In the wake of the cyberattack on Change Healthcare, a key senator is urging federal regulators to take immediate steps to require major healthcare companies to beef up their cybersecurity.
Sen. Ron Wyden, D-Oregon, sent a letter to the Department of Health and Human Services (HHS) on Wednesday saying the agency should immediately issue new security requirements such as minimum cybersecurity and resiliency standards. He also said these firms should be required to conduct routine technology audits and offer technical assistance to providers, especially those that have few resources.
Hackers breached a server at Change that did not have multifactor authentication on and spent nine days within the system before deploying ransomware in late February. Wyden noted that HHS does not require major healthcare companies to have multifactor authentication in place.
"It is clear that HHS’ current approach to healthcare cybersecurity—self-regulation and voluntary best practices—is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers," Wyden wrote. "HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the health care sector from further, devastating, easily-preventable cyberattacks."
Wyden acknowledged HHS did announce last year that it intends to update the cybersecurity regulations in healthcare, which have been in place since 2003. However, he said the agency can go beyond that.
He added that the agency's lax oversight in this area has been a major contributor to the rise of cyberattacks in healthcare. In 2022, for example, there were more than 600 breaches that impacted about 42 million people, Wyden said.
"The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security," he wrote.
Wyden has been highly critical of UnitedHealth Group and HHS in the aftermath of the cyberattack and last week sent a letter to the heads of the Federal Trade Commission and the Securities and Exchange Commission pushing them to hold the company's executives accountable for the hack.