Following a major cyberattack in late February that crippled Change Healthcare, the largest health care payment system in the country, U.S. Senator Kirsten Gillibrand is calling on the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to put forth a plan to help health care systems navigate this crisis and to prevent attacks like this in the future. The attack on Change Healthcare is preventing health care providers from getting insurance approval for medical procedures and prescriptions. The ripple effect of this has been increasingly serious, causing delays across the country for many patients seeking prescriptions, including on military bases globally. The impact on hospitals’ finances also means that they may be unable to pay physician salaries or acquire medications and supplies.
“The ransomware attack on Change Healthcare is disrupting patient care across the country and causing a cash crisis at large and small hospitals and health care providers,” said Senator Gillibrand. “Key federal agencies – the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency – are working hard to address this problem, but the American people and the health care sector need more support and information. That is why I’m calling on these agencies to share their plan to address this crisis and provide hospitals in need with technical assistance to securely resume operations. I’m also asking HHS and CISA to explain what they are doing to proactively help the health care sector defend against cyber threats.”
The letter was also signed by Senators Jacky Rosen (D-NV), John Hickenlooper (D-CO), Peter Welch (D-VT), Amy Klobuchar (D-MN), Richard Blumenthal (D-CT), Elizabeth Warren (D-MA), Tina Smith (D-MN), Raphael Warnock (D-GA), Bob Casey (D-PA), and Ed Markey (D-MA), and Representatives Jerry Nadler (D-NY), Grace Meng (D-NY), Pat Ryan (D-NY), Joe Morelle (D-NY), Nydia Velázquez (D-NY), Ann Kuster (D-NH), Chrissy Houlahan (D-PA), Chris Pappas (D-NH), Jimmy Panetta (D-CA), Jennifer McClellan (D-VA), and Andy Kim (D-NJ).
The full text of the letter is available here or below:
Dear Director Easterly and Secretary Becerra:
We write today regarding the serious, recent cyber-attack impacting the healthcare sector. The attack against a UnitedHealth Group subsidiary, Change Healthcare, has had a severe and wide reaching effect across the nation. Americans have faced challenges getting their prescriptions filled, and many hospitals, physician’s offices, and pharmacies disconnected their systems from key entities that process billions of healthcare-related transactions annually. We are also concerned about the impact the cyber-attack has had on military clinics and hospitals worldwide, with the Defense Health Agency reporting that the attack caused military members and their families significant delays in filling prescriptions.
Therefore, we request that the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) develop enhanced contingency plans for outages within the healthcare ecosystem and broaden the Joint Cyber Defense Collaborative (JCDC) to ensure key healthcare sector entities proactively receive actionable threat information. We also request that HHS offer guidance to providers about how they may request Medicare advanced and accelerated payments, including by directing the Medicare Administrative Contractors to prioritize expediting the processing of applications by hospitals impacted by the cyber-attack. Finally, we request that CISA and HHS offer technical resources and informational guidance to entities facing challenges securely resuming operations to assist hospitals and health systems that lives depend on.
The disruption is not limited to delays in filling prescriptions. We are hearing from healthcare
sector businesses each day as they voice a growing concern that this cyber-attack already has, or will very soon, create significant cash flow disruptions to their operations. We refer you to the February 26, 2024, letter to Secretary Becerra from the American Hospital Association noting the “immediate adverse impact on hospitals’ finances,” and explaining that, without the critical revenue source from payments, hospitals “may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services.”
As you help health systems navigate this devastating attack, we request information regarding efforts by CISA and HHS to protect Americans and healthcare sector businesses from this cyberattack and the ongoing threat to the healthcare sector. Specifically, we respectfully request a briefing regarding the questions below:
· As the nation’s cyber defense agency, what is CISA doing to monitor and proactively defend against cyber threats impacting the healthcare sector?
· As the Sector Risk Management Agency, what is HHS doing to proactively prepare the sector to face cyber threats and respond to cyber-attacks when they occur?
· How is CISA working with HHS to identify and provide technical support to healthcare critical infrastructure owners and operators that are most at risk?
· What technical assistance did CISA provide the affected entities and how quickly? Did CISA reach out to potentially affected entities with specific offers for assistance that entities declined?
· What steps are being taken to enhance timely sharing of actionable threat information with the healthcare sector?
· What steps are being taken to ensure the healthcare sector has robust contingency plans for system outages?
· How are CISA and HHS sharing information with Information Sharing and Analysis Centers (ISACs), (including the MS-ISAC) and State, Local, Territorial, and Tribal entities concerned about these intrusions?
· How is any applicable support and guidance being shared with smaller healthcare entities that do not have significant cybersecurity staffing and that are not members of the JCDC, Health-ISAC, Healthcare Ready or other affiliated healthcare-related information sharing organizations?
· What immediate steps are being taken to address the delays in filling prescriptions across the country?
· To what extent, and how, has CISA and/or HHS targeted healthcare specific cyber threat and response information to different healthcare organizations including hospitals, physician practices, healthcare support service providers, pharmacies etc.?
· Given the regional implications for this attack, has CISA or HHS considered engaging the Public Health and Medical Services Emergency Support Function under the National Response Framework in responding to this incident?
We appreciate the efforts to date by HHS and CISA to prevent and respond to cyber threats to our healthcare system, and look forward to working together to increase the support to healthcare providers and strengthen the resilience of our healthcare system to attacks such as this. Thank you for your attention to this important matter, and we look forward to your prompt response.