As U.S. hospitals struggle to pay their employees amid a cyberattack that knocked out a major payment vendor, a powerful Democratic senator is seizing the moment to push for better security in the sorely vulnerable healthcare sector.

Sen. Mark Warner (D-VA) has introduced legislation that would require hospitals and their technology vendors to implement cybersecurity best practices before the government offers them any emergency payments. It’s a proposal that reflects his immense frustration with an industry that he says has consistently underinvested in vital digital defenses — negligence that burst into the spotlight in February when Change Healthcare, the largest medical claims processor in the U.S., shut down its systems after suffering a ransomware attack, cutting off payments to already cash-strapped hospitals and plunging the industry into crisis.

“We need to get some minimum cybersecurity standards into healthcare,” Warner told Recorded Future News in a recent interview. “We’ve been talking about this for some time without a lot of action.”

As chairman of the Senate Intelligence Committee, Warner has access to the most sensitive information about how foreign governments and cybercriminals are trying to hurt Americans by disrupting critical infrastructure. While others focus on shoring up cyber defenses at water facilities and schools, Warner has concentrated on healthcare facilities. In late 2022, his office issued a white paper laying out policy responses to the health sector’s cyber crisis. Last November, he launched a bipartisan Senate working group to consider legislative solutions.

“Cybersecurity in healthcare is really about patient safety,” Warner said. And with the Change hack still affecting hospitals across the country, and the Biden administration planning regulations to boost the industry’s cyber posture, Warner believes the time is right to press his case.

“Nothing moves until an incident,” he said, “and then you’ve got to be ready, and things move quickly.”

Change is in the air

A constant barrage of cyberattacks has shown that the healthcare community is among the most poorly guarded parts of U.S. critical infrastructure. Hackers have repeatedly breached hospital chains, insurers and vendors, and the healthcare sector topped the list of ransomware victims in 2023, according to FBI data.

With hospitals facing a perpetual funding crunch that the COVID-19 pandemic sharply exacerbated, Warner wants to focus regulation on the vendors that sell technology to these facilities. “We have to change the incentive system to make cyber built in … before the product or software otherwise goes to market.”

Healthcare’s cyber weaknesses largely flew under the general public’s radar for years. But the Change Healthcare hack, which could be costing providers tens of millions of dollars a day in cash flow disruptions, starkly highlighted the problem — and may have given lawmakers like Warner the political momentum necessary to overcome long-standing industry opposition to regulation.

“The Change hack was something that got the industry’s attention in a pretty dramatic way,” Warner said. “We suddenly saw something that really rocked about a third of the healthcare industry.”

The Biden administration scrambled to respond as providers warned of dire cash shortages. The Department of Health and Human Services (HHS) began making emergency payments, the department opened an investigation into Change’s security failures and administration officials summoned company leaders to a White House meeting with other industry representatives to stress the importance of a collective response.

Now, Warner is hoping for prompt action on his legislation in the brief window of time before the emergency passes. When asked whether he saw the Change crisis as an example of the old adage “never let a good crisis go to waste,” Warner responded, “That’s my hope.”

Carrots, costs and certifications

Warner’s legislation, the Health Care Cybersecurity Improvement Act, would require healthcare providers experiencing cash-flow problems due to a cyberattack to meet “minimum cybersecurity standards” before receiving emergency funds from the Centers for Medicare and Medicaid Services (CMS). If the cyberattack targeted one of the provider’s vendors, that vendor would also need to meet the minimum standards before the provider could receive funding.

The bill leaves it up to the HHS secretary to determine what constitutes minimum cyber standards. HHS recently published health-specific Cybersecurity Performance Goals based on broader guidance from the Cybersecurity and Infrastructure Security Agency (CISA).

Warner said he chose to link cyber hygiene requirements to financial assistance to avoid the harder-edged approach of simply mandating improvements with no associated benefits. “We’ve been trying to fashion this a little bit more into a carrot,” he said.

