House Hearing on Cyber Issues Turns to Change Healthcare Attack

On Tuesday, April 16, the House of Representatives’ Energy and Commerce Committee’s Health Subcommittee held a hearing titled “Examining Health Sector Cybersecurity in The Wake of The Change Healthcare Attack.” The ransomware attack on Change Healthcare, first reported on Feb. 21, has been disruptive throughout the healthcare sector and raised questions about cybersecurity in the healthcare sector. Meanwhile, UnitedHealth estimated that the breach’s costs could reach $1.6 billion.

“The Change Healthcare cyberattack is just the most recent case of ransomware targeting our health care system, and, due to Change’s integration with so many of the health care providers and payers, it is still impacting providers and health care organizations across the country,” said House Energy and Commerce Committee chair Rep. Cathy McMorris Rodgers in her opening remarks of the almost three-hour long meeting.

McMorris Rodgers noted that Change Health hackers have been posting stolen data from the attack. “I have heard concerns from providers, rural hospitals, and many others, all worried about what this cyberattack means for them.” She predicted that the latest breach would not be the last breach or attack.

“As our health care system becomes more consolidated, the impacts of cyberattacks—if successful—may be more widespread, pulling in even more agencies and offices within the Department of Health and Human Services (HHS),” the chair stated.

In his opening statement, Health Subcommittee chair Rep. Brett Guthrie emphasized the disruption the Change Healthcare ransomware attack had and continues to have on the health industry, “Providers—large and small—went unpaid, and in some cases still haven’t been made whole—and patients experienced delays accessing care they otherwise would be eligible to receive.”

As an example, Guthrie noted, “My office and I have personally heard from constituents impacted. In one such instance, an independent provider in my hometown of Bowling Green is still grappling with the fallout from the attack.  His practice is losing staff because they can’t make payroll while systems are still getting back online.”

Guthrie further stated, “The federal government’s response to protect against cyber threats targeting our health care system has been lagging relative to the serious threat posed by such threats, especially by adversarial nations.” Guthrie said he wondered if the recent attack could have been prevented if steps by the federal government to bolster cyber readiness had been taken sooner.

Ranking member Rep. Anna Eshoo stated that the attack revealed that United Health’s anti-competitive practices present a national security risk. She said it was good to know that HHS is working to address the cashflow crisis caused by the attack. Eshoo added that the cyber-attack laid bare the vulnerabilities of the healthcare infrastructure. “The healthcare sector is a hacker’s playground,” she cautioned.

Executive director of The Healthcare and Public Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG), Greg Garcia, testified to the committee “that there are essential utilities undergirding our critical infrastructure that, if severely disrupted or disabled, would cause a cascading and crippling impact on our national economic security and public health and safety.”

Garcia made several industry and government action recommendations, including performing a health infrastructure mapping and risk assessment. Additionally, he recommended assessing consolidation proposals for mergers and acquisitions regarding the potential for increased cyber incident risks. Garcia also called for investment in a government-industry rapid response capability and a cyber safety net for underserved providers.

Garcia concluded his testimony with the following words: “The health industry must be sensitized to the imperative that cyber safety is patient safety. All healthcare stakeholders – that means providers, payers, medical technology and health IT, pharmaceuticals, public health, and government – are responsible for cyber safety so that our nation’s clinicians can do their job.”

“To make meaningful progress in the war on cybercrime, Congress and the administration should focus on the entire healthcare sector, not just hospitals,” said John Riggi, the American Hospital Association’s (AHA) national advisory for cybersecurity and risk.

“The attack has exposed the vulnerabilities in our health care system and the disproportionate burden placed on physician practices by insurers, government payers, and third-party vendors,” Adam Bruggeman, M.D. stated. He added, “Now we are also seeing how consolidating more of our health care spending around a single point of failure can make the situation more severe, more costly, and harder to fix when something goes wrong.”

CrowdStrike’s senior director of public policy and strategy, Robert Sheldon, testified that there is a radical disparity in cybersecurity readiness and outcomes between the haves and have-nots in the field. Sheldon recommended that small and medium-sized entities leverage a managed security service provider (MSS). He mentioned that tax credits could help to promote the adoption of cyber security measures.