As Frequency of Healthcare Data Breaches Surges, Healthcare Leadership Council Urges Policymakers to Act

Letter to House Energy and Commerce Committee Subcommittee on
Health Outlines Areas Ripe for Government Action

WASHINGTON, DC, APRIL 16, 2024 — The Healthcare Leadership Council (HLC), the leading health industry association representing all disciplines of American healthcare, yesterday sent a letter to leadership of the U.S. House of Representatives Energy and Commerce Committee Subcommittee on Health outlining areas ripe for government action to bolster the private sector’s ability to better prepare for and respond to cyber attacks. The letter was sent in advance of today’s hearing, “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.”

“Recent events have brought much needed attention to the risks at stake as the healthcare sector defends itself from an unprecedented number of ransomware and other cybersecurity attacks,” wrote HLC president and CEO Maria Ghazal on behalf of HLC. “Criminals who attack one segment of the healthcare sector cause cross-sector disruption and jeopardize patient safety. These bad actors require a unified and strong industry-wide response, and our members are committed to collectively safeguarding patients and protecting their data.

“The Administration took swift action to help mitigate the impact of the Change Healthcare cyberattack by accelerating payments to Medicare Part A providers and announcing Medicare Part B advanced payments. However, the impact on providers, payers and patients remains significant. As the frequency of healthcare data breaches continues to increase at a staggering rate, already doubling over the last five years to more than 720 breaks annually, a standard predictable response would ensure that patients can continue to receive the necessary care, and physicians are able to be compensated, even when systems are compromised.

“Congress and federal agencies must focus further cybersecurity efforts on actions that will offer clear guidance and needed support, rather than punishing legally operating businesses victimized by criminal bad actors. While organizations that violate HIPAA or mismanage data should be held accountable, vilifying healthcare companies compromised by a security hack will only further stress critical infrastructure. We have identified the following areas that are ripe for government action:

• Ransomware Response – Healthcare organizations need guidance when facing ransomware attacks, including recommendations for appropriate responses. While the FBI advises not paying, there are often life-threatening consequences that result from such a stance which necessitate additional consideration.
• Data Breaches and Protections – Congress should consider expanding the protections established under the January 2020 HITECH Act, to offer organizations that implement a comprehensive cybersecurity program full safe harbor protection in the event of cyber incidents beyond their control. This will encourage disclosure and mutual support, a far more constructive and effective mechanism for combatting cyberattacks in the healthcare sector than the current public reporting process.
• Leadership and Coordination – There are many organizations and officials whose duties and missions involve health sector cybersecurity at some level including the Healthcare Sector Cybersecurity Coordinated Center, the Health Sector Coordination Council, and the Office of the National Cyber Director. While there is clearly a great deal of constructive activity and focus on cybersecurity among all these groups, their overlapping roles and the lack of a single dedicated office focused on health sector cybersecurity issues will slow progress in an area, and during a time, when exactly the opposite is needed.

“Given the complex challenges of not only preparing for but responding to cybersecurity incidents, we emphasize again that overall supportive efforts will encourage stakeholders to improve their cyber readiness. Companies need to be bolstered to better respond to threats.”

Contact: Kelly Fernandez at kfernandez@hlc.org, (202) 449-3452