But he also made it clear that, no matter what approach Congress takes, the status quo of unconditional federal payments is no longer acceptable. “The alternative of saying, ‘Okay, we’re going to continue to reimburse regardless of putting minimum standards in place’ doesn’t hold water.”

The powerful healthcare industry has repeatedly opposed new provider regulations, and Warner said his bill has already “picked up knee-jerk reactions from some of the trade associations that reflexively said, ‘We don’t want any new mandatory standards on any subject.’”

Department of Health and Human Services headquarters in Washington, D.C.

The Department of Health and Human Services is planning its own regulatory changes to improve healthcare cybersecurity.

The American Hospital Association, one of the industry’s most influential lobbying groups, declined to comment on the bill. But the AHA — which has harshly criticized Change’s limited assistance to struggling providers — previously told Warner that it opposed CMS’s planned cybersecurity updates to hospitals’ operating regulations because of the “significant financial investment” and staff training that they would require.

These arguments irritate Warner, who argued that there’s no reason why the industry should get to treat cybersecurity differently from any other patient safety imperative.

“A hospital can’t say, ‘Well, we can’t afford our nursing ratios anymore. We can’t afford to have backup power,’” Warner said. “We have a series of requirements already for provider operations that are built into the system. And yes, this is a new one. But you can’t just say, ‘All right, well, this is a whole new area, and we can’t do anything.’”

Still, Warner is sensitive to cost concerns. He acknowledged that the government would have to offer “some level of reimbursement” to help hospitals upgrade and secure their computers and other devices. “How you go back and retrofit equipment,” he said, “is a challenge.”

In addition to hospitals fixing old equipment, Warner also wants to see health-technology vendors designing new products with cybersecurity in mind. To encourage this shift, and to help hospitals buy the safest products, Warner wants the government to create a best-practice certification for health technology, akin to the Energy Star label that distinguishes energy-efficient appliances.

Growing interest

Even before the Change hack, policymakers were increasingly joining Warner’s quest for cybersecurity improvements to the healthcare sector.

In November, Warner and Sen. Bill Cassidy (R-LA), the ranking member of the Senate Health, Education, Labor, and Pensions Committee, joined Sens. John Cornyn (R-TX) and Maggie Hassan (D-NH) in forming a working group to explore legislative options.

“There’s a lot of interest” in the issue among the group’s members, Warner said, although discussions are happening “mostly at the staff level at this point.”

Meanwhile, the Biden administration is pursuing its own healthcare cybersecurity strategy. HHS is planning two regulatory changes: the addition of cybersecurity requirements to the Medicare and Medicaid participation rules for hospitals, and an update to the landmark health-data security rule under the Health Insurance Portability and Accountability Act (HIPAA).

Warner said he expected to soon receive a briefing from the Biden administration on these plans, adding, “I’m supportive, directionally, of what the administration is doing.”

Next steps

As the ongoing Change crisis recedes from the headlines, Warner is determined to keep the issue of vulnerable hospitals and patients front and center in Congress.

Warner said he’s angling to get his bill a hearing in the Senate Finance Committee, whose chairman, Ron Wyden (D-OR), is an outspoken advocate for increased corporate responsibility and government vigilance on cybersecurity. Wyden is already planning to haul in the CEO of Change’s parent company UnitedHealth Group for a hearing this month.

Warner said he planned to discuss his bill with Wyden in the hope of scheduling a hearing soon. But he acknowledged that passing the legislation would “take some time.”

Even if the bill becomes law, Warner knows it could be a long time before hospitals and their vendors actually have to change their cybersecurity practices. It took three years for the White House to start implementing Warner’s bill regulating federal agencies’ use of internet of things devices, and it took CISA two years to propose a rule implementing a cyber incident reporting mandate for critical infrastructure operators that Warner helped draft.

Still, Warner believes that time is running out for Congress to pass meaningful, measured requirements that can head off a disaster.

“The alternative will be, we’ll end up with some catastrophic event where people die, and then Congress will overreact.”