The Biden administration and US lawmakers are turning up the pressure on UnitedHealth Group to ease medical providers’ pain after the ransomware attack on Change Healthcare, by expediting payments to hospitals, physicians and pharmacists – among other tactics.
“A hack of this magnitude is inexcusable and every American who is impacted has a right to be outraged,” US senator Ron Wyden thundered last Friday. “It is completely unacceptable that neither UnitedHealth Group, nor federal agencies were prepared for the fallout despite years of evidence that the health care sector is a prime target for criminal hackers.”
Change Healthcare’s software processes 15 billion transactions annually. Since a ransomware attack shut down its systems in late February, medical providers across the US have reported disruptions to patient care and severe cash-flow issues.
ALPHV/BlackCat affiliates claimed responsibility for the cyber attack, and the extortion crew received more than $22 million in the weeks after the attack – a sum thought to be a possible payment to secure decryption of ransomed systems.
In a letter addressed to “health care leaders” on Sunday, the heads of both the US Department of Health and Human Services (DHHS) and the US Department of Labor (DOL) called on UnitedHealth Group to “take responsibility to ensure no provider is compromised by their cash flow challenges” following the cyber attack, and expedite funds to all impacted providers.
UnitedHealth did not immediately respond to The Register’s request for comment.
DHHS secretary Xavier Becerra and DOL acting secretary Julie Su also urged insurance companies to make interim payments to providers, simplify electronic data interchange requirements, and accept paper claims.
“While we believe payers have a unique responsibility and opportunity to address the challenge before us, we urge action on the part of any health care entity that can step up,” the secretaries wrote.
Five days earlier, DHHS announced measures to help hospitals and pharmacies affected by the security fiasco, including more relaxed prior authorization requirements in Medicare and Medicaid.
Meanwhile, lawmakers have heavily criticized the embattled health care IT provider and the federal government’s response to its troubles.
“There’s no shortage of blame to go around,” senator Wyden declared. “UnitedHealth Group botched basic cyber security practices by allowing a single hack to create chaos across the nation’s health care system and should be held accountable. At the same time, federal regulators have been asleep at the wheel on cyber security.”
Wyden called on DHHS to establish “tough, mandatory cyber security standards for the health care industry,” that involve regular auditing to ensure that both providers and technology vendors are protecting patient data.
DHHS has issued voluntary cyber security performance goals for hospitals and other health care organizations – but has stopped short of mandating minimum security requirements even as ransomware and other cyber attacks against the industry have skyrocketed.
“These breaches, which result from lax cyber security practices, harm patients, our healthcare system and US national security,” Wyden continued. “Regulators must prevent companies in critical infrastructure sectors like health care from growing so large that they pose a systemic risk, as occurred here.”
That criticism of the size achieved by health care players is a reference to the October 2022 merger of Optum and Change Healthcare in a $13 billion deal. Parent company UnitedHealth Group completed the acquisition after the US Justice Department and states dropped a lawsuit challenging the merger on the grounds that it was anti-competitive and would lead to higher costs for consumers.
“I’m also investigating whether additional legislation is needed to bolster security in the health care sector, including increasing financial penalties and holding company executives liable for failing cyber security 101,” Wyden warned.
US senator Mark Warner (D-VA) argued that the ransomware infection “should surprise no one,” and pledged to introduce legislation that will accelerate payments to providers in the case of future disruptions “as long as they meet minimum cyber security standards.”
“While the repercussions of this incident have been primarily – though not wholly – financial, what keeps me up at night is the possibility of a similar widespread attack directly affecting patient care and safety,” Warner stated.
The senator added his belief that the US government should consider “mandatory cyber hygiene standards for health care providers and their vendors.”
“Sterilization and hand hygiene practices prevent infections – and cyber hygiene practices prevent cyber intrusions,” Warner declared. “Both are critical to protect patients.” ®