
Senators call for new health cyber standards


Illustration: Natalie Peeples/Axios

Senators expressed interest in new cybersecurity standards and also raised concerns about consolidation in health care during an at times contentious hearing on the Change Healthcare cyberattack.

Why it matters: Members of the Finance Committee grilled UnitedHealth Group CEO Andrew Witty about the vulnerabilities uncovered by the attack on Change, a massive payment processor that's a UnitedHealth subsidiary.

  • But while the concerns cut across party lines, the details of any legislative fix are not yet clear.

What they're saying: "No industry likes minimum standards, but just as we've put in energy and in finance, minimum cybersecurity standards, I think we need those minimum standards in health care as well," said Sen. Mark Warner, who has already introduced a bill on the issue.

  • Finance Chairman Ron Wyden expressed interest in working with Warner on the issue, and said the standards could be combined with other issues, such as protecting patient privacy.
  • "We haven't had any senator say, 'Let's get a Democratic bill or a Republican bill.' We're going to do this together," Wyden said.
  • Witty tried to strike a conciliatory tone, saying he was "deeply sorry" for the attack. He expressed some openness to Warner when asked about new standards.
  • "We're supportive of a direction of travel which moves towards minimum standards," Witty said. "I think today there is a blend of guidance, some standards and others and I think there needs to be clarity within that."

The big picture: Some senators also homed in on the broader issue of UnitedHealth's market size, though consensus on how or whether to address that was not immediately clear.

  • Wyden called for a "comprehensive scrub of UnitedHealth's anticompetitive practices," in addition to calling on federal agencies to "fast track new cybersecurity rules."
  • Even on the Republican side of the aisle, Sen. Bill Cassidy asked Witty if United had become "too big to fail," and pointed to the "incredible" number of physicians it employs.

Witty noted that UnitedHealth doesn't own hospitals or drug manufacturing and that it directly employs "less than 1% of doctors in America," though it contracts with more.

  • Separately, Sen. Thom Tillis said the cyberhack highlighted the need for data privacy legislation, a long-running push in the broader technology policy realm.
  • "Congress has done nothing in part because it's a multi-jurisdictional issue," he said. "We are making a huge mistake by not having federal rules of the road on data privacy, data breach, and how these enterprises have to mitigate things."

What's next: In addition to these larger issues, senators also pressed Witty on the more basic question of why Change Healthcare did not have multi-factor authentication in place to prevent the attack.

  • Witty noted that Change was a relatively recent acquisition and that work was underway to modernize its systems. The company is still investigating why multi-factor authentication was not yet established.