the situation," he said. Health Subcommittee Vice Chair Dr. Larry Bucshon (R-Ind.) responded, "I couldn't agree more."
In their letter to Witty, Rodgers and the other committee leaders raised similar points. "The healthcare system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised," they wrote.
Witnesses agreed that big, vertically integrated healthcare companies are a national security vulnerability when they are insecure. "It's a great national security issue, especially when you have an organization like United that touches every hospital in the country [and] has access to one in three healthcare records. It has sensitive data on the military," Riggi said.
"We should look at and study whether or not vertical integration is leading to or is some component of the increase in cyberattacks," said Dr. Adam Bruggeman, an orthopedic surgeon with Houston-based Texas Spine Center. Large companies have more points of entry that can be exploited and possess the financial means to pay ransoms, which make them attractive targets, he said.
Riggi, a former FBI agent, said federal authorities must take the fight to cybercriminals, many of whom are based in other countries. "This is not purely a defensive issue," he said. "We need to encourage offensive operations by the U.S. government against these foreign hackers."