Healthcare organizations would face minimum cybersecurity standards under a new bill proposed by Sen. Mark Warner (D-VA) that would impose a set of requirements on how they protect data and conduct business.
On its face, the measure is a striking response to the massive Change Healthcare incident and, if enacted, would be a long time coming. It arrives in the wake of at least six class action lawsuits filed against Change Healthcare and its parent company UnitedHealth Group as of March 20, 2024.
The complaints allege that the medical clearinghouse failed to enact adequate security protections ahead of a monstrous ransomware attack a month ago that hobbled much of the healthcare industry. The attack is said to be the work of the ALPHV/BlackCat cyber crew.
Four of the lawsuits are filed against Change in Tennessee and two are filed against UnitedHealth in its home state of Minnesota.
MSSPs Have Skin in the Game
If the matter hasn’t already caught the attention of healthcare-centric managed security service providers (MSSPs) operating as trusted advisors to their clients, it should. For larger MSSPs, the event could require them to become more intertwined with security decision making at the corporate level. And for the smaller MSSPs supporting local and regional healthcare facilities, more might be asked of them as well to protect their customers.
Ultimately, this could create new opportunities for MSSPs. For example, Cynerio, a cybersecurity solutions provider for healthcare IoT, recently expanded its partner ecosystem in North America. Among its new benefits to MSSPs are real-time identification and inventory of IoT and medical device assets, automated detection of device vulnerabilities, and risk and threat mitigation.
Warner’s proposed legislation, which would provide advance payments to eligible downstream companies damaged in a cyber event, will likely be met by serious headwinds. The American Hospital Association (AHA), which has taken a laissez faire position on cybersecurity mandates, opposes legislative intervention.
The AHA, in a letter sent to the Senate Finance Committee, said it “cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals and the healthcare system, including the current Change Healthcare cyberattack, have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks.”
Feds Launch Investigation into Change
At the federal level, the Department of Health and Human Services (HHS) has begun an investigation into whether Change violated the Health Insurance Portability and Accountability Act (HIPAA) governing patient privacy, an action that could force the industry to make substantive changes. Under HIPAA, healthcare clearinghouses, plans and providers must report breaches to affected individuals within 60 days of discovery.
HHS produced a cybersecurity report in January on ransomware and healthcare.
To date, Change has not disclosed information about what patient data may have been exposed or how many patients’ information has been compromised. The payment processor’s technology touches more than 30% of American patient records, the company has said.
There is big money floating all around the issue. The ALPHV syndicate has claimed that it stole six terabytes of information, a treasure trove of personal data on healthcare patients. Cybersecurity researcher Jeremiah Fowler told CNBC that on the dark web medical records sell for $60, compared to $15 for a Social Security number and $3 for a credit card.
To add to the financial pile, as of March 22, 2024, Change said it had advanced more than $2.5 billion to care providers through its Temporary Funding Assistance Program at no cost to the recipients. Change is also rumored to have held out for two weeks before coughing up some $22 million in ransom to ALPHV to recover its data, a claim it has not denied.
Lawsuits Pile Up
In addition, the class action lawsuits, if successful, could cost Change a staggering amount of money. The first of those lawsuits was a class action filed March 14 by New Albany, Mississippi-based Advanced Obstetrics & Gynecology.
Another action, filed by Concord, California-based Bay Area Therapy Group, alleged Change’s failure to shore up its cybersecurity forced the company to secure emergency loans with interest rates of 50% to meet payroll and pay other basic expenses, according to a report in Beckers Hospital Review. MSSP Alert has reached out to Bay Area Therapy Group for comment.
The most recent class action suit, filed in Tennessee by the Zimmerman Law Offices, claims that Change did not discover the “intrusion until it was too late, and their systems were knocked out for weeks, grinding the insurance claims process to a halt and preventing the processing and payment of insurance claims.” The lawsuit states that due to the breach healthcare providers and pharmacies “lost the ability to submit insurance claims and obtain insurance payments,” straining them financially.
According to the complaint, Change “failed to adequately protect their systems, failed to adequately prepare for known threats, and failed to reasonably prevent the breadth and scope of the data breach.”
Thomas Zimmerman, an attorney with the Chicago-based firm that bears his name, told MSSP Alert that “we are not asking hospitals to do anything more than what every other business is required to do: comply with industry standards for data security.”
Since the cyberattack that hit Change on February 21, 2024, cascading to hundreds of pharmacies and impacting patient care, the company has been under withering charges that its cybersecurity standards have been sub-par. That criticism has expanded to the healthcare industry as a whole and drawn the attention of federal authorities.
Legislative Remedy?
Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Tech, told the Washington Post last week that “[Congress] has not passed any legislation providing authorities to mandate minimum standards, which is why we have been using sector emergency authorities or rule making.” She said some cyber requirements are in the works for providers that accept Medicare and Medicaid.
If anything, the Change attack may have perked up Congress’ ears. Rep. Richard Neal (D-MA), the top Democrat on the House Ways and Means Committee, told the Washington Post that the “recent cyberattack on Change Healthcare and the resulting fallout demonstrates the potential consequences we face if we do not take appropriate measures to protect and secure our data.”
At this point, no baseline cybersecurity standards exist for healthcare organizations, despite the fact that the sector is among the most heavily targeted by cyberattackers, according to U.S. federal government statistics. In a recent report, HHS said that more than 630 ransomware incidents hit healthcare globally in 2023, with 460 of them hitting organizations in the U.S.
According to the HHS Office for Civil Rights (OCR), ransomware and hacking are the primary cyber threats in healthcare. Indeed, in the past five years, there has been a 264% increase in ransomware breaches, OCR said.
Attorney Eric Tilds, who previously served as chief legal officer of Logicalis until starting his own firm in 2021, told MSSP Alert that the class action lawsuits will have to contend with one of the more difficult procedural issues in getting the class certified.
“To [certify the class] you need a large class of affected individuals, and their claims must be similar,” he said. “In this case, without analyzing the merits of the case, it seems to me that there are a large number of potential plaintiffs with similar claims. It’s also important to note that usually, only the class representatives (the named plaintiffs) receive significant compensation if their case is successful; all other class members are thrown into a pool and generally receive lesser amounts.”
Warner, who co-chairs the Senate Cybersecurity Caucus, said in a statement that his bill would provide some important financial incentives for providers and vendors. The healthcare industry needs to “step up its game,” he said. “It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide.”
Sen. Ron Wyden (D-OR) also intends to introduce legislation to establish minimum cybersecurity standards. Wyden, the Senate Finance Committee chair, said the legislation would include “fines and accountability for negligent CEOs” to protect patients and national security.
“I’m also investigating whether additional legislation is needed to bolster security in the health care sector, including increasing financial penalties and holding company executives liable for failing cybersecurity 101,” he said in a statement.
$10 Million Reward Offered
On Wednesday, March 27, U.S. officials floated a $10 million reward for information on the Change Healthcare cyberattackers.
Under the government’s Rewards for Justice program, officials seek “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.”
The ALPHV/BlackCat ransomware-as-a-service group “compromised computer networks of critical infrastructure sectors in the United States and worldwide, deploying ransomware on the targeted systems, disabling security features within the victim’s network, stealing sensitive confidential information, demanding payment to restore access, and threatening to publicize the stolen data if victims do not pay a ransom,” U.S. officials said.