Healthcare Leadership Council Calls on Policymakers to Establish a Standard Predictable Response to Help the Private Sector Navigate Mounting Cyberattacks

HLC: “Congress and federal agencies must focus further cybersecurity efforts on actions that will offer clear guidance and needed support, rather than punishing legally operating businesses victimized by criminal bad actors.”

WASHINGTON, DC, May 1, 2024 — The Healthcare Leadership Council (HLC), the leading health industry association representing all disciplines of American healthcare, today sent a letter to the leadership of the Senate Finance Committee urging policymakers to establish a standard predictable response to cyberattacks in light of their ongoing escalation. The letter was sent in advance of today’s Senate Finance Committee hearing, “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next.”

“Recent events have brought much needed attention to the risks at stake as the healthcare sector defends itself from an unprecedented number of ransomware and other cybersecurity attacks,” wrote HLC president and CEO Maria Ghazal on behalf of HLC. “Criminals who attack one segment of the healthcare sector cause cross-sector disruption and jeopardize patient safety. These bad actors require a unified and strong industry-wide response, and our members are committed to collectively safeguarding patients and protecting their data.

“The Administration took swift action to help mitigate the impact of the cyberattack on Change Healthcare by accelerating payments to Medicare Part A providers and announcing Medicare Part B advanced payments. However, the impact on providers, payers and patients remains significant. As the frequency of healthcare data breaches increases at a staggering rate, already doubling over the last five years to more than 720 breaks annually, a standard predictable response would ensure that patients can continue to receive the necessary care, and physicians are able to be compensated, even when systems are compromised.

“Congress and federal agencies must focus further cybersecurity efforts on actions that will offer clear guidance and needed support, rather than punishing legally operating businesses victimized by criminal bad actors. While organizations that violate HIPAA or mismanage data should be held accountable, vilifying healthcare companies compromised by an unlawful security hack will only further stress critical infrastructure. We have identified the following areas that are ripe for government action:

  • Ransomware Response – Healthcare organizations need guidance when facing ransomware attacks, including recommendations for appropriate responses. While the FBI advises not paying, there are often life-threatening consequences that result from such a stance which necessitate additional consideration.
  • Data Breaches and Protections – Congress should consider expanding the protections established under the January 2020 HITECH Act, to offer organizations that implement a comprehensive cybersecurity program full safe harbor protection in the event of cyber incidents beyond their control. This will encourage disclosure and mutual support, a far more constructive and effective mechanism for combatting cyberattacks in the healthcare sector than the current public reporting process.
  • Leadership and Coordination – There are many organizations and officials whose duties and missions involve health sector cybersecurity at some level including the Healthcare Sector Cybersecurity Coordinated Center, the Health Sector Coordination Council, and the Office of the National Cyber Director. While there is clearly a great deal of constructive activity and focus on cybersecurity among all these groups, their overlapping roles and the lack of a single dedicated office focused on health sector cybersecurity issues will slow progress in an area, and during a time, when exactly the opposite is needed.

“Given the complex challenges of not only preparing for but responding to cybersecurity incidents, we emphasize again that overall supportive efforts will encourage stakeholders to improve their cyber readiness. Companies need to be bolstered to better respond to threats.”