Citing cases where cyberattacks targeted health care systems in the United States, U.S. Sen. Gary Peters (D-MI) recently wrote to the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) requesting cybersecurity boosts for the sector.
“The recent cyberattack on a UnitedHealth Group subsidiary, Change Healthcare, has disrupted their ability to process medical claims, impacting millions of Americans trying to fill their prescriptions and access health care services,” Peters wrote. “HHS should heavily encourage health care entities impacted by the attack to take advantage of available technical and financial resources and assistance from CISA, CMS, and other organizations.”
A ransomware attack struck Change Healthcare on Feb. 21, 2024, disrupting operations as the organization shut down many of its systems in response. This led to an inability to care for patients, to patients being billed for previously covered medication, and to millions being unable to acquire refills.
This is far from the first push for greater cybersecurity in the health care sector that Peters has undertaken as chair of the Homeland Security and Governmental Affairs Committee. Last year, he convened a hearing on this very threat. His Cyber Incident Reporting Act – developed in concert with U.S. Sen. Rob Portman (R-OH) – became law in 2022, requiring critical infrastructure owners and operators to report substantial cyberattacks or ransomware payments.
Now, he wants to see the government take more initiative as well.
“Public outreach and engagement are an important part of increasing cybersecurity across the health care sector,” Peters said. “CISA and HHS in coordination should conduct a campaign to engage and inform health care entities and the public of cybersecurity best practices and resources available to them.”
He requested that HHS and CISA detail their steps to prevent another cyber incident, how they measure and implement sector-specific cybersecurity performance goals, the assistance offered to impacted entities, information sharing, methods of coordination and more. Without rapid, measurable improvements in cybersecurity for the health care sector, Peters added, incidents like the one that hit Change Healthcare will continue to affect patient outcomes and result in significant financial, administrative and logistical issues.