WASHINGTON – U.S. Senator John Hickenlooper joined a bicameral group of colleagues to call on the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to introduce a plan to help health care systems increase their data security protections and prevent cyberattacks.
Hickenlooper’s call to action follows a major cyberattack in late February that crippled Change Healthcare, the largest health care payment system in the country. The Change Healthcare attack forced the company to shut down many of its systems, hurting patients and preventing healthcare providers from getting insurance approval for medical procedures and prescriptions. Senator Hickenlooper’s office is working to support Colorado hospitals and health care providers negatively impacted by the attack.
“The attack against a UnitedHealth Group subsidiary, Change Healthcare, has had a severe and wide reaching effect across the nation. Americans have faced challenges getting their prescriptions filled, and many hospitals, physician’s offices, and pharmacies disconnected their systems from key entities that process billions of healthcare-related transactions annually,” the lawmakers wrote.
“The disruption is not limited to delays in filling prescriptions. We are hearing from health care sector businesses each day as they voice a growing concern that this cyber-attack already has, or will very soon, create significant cash flow disruptions to their operations,” they continued.
In their letter, Senator Hickenlooper and his colleagues requested information regarding efforts undertaken by CISA and HHS to protect Americans’ health data and health care sector businesses from this cyberattack and the ongoing threat to the health care sector.
Full text of the letter is available HERE and below:
Dear Director Easterly and Secretary Becerra:
We write today regarding the serious, recent cyber-attack impacting the healthcare sector. The attack against a UnitedHealth Group subsidiary, Change Healthcare, has had a severe and wide reaching effect across the nation. Americans have faced challenges getting their prescriptions filled, and many hospitals, physician’s offices, and pharmacies disconnected their systems from key entities that process billions of healthcare-related transactions annually. We are also concerned about the impact the cyber-attack has had on military clinics and hospitals worldwide, with the Defense Health Agency reporting that the attack caused military members and their families significant delays in filling prescriptions.
Therefore, we request that the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) develop enhanced contingency plans for outages within the healthcare ecosystem and broaden the Joint Cyber Defense Collaborative (JCDC) to ensure key healthcare sector entities proactively receive actionable threat information.
We also request that HHS offer guidance to providers about how they may request Medicare advanced and accelerated payments, including by directing the Medicare Administrative Contractors to prioritize expediting the processing of applications by hospitals impacted by the cyber-attack. Finally, we request that CISA and HHS offer technical resources and informational guidance to entities facing challenges securely resuming operations to assist hospitals and health systems that lives depend on.
The disruption is not limited to delays in filling prescriptions. We are hearing from healthcare sector businesses each day as they voice a growing concern that this cyber-attack already has, or will very soon, create significant cash flow disruptions to their operations. We refer you to the February 26, 2024, letter to Secretary Becerra from the American Hospital Association noting the “immediate adverse impact on hospitals’ finances,” and explaining that, without the critical revenue source from payments, hospitals “may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services.”
As you help health systems navigate this devastating attack, we request information regarding efforts by CISA and HHS to protect Americans and healthcare sector businesses from this cyberattack and the ongoing threat to the healthcare sector. Specifically, we respectfully request a briefing regarding the questions below:
- As the nation’s cyber defense agency, what is CISA doing to monitor and proactively defend against cyber threats impacting the healthcare sector?
- As the Sector Risk Management Agency, what is HHS doing to proactively prepare the sector to face cyber threats and respond to cyber-attacks when they occur?
- How is CISA working with HHS to identify and provide technical support to healthcare critical infrastructure owners and operators that are most at risk?
- What technical assistance did CISA provide the affected entities and how quickly? Did CISA reach out to potentially affected entities with specific offers for assistance that entities declined?
- What steps are being taken to enhance timely sharing of actionable threat information with the healthcare sector?
- What steps are being taken to ensure the healthcare sector has robust contingency plans for system outages?
- How are CISA and HHS sharing information with Information Sharing and Analysis Centers (ISACs), (including the MS-ISAC) and State, Local, Territorial, and Tribal entities concerned about these intrusions?
- How is any applicable support and guidance being shared with smaller healthcare entities that do not have significant cybersecurity staffing and that are not members of the JCDC, Health-ISAC, Healthcare Ready or other affiliated healthcare-related information sharing organizations?
- What immediate steps are being taken to address the delays in filling prescriptions across the country?
- To what extent, and how, has CISA and/or HHS targeted healthcare specific cyber threat and response information to different healthcare organizations including hospitals, physician practices, healthcare support service providers, pharmacies etc.?
- Given the regional implications for this attack, has CISA or HHS considered engaging the Public Health and Medical Services Emergency Support Function under the National Response Framework in responding to this incident?
We appreciate the efforts to date by HHS and CISA to prevent and respond to cyber threats to our healthcare system, and look forward to working together to increase the support to healthcare providers and strengthen the resilience of our healthcare system to attacks such as this.
Thank you for your attention to this important matter, and we look forward to your prompt response.
Sincerely,
###