Federal Hearing Focuses on Next Steps for Health Care Cybersecurity

April 16, 2024

The Change Healthcare cyberattack disrupted patient care and operations across the U.S. Now, federal lawmakers are considering what to do next.

This morning, the U.S. Energy and Commerce Health subcommittee hosted a hearing with industry leaders, providers, and other advocates about health sector cybersecurity in the wake of the attack on Change Healthcare.

“We must address the outstanding issues resulting from the cyberattack on Change Healthcare for the wellbeing of our patients and communities,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, said in written remarks.

“These include ensuring providers are reconnected to services, are able to process claims and appeal denials, have the information needed to reconcile payments and issue patient bills, and are able to access needed financial support to mitigate the considerable costs incurred by hospitals and health systems as a result of the cyberattack,” he added.

Among the key takeaways:

• Hearing goal:  The meeting brought together industry officials to discuss ways to protect sensitive health information and the health care sector from disruption.
• New standards:  Earlier this year, the federal government published voluntary cybersecurity performance goals for health care organizations as well as a new website for key cyber resources.
  • The Biden administration’s fiscal year 2025 budget includes additional regulatory incentives that are tied to essential cybersecurity practices.
• Third-party challenges:  About 95 percent of the largest health sector data breaches (involving 1 million records) were related to “business associates” and other non-hospital health care entities, Riggi noted.
• Up next:  The Senate Finance Committee is expected to hold another hearing on Change Healthcare with company leaders in the near future, per media reports.
• Quotable:  “The Change Healthcare attack that occurred on February 21 imposed a stark reminder to the health sector—and indeed to every critical industry sector—that there are essential utilities undergirding our critical infrastructure that, if severely disrupted or disabled, would cause cascading and crippling impact on our national economic security and public health and safety,” said Greg Garcia, executive director for cybersecurity, healthcare sector coordinating council, in prepared remarks.

The hearing and written remarks from this morning’s testimony are available online.

HAP continues to monitor the latest Change Healthcare cybersecurity news and advocate on behalf of our members. Earlier this month, HAP created a one-stop shop to offer the latest resources online, including exclusive member-only information (login required).