UnitedHealth Hack Fuels Bids to Shield Americans’ Medical Data

Bgov

June 4, 2024 3:49 pm

Cyberattacks compromising the health information of millions of Americans are prompting Congress and the Biden administration to take action to better protect highly sensitive personal data that’s profitable for hackers.

Up to a third of Americans had their private health information exposed in the cyberattack on Change Healthcare in recent months. The breach is believed to be the largest in health care in US history and has cost parent company UnitedHealth Group Inc. up to $1.6 billion in profits this year.

Lawmakers and regulators have been scrambling in their response. In May, Senate lawmakers grilled UnitedHealth Group CEO Andrew Witty over the attack, pressing the embattled executive on why the company left so much health information vulnerable and what should be done to avoid a repeat. Shortly after, the White House said it was weighing standards for hospitals to better protect patient information.

Now, senators on both sides of the aisle are keeping an open line with Witty and weighing legislation to better protect health information. They’ve also upped the pressure on the Biden administration’s labor and health departments to take on a greater role in both preventing and responding to cyberattacks.

The Department of Labor didn’t immediately respond to a request for comment. However, a Health and Human Services Department spokesperson said the agency is considering issuing new enforceable cybersecurity standards for the health-care sector, a move that could face a backlash from hospitals.

Trade group American Hospital Association has been vocal in its opposition to mandatory cybersecurity requirements for hospitals. In a May interview, the AHA’s national adviser for cybersecurity and risk, John Riggi, said that should the government take regulatory action, “hospitals alone should not be singled out.”

“The government needs to do more on offense against the fundamental source of cyber risk, foreign hackers and ransomware gangs attacking health care, ” Riggi said. “That’s not hospitals’ job. That’s the US government’s job.”

Lawmaker Response

The FBI said in a report that in 2023, the health-care and public health sector flagged the most ransomware attacks, with organizations having filed almost 250 complaints with the agency. That’s more than critical manufacturing, which flagged fewer than 220, and government facilities, the third-most hit sector in the report, which came in at 156.

The full extent of Change’s breach has yet to be determined. The company processes pharmacy requests and insurance claims for over 340,000 physicians and 60,000 pharmacies. The hack was discovered Feb. 21, and the company severed connections that distribute data and money across the health-care system, leading to a backlog of payments and claims.

Lawmakers are casting a wide net in their response. Some, like senators Ron Wyden (D-Ore.), who chairs the Senate Finance Committee before which Witty testified, and Bill Cassidy (R-La.), a member of that committee, are pushing for legislation to better protect critical health-care infrastructure.

Wyden said he’s working on proposing “minimum standards” for cybersecurity in health care. He said the details wouldn’t be revealed until later as part of legislation.

Wyden also called for the Federal Trade Commission and the Securities and Exchange Commission to investigate UnitedHealth to determine if laws were broken, Bloomberg News reported.

Cassidy said there’s two tracks for responding to Change: looking at what happened at the company, as well as examining the broader health industry.

Witty, Cassidy said, has remained available since the hearing to answer questions. Cassidy said one issue that’s been brought to his attention is that UnitedHealth was unable to do a full security analysis of Change before purchasing the company.

Cassidy said he is also concerned there are too many larger companies operating in the health-care space. “Should we have any organization that, if it goes down, everything else is affected?” he asked.

While he isn’t currently putting forth legislation, Cassidy said Congress should act. The lawmaker, who also is the top Republican on the Senate Health, Education, Labor and Pensions Committee, said if he becomes HELP chairman in the next Senate, cyber “will be a big priority.”

“It’s better that Congress take information from all stakeholders—as opposed to what inevitably is a narrower view of a particular administration,” Cassidy said.

Agency Activity

The Biden administration is facing increasing pressure to take direct action on cyber safety.

Earlier this month, House Committee on Education and the Workforce Chairwoman Virginia Foxx (R-N.C.) wrote to the Department of Labor to ask what the Employee Benefits Security Administration is doing to investigate cyberattacks.

Foxx’s committee’s jurisdiction includes private employer health-care benefits. She wrote the committee is concerned about how the Employee Benefits Security Administration “is working to curb” risks for employer-sponsored benefit plans.

Her letter included a list of questions about the EBSA’s cybersecurity role, such as how many cybersecurity investigations the group has conducted since February 2021 and whether the agency has ever been “compromised by cybercriminals.” Foxx asked for responses by May 30.

“The Change Healthcare hack immediately affected workers’ and their families’ access to health care. Prescriptions could not be filled. Health care claims and payments were halted. Pharmacies, military hospitals, and clinics attempted workarounds to mitigate disruptions,” Foxx wrote.

In a March statement, the HHS said it was in regular contact with UnitedHealth leadership and others to ensure the effectiveness of the company’s response.

Days later, the HHS and DOL published a letter to health care leaders saying the agencies urge UnitedHealth, insurance companies, and other payers to take actions, though they stopped short of enforcement.

The HHS in May said that hospitals can require UnitedHealth notify patients if their data was compromised in the February attack.

The department is considering enforceable actions informed by voluntary performance goals for health sector groups released in January, according to an agency spokesperson.

Among those goals are things like reducing email security risks, adding multifactor authentication, and setting security requirements for outside vendors.

The HHS spokesperson declined to provide additional information on enforcement specifics, including who in the agency would be responsible.

Enforcement

Greg Garcia, executive director for cybersecurity of the Health Sector Coordinating Council, an advisory group that works with the government, said enforcement is “a difficult thing to do,” but would make a difference in improving health sector cybersecurity.

Garcia said a federal rule —which implements standards under the Health Insurance Portability and Accountability Act—currently requires health providers to have incident response plans, and that it’s enforced by the HHS Office for Civil Rights. In the event of cyber incidents, the HHS “depends on intel from industry, law enforcement,” and others, Garcia said, though “the interagency process and its information sharing protocols with industry are always a work in progress.”

An HHS spokesperson noted that the civil rights office investigates complaints filed with the group and conducts compliance reviews. Investigations may result in civil fines. The spokesperson also said the office submitted requests for Congress to increase the amount of fines it can impose in a calendar year, with the goal being to promote HIPAA compliance to protect sensitive patient data.

Still, Garcia noted the Change attack was due to problems with “basic cyber hygiene”—a lack of multifactor authentication—and that “no amount of cyber security controls will totally prevent cyberattacks.”

Cybersecurity is a “collective responsibility” that health providers can’t shoulder alone and the government does have a role to play, said Garcia, who has worked with the HHS on cybersecurity matters. Congress could help by giving the HHS and other agencies broad authority to fund or oversee better incentives for the private sector, he said.

He added that third party service providers are also responsible. “Change Healthcare is a third party service provider, and they screwed up and the fallout impacts their customers existentially,” Garcia said.

Under its 2025 fiscal year budget request, the HHS would create a $1.3 billion Medicare incentive program for encouraging hospitals to take up cybersecurity practices. The department noted there was a 95% increase in large breaches reported to the agency from 2018 to 2022.

The AHA’s Riggi said any minimum standard placed on hospitals alone wouldn’t solve health-care sector cybersecurity risks. Focusing solely on hospitals wouldn’t have prevented the Change attack, Riggi said.

“We need to secure the entire health-care system,” he said.