Congress plans new response to health cyberattacks

Illustration: Aïda Amer/Axios
Two years after the seismic Change Healthcare cyberattack, Congress is advancing a plan to safeguard against the kind of hacks that can expose millions of people's private data and cripple health systems.
Why it matters: The bipartisan plan puts the burden on the government and providers to prevent the kind of breach that reverberates across the entire industry, jeopardizing patient access to needed treatments and costing hospitals billions.
Driving the news: The Senate's health committee late last month advanced legislation to fortify health care cybersecurity in a strong 22-1 vote.
- The bill would improve coordination among government agencies and require the Department of Health and Human Services to develop an incident response plan.
- It also would establish new grants to health entities for cyberattack planning and response and make them use multi-factor authentication and encryption — a key shortcoming exposed by the Change breach.
What they're saying: "The Change Healthcare cyberattack in 2024 had widespread impacts on patient care," said Sen. Bill Cassidy (R-La.), chair of the health committee and a lead sponsor of the measure. "This bill enhances cybersecurity across the health care system to better withstand these attacks."
- "The health care industry is under siege when it comes to cyberattacks," said Paul Luehr, a partner in the privacy and data security group at Manatt.
- The average cost of a data breach in the U.S. is around $10 million, with health care having the highest breach cost compared with other industries, according to an IBM report.
- The hackers are often overseas, limiting the ability of law enforcement to respond.
- "We're left with trying to play the best defense that we can," Luehr said. "And that's costly ... hospitals, providers, insurance companies are already investing heavily in cybersecurity."
Between the lines: Democrats put forward legislation in 2024 in the wake of the Change attack that would have taken a more aggressive approach to cybersecurity requirements and penalties, prompting objections from the health industry.
- The legislation that advanced last week is seen as more of a middle ground that could have a better chance of advancing.
- Hospitals aren't publicly commenting on specifics but could raise objections to some of the requirements in the bill. A spokesperson for the American Hospital Association declined to comment.
The big picture: The bigger obstacle is a packed congressional agenda and little time before the midterm elections.
- It's rare for a health care measure to get a standalone floor vote, so backers likely would have to attach the cybersecurity bill to a bigger legislative vehicle, like a year-end government funding deal.
- Residual bitterness over Medicaid cuts, Health Secretary Robert F. Kennedy Jr.'s vaccine policies and other unrelated health issues could also erode support for the effort.
The legislation has backing from the Healthcare Trust Institute, a coalition of health care industry groups working on health data security, as well as the Blue Cross Blue Shield Association.
- Tina Grande, HTI's president, said health data is particularly valuable on the black market compared with other types of data like financial information, making health care a prime target for attacks.
- "The urgency behind this [legislation] is in part related to the fact that, in some cases, a cyberattack in health care could be a life or death situation," she said.
- David Merritt, a senior vice president at BCBSA, said health care organizations are "under a constant threat of cyberattacks, which can disrupt patient care and expose confidential health information."
The bottom line: Congress is at last making progress on addressing health care cyberattacks. The question is whether it will get swamped by more pressing issues.
