Key takeaways from the Change Healthcare hearing

On Tuesday morning, the House Health Subcommittee held a hearing to analyze the aftermath of the Change Healthcare cyberattack. Healthcare leaders and cybersecurity experts testified before the Subcommittee to share their analysis and propose solutions to improve the Nation’s cybersecurity response plan in the healthcare sector. 

Key Takeaways and shared concerns

• Consolidation in healthcare increases cybersecurity risk

“One of our recommendations is that in any future considerations of mergers and acquisitions in the healthcare sector that among the various antitrust considerations such as market concentration and competition implications that the potential for there becoming either a single point of failure for either low redundancy or no redundancy that could cause a catastrophic cyberattack – if that finding is positive – than that should very seriously be taken into consideration as to whether to approve a merger or some kind of consolidation that could increase cyber risk.” 

Greg Garcia, Executive Director for Cybersecurity, Healthcare Sector Coordinating Council

“With a company that size with the immense amount of resources that they have – they’re the largest healthcare technology company in the world. We would expect that they would be using the most advanced, redundant, resilient technology to prevent an attack like this which impacted so many Americans and risked their data and patient care as well.”

 John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association

• Third-party services providers need to be held accountable

“Hold third-party product and service providers and business associates to a higher standard of secure-by-design and secure by default for technology and services used in critical healthcare infrastructure.” 

Greg Garcia, Executive Director for Cybersecurity, Healthcare Sector Coordinating Council

“There is little no reason why insurers could not have continued to make weekly payments based on the physicians’ unique history, then reconciled once the clearing house outage was resolved. Recall that insurers are paid premiums in advance of care and have the money on hand.” 

Dr. Adam Bruggeman, MD, Orthopedic Surgeon, Texas Spine Center

“We need more collective [cybersecurity] responsibility across those who are stewarding healthcare data.” 

Scott MacLean CHIME Board Chair and SVP and CIO of MedStar Health

“Most of these software programs limit their liability – and dramatically. My liability with most of our electronic medical records is $10,000 or less. Meaning that if there was a breach, they would pay up to three months worth of our software fees against the breach and the cost of rectifying the breach has the potential to run into the hundreds of thousands to recover that I would be responsible for even though it was not my breach.” 

Dr. Adam Bruggeman, MD, Orthopedic Surgeon, Texas Spine Center

• Government needs to enact better a preparedness and better response plan

“Enhance a government-industry rapid response capability against systemic attacks.”

Greg Garcia, Executive Director for Cybersecurity, Healthcare Sector Coordinating Council

“It is critical that Congress provide additional authority for advanced accelerated payments that would allow CMS to be more responsive to the needs of providers during future emergencies.”

John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association

• Healthcare cybersecurity is an issue of national security

“[Cybersecurity] is a national security risk because we are one of the 16 critical infrastructures and if we’re disrupted, then everyone is.” 

Scott MacLean, CHIME Board Chair and SVP and CIO of MedStar Health

“Foreign-based groups will try to use the data to conduct other types of fraud like identity theft fraud…and we do have instances where hostile nation-states will use that data for intelligence purposes to identify government employees, illnesses they may have, and potentially use it for recruitment of government employees in sensitive positions.” 

John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association