Government , Healthcare , HIPAA/HITECH
Senator Demands That HHS Ratchet Up Health Sector Cyber Regs
Lawmaker Says New Regulations Needed to Fix 'Lax' Cyber Postures of Major EntitiesThe Senate Finance Committee chair is urging the U.S. Department of Health and Human Services to get tougher on healthcare sector cybersecurity requirements. He says HHS' "failure to regulate the cybersecurity practices of major healthcare providers" has contributed to the "major epidemic" of attacks such as the highly disruptive Change Healthcare ransomware hack.
Sen. Ron Wyden, D-Ore., in a letter Wednesday called on HHS Secretary Xavier Becerra to take "immediate, enforceable steps" to require large healthcare companies to improve their cybersecurity practices.
See Also: Using the Netskope HIPAA Mapping Guide
"The agency's current approach of allowing the health sector to self-regulate cybersecurity is insufficient and fails to protect personal health information as intended by Congress," Wyden said. "HHS must act now to address corporations' lax cybersecurity practices, which have enabled hackers to steal patient health information and shut down parts of the healthcare system, causing actual harm to patient health information."
Wyden acknowledged that HHS has already announced plans to update cybersecurity regulations for the healthcare sector. That includes plans to update the 20-year old HIPAA Security Rule and potentially propose new regulations tying Medicare and Medicaid payment incentives and penalties to meeting certain "essential" and "enhanced" cybersecurity performance goals (see: ).
But "HHS can and should go further given its role as a regulator and purchaser of health coverage for more than 150 million Americans," he said.
Seeking New Requirements
Specifically, Wyden wants HHS to require "minimum, mandatory technical cybersecurity standards for systemically important entities, or SIEs, including clearinghouses and large health systems." HHS should reinforce these standards and ensure broad adoption by insisting entities that participate in the Medicare program meet these requirements, he said. That includes having SIEs meet resiliency requirements, Wyden said, so they are able to get back up and running quickly if they are infected with ransomware.
"SIEs must be capable of rebuilding their information technology infrastructure from scratch and within 48-72 hours," Wyden said. "HHS should also stress test these companies to prove they can meet those requirements. It is not acceptable for an SIE like Change Healthcare to be down for more than six weeks."
The senator is also urging HHS to move forward with plans announced earlier this year to resume periodic HIPAA audits, which are called for under the HITECH Act but have not been conducted since 2017. Wyden wants the audits to focus on the cybersecurity practices of SIEs, "even if those organizations were not previously subjected to HHS audits."
Finally, Wyden wants HHS to give technical cybersecurity assistance to healthcare providers. "The Centers for Medicare and Medicaid Services' Quality Improvement Organizations and Medicare Learning Network programs are vital tools at HHS' disposal for improving the effectiveness, efficiency and quality of healthcare services delivered to Medicare beneficiaries," he said.
"HHS should leverage these programs to provide cybersecurity technical assistance and guidance to providers, particularly those with low resources."
What's Feasible?
Some industry experts agree that the healthcare sector needs to fortify its cybersecurity, but they say new regulations are not necessarily the answer.
"In general, mandating cybersecurity minimums via regulation won't work," said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.
"The technology moves too quickly for regulation to keep up with what would be considered appropriate minimum security standards. Worse yet, the threat landscape evolves faster than the technology and would be impossible to keep up with in regulation."
Even the government is not immune to these sorts of attacks, as seen by recent incidents at the State Department and CISA, said Denise Anderson, president of H-ISAC. "Cybersecurity is a very complex issue and it is easy to say that having certain protocols in place will stop an attack. While certain baseline practices certainly help, they are not a panacea," she said.
The reality is that the threats will continue to evolve, and cyber defenses will at some point no longer be effective, she said. "Threat actors have found ways to defeat multifactor authentication. Where there is money to be made, threat actors will find a way."
Experts said some of Wyden's specific demands are reasonable, but others are likely unrealistic to execute.
"In light of the types of cyber incidents that are crippling the healthcare sector, Sen. Wyden's focus on resiliency makes a lot of sense," said regulatory attorney Adam Greene of the law firm Davis Wright Tremaine.
But details make the difference, others said.
The expectation to rebuild IT infrastructure from scratch within 48 to 72 hours after an attack is unfeasible, Weiss said. "Today's modern hospitals and health systems are large, complicated and dependent on many partners and suppliers," he said.
"It's taken Change Healthcare weeks, if not longer, to rebuild systems and restore services following their incident in February. A 48- to 72-hour rebuild requirement would be enormously expensive, if even possible. And who is going to pay for that? Hospitals and providers are already struggling to survive financially."
Wyden's suggestion that more cybersecurity assistance would help the sector is closer to reality for many entities. "We need more investment in cybersecurity - not only the technology to adequately protect hospitals, but the experienced people to run it," Weiss said.
"For large organizations who have more resources to apply to cybersecurity, the problem becomes more about ensuring compliance and continuous testing to secure systems from an attack," he said.
Wyden's suggestion to prioritize technical assistance through CMS quality improvement organizations and the Medicare Learning Network may be less beneficial, Greene said. "For organizations with weak cybersecurity, I think the problem is more a lack of time and resources than a lack of awareness and training," he said.
Putting greater emphasis on compliance with new regulations is not the answer because it will detract from actual cybersecurity efforts, Anderson said. "Rather, organizations should be incentivized with tax breaks and other means to help with the cost of putting measures in place."
Overall, Wyden's prioritization of new regulations aimed at shoring up cybersecurity among the largest sector entities is probably the best angle, Green said. "I appreciate that Wyden is focusing on improving security for 'systematically important entities,'" he said. "A small solo practitioner does not have the same security resources as a large national insurer, so it makes sense to treat them differently with respect to security expectations."
Last week, Wyden also sent a similarly heated letter to the U.S. Securities and Exchange Commission and the Federal Trade Commission urging the agencies to investigate UnitedHealth Group in the aftermath of the February cyberattack on Change Healthcare that disrupted the business processes of thousands of healthcare providers. The attack is expected to result in a data breach affecting one-third of the American population - or up to 100 million or more people (see: Senator Urges FTC, SEC to Investigate UHG's Cyberattack).
A Wyden spokesperson told Information Security Media Group that the senator has not yet received responses to his letters from HHS, the SEC or the FTC.
Wyden's office did not immediately respond to ISMG's request for further comment.