Providers pitch their post-Change cybersecurity policy fixes to sympathetic Congress

Healthcare providers held the receptive ears of lawmakers during a congressional hearing Tuesday morning exploring cybersecurity and related policy changes to be made in the wake of the Change Healthcare attack.

Leadership of the House Energy and Commerce Committee’s Subcommittee on Health and several others often prefaced their questions to witnesses with the circumstances of their constituent healthcare organizations during the disruption—interrupted cash flows, high interest loans, substantial administrative burden, fragmented care coordination and resulting confusion for patients.

“This really deserves a strong response from the Congress, the outrageousness of this,” Rep. Anna Eshoo, D-California, the subcommittee’s ranking member, said. “It’s too important; it’s an entire sector.”

The lawmakers often extended their sympathy to the session’s attendees. Among these were an orthopedic surgeon who described substantial disruption within his office along with hospital industry representatives who described insufficient information and crisis support from both the government and Change Healthcare’s parent company UnitedHealth Group.

“One of the things that concerns me so much about all of this is, everything that we’ve talked about seems geared toward blaming the victim,” Rep. Michael Burgess, M.D., R-Texas, said to a witness surgeon, Adam Bruggeman, M.D. “You are the victim in this, this is not your fault, you did not leave the data out on the sidewalk for someone to drift by and pick it up like it was an abandoned wallet. You were attacked. The government should be helping you with that. Change Healthcare should be helping with that.”

UnitedHealth Group was invited to participate in the session but did not attend. The company released its quarterly earnings earlier Tuesday morning and held a call with investors, during which it announced an uncharacteristic $1.4 billion loss but noted it’s still on pace to meet its 2024 guidance window.

Still, lawmakers repeatedly described UnitedHealth Group’s decision not to attend as “extremely disappointing” and “appalling,” though the company has committed to appearing before lawmakers at a later date. Partway through the hearing, the subcommittee also paused to enter media coverage of UnitedHealth Group’s earnings results and subsequent share price bump into the record.

Reps warm to greater third-party cybersecurity liability, antitrust

Late last year, the Biden administration began establishing a series of cybersecurity performance goals and other enforcement incentives to improve healthcare providers’ adoption of cybersecurity best practices.

Subcommittee Chair Brett Guthrie, R-Kentucky, said he appreciated the administration’s work but said he “can’t help but wonder if we could have avoided the most recent event if these steps were taken much sooner. While I don’t ever believe it is ever too little too late, we have our work cut out for us.”

With payers out of the room, the legislators appeared broadly receptive to the recommendations that provider and cybersecurity witnesses offered for building on that prevention and response policy.

Among these were financial safety nets for small or rural providers and federal incentives to establish and maintain minimum cybersecurity standards roughly in line with the Biden administration’s recent proposals. Witnesses also said that the funds floated in the president’s budget to fuel the cybersecurity performance goals were a good starting point but far from sufficient for the roughly 6,000 hospitals to which it would apply.

More broadly, many representatives were happy to entertain measures that would shift the liability away from providers and onto third parties, whether that be payers or the software and device manufacturers on whom providers rely.

John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk, often noted that strengthened cybersecurity requirements for hospitals wouldn’t have prevented the attack that brought his sector to its knees. He pointed to data showing that more than 95% of 2023’s major data breaches were tied to non-hospital entities, including the government.

“To make meaningful progress in the war on cybercrime, Congress and the administration should focus on the entire healthcare sector, not just hospitals,” he said.

Scott MacLean, board chair of the College of Healthcare Information Management Executives, was of a similar mindset. He noted that “the number of technological factors and undiscovered vulnerabilities outside of our providers’ control is significant. It is an enormous challenge for our sector, and it cannot be solved by imposing costly mandates on providers.”

MacLean told Rep. John Sarbanes, D-Maryland, that his group’s member organizations are currently held to a higher privacy and security standard than their supplier partners. Bruggeman added that most software vendors “limit their liability dramatically” in contracts and are able to do so due to the greater leverage many hold over practices and smaller hospitals.

“I’m looking at a limitation of liability clause: It’s essentially a contract of adhesion in these situations, where one party has way more bargaining power than the other party,” Sarbanes responded while looking over a “fairly typical” limitation of liability clause he brought to the hearing. “You’re on the downside of that, the receiving end of that unfair liability distribution. … [It] really is outrageous when you think about what just happened, how much power and impact and influence is being consolidated in one vendor, and then the cascading impact it has on the provider community.”

The lawmakers broadly saw the attack and systems outage as evidence against consolidation. Healthcare, they agreed, is similar to other industries that already have requirements against concentrated ownership to reduce the risk to vital national infrastructure.

Each of the witnesses and several of the representatives said they would recommend increased consideration of cybersecurity risk when regulators like the Federal Trade Commission weigh a proposed merger.

Several hearing attendees also warned that events like the Change Healthcare disruption could actually fuel increased consolidation by forcing financially threatened providers into the arms of larger entities. When asked by Rep. Earl Carter, R-Georgia, whether UnitedHealth Group was “exploiting physicians’ cash shortfalls” to secure new acquisitions, Bruggeman and Riggi pointed to the fact that UnitedHealth Group’s Optum successfully petitioned for emergency approval to acquire Oregon medical practice the Corvallis Clinic last month.

“How alarming is this? I’m at a loss for words. I just cannot believe this,” Carter responded. “We’ve got to address this situation.”

“Couldn’t agree more,” Health Subcommittee Vice Chair Larry Bucshon, M.D., said.