Becerra to stakeholders: It's time to take accountability for cybersecurity

Cybersecurity concerns sucked up much of the air in the room during President Joe Biden's proposed 2025 fiscal year budget briefing amid the ongoing Change Healthcare cyberattack drama.

Department of Health and Human Services (HHS) officials said Monday the new budget invests $141 million for cybersecurity initiatives, including $12 million to the department's internal agency, the Administration for Strategic Preparedness and Response.

The budget also establishes a $1.3 billion Medicare incentive program to help hospitals adopt recently released cybersecurity practices, said HHS Deputy Secretary Andrea Palm. It is modeled on certified health information technology programs established more than a decade ago.

Funds would go to a predetermined 2,000 hospitals deemed to be most in need of cybersecurity assistance, the American Hospital Association (AHA) said in a news release.

Change Healthcare, a unit of UnitedHealth Group, was breached starting Feb. 21. Since then, its systems have been offline as the industry reels. Insurers have said they've seen a 20% reduction of claims data from providers since the attack took place, and providers have called on support from the federal government and payers to get them through the crisis.

The feds sent a letter to UnitedHealth Group and other payers, urging UHG to expedite payments to providers and to "meet the moment."

HHS Secretary Xavier Becerra applied more pressure to those affected by the Change Healthcare hack in his remarks this week, choosing to strike an unsparing tone yet looking forward to the future. In no uncertain terms, he said the relationship must be a two-way street.

"We have done everything we can to make sure that no provider says 'I can't get paid. It's hard for me to take in any patient,'" he said. "At the same time, we're going to do everything we can to hold those accountable. This harkens back to the whole infant formula fiasco, where once again market failure led Americans to have to experience real grief, and in some cases, absence of the thing that they needed most to feed their children.

"Private sector has to step up," he added. "If they don't want the federal government to be part of that process as a partner, whether it's through oversight or regulation, then they have to step up. They can't just throw up their hands and say 'well, we were cyberattacked and now we need to be bailed out.'"

Supply chain issues caused a shortage in baby formula in 2022, leading to the White House, the Food and Drug Administration and HHS all to release guidance on how parents should best manage the situation.

In January, the department released the first step of its strategic plan to incentivize hospitals to address systemic cybersecurity challenges. It addresses common attack vectors against hospitals HHS has spotted as well as publishes voluntary cybersecurity goals covering protection, response and mitigation that providers should meet. The initiative has earned support from the Federation of American Hospitals and the AHA.

HHS has said it has seen a 93% increase in data breaches reported to the agency from 2018 to 2022, putting the hospital ecosystem at great risk.

Starting in fiscal year 2029, hospitals that don't meet security standards could be penalized up to 100% of the annual market basket rate increase, the AHA said. Becerra is open to Congress implementing this policy but is willing to use the agency to enact change where it is needed.

"We are intent on getting the healthcare sector to recognize how critical it is that they take up whatever measures they can because they are subject to be attacked, as we see now with Change Healthcare," he said.

The warning behind his remarks grew stronger still, alerting small providers that although the transition may be rocky, it is necessary.

"It is not cheap," he conceded. "For smaller players, especially in rural and underserved communities, it can be difficult to adopt some of these new technologies. We understand it can be a dicey proposition, but it's not an option. At some point, we will transition from supporting to saying 'You had your chance. Now you're making it difficult for everyone' by not being protected."