SecureWorld News

Dissension Emerges as Healthcare Grapples with Cybersecurity Regulations

Written by Drew Todd | Tue | Mar 19, 2024 | 11:49 PM Z

The recent ransomware attack on Change Healthcare, a major payment processor, has intensified the urgency for cybersecurity regulations in the healthcare sector, with industry resistance colliding with calls from lawmakers and cybersecurity experts for immediate action.

In the wake of the crippling cyber assault on Change Healthcare, which disrupted critical payment processing systems for pharmacies and medical providers nationwide, voices in Washington are pushing for mandatory cybersecurity standards. Senator Ron Wyden, D-Ore., emphasized the need for specific cybersecurity rules and accountability measures, citing the devastating impact of recurring hacks on patient care and national security.

"The government needs to prevent this kind of devastating hack from happening over and over again," Wyden told The Washington Post. "I want to work with the Biden administration to ensure there are mandatory, specific cybersecurity rules in place as soon as possible, and to ensure accountability for CEOs."

Despite years of warnings about the vulnerability of the U.S. healthcare system to cyber threats, progress on implementing robust security measures has been sluggish. Lobbying efforts from the private sector have hindered regulatory advancements, leaving hospitals and healthcare entities exposed to increasingly sophisticated attacks.

Senator Wyden's call for mandatory cybersecurity regulations aligns with efforts from the Biden Administration to establish minimum standards for the healthcare sector. However, industry groups like the American Hospital Association have pushed back against mandatory measures, arguing that hospitals should not be held accountable for cybercriminal activities beyond their control.

The recent attack on Change Healthcare highlights the inadequacy of current defensive efforts, with experts emphasizing the need for strict security requirements across the healthcare ecosystem. This includes comprehensive standards for critical components of the healthcare infrastructure, along with support for smaller providers lacking dedicated cybersecurity resources.

However, the prospect of mandatory cybersecurity regulations has met staunch opposition from hospital and healthcare groups. Richard J. Pollack, head of the American Hospital Association, argues that imposing fines or penalties on hospitals for cyberattacks would be unfair, particularly given the financial strain many institutions are already facing.

In a letter to Wyden and Senate Finance Committee ranking member Sen. Mike Crapo of Idaho, Pollack stated: "Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks. The Administration's budget proposal for hospitals is misguided, and it will not improve the overall cybersecurity posture of the healthcare sector."

Despite industry resistance, the White House is moving forward with plans to introduce minimum cybersecurity standards for the healthcare sector. These standards, expected to be rolled out through updates to the Health Insurance Portability and Accountability Act (HIPAA), aim to establish a baseline for digital security in the industry.

The complexity of the healthcare ecosystem, compounded by separate regulators and diverse technology platforms, presents a significant challenge in securing sensitive patient data and critical infrastructure. Attacks often originate through third-party vendors or service providers, highlighting the interconnected nature of the healthcare supply chain.

Efforts from federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) to provide assistance and guidance to healthcare providers have been hindered by resource constraints and organizational barriers. Collaborative initiatives, such as the Cyber Threat Intelligence League, have shown promise in identifying vulnerabilities and mitigating risks, but systemic issues persist, particularly in smaller, under-resourced healthcare organizations.

As the healthcare industry grapples with the aftermath of the Change Healthcare supply chain attack and the ongoing threat of ransomware, the need for comprehensive cybersecurity regulations has never been more pressing. While industry resistance and bureaucratic hurdles remain significant challenges, the stakes for patient care and critical infrastructure demand decisive action from policymakers and stakeholders alike.
