AHA raises concerns over cybersecurity penalties for hospitals

In a statement to the Committee on Energy and Commerce Subcommittee on Health, the American Hospital Association said it was concerned over potential penalties for hospitals and other healthcare facilities that fall short of the Biden administration’s cybersecurity standards.

According to the hospital group, hospitals and health systems are not the primary source of cyber risk exposure facing the healthcare sector. An internal review of the top data breaches in 2023 showed that more than 95% of the most significant health sector data breaches – defined by those in which over one million records were exposed – were related to “business associates” and other nonhospital healthcare entities, including the Centers for Medicare and Medicaid Services, which had a breach included in the top 20 largest data breaches last year.

The AHA said it supports voluntary consensus-based cybersecurity practices, such as those announced in January by the Department of Health and Human Services, because the performance goals are targeted at defending against common cyberattack tactics, such as the exploitation of known technical vulnerabilities, phishing emails and stolen credentials.

President Biden’s FY 2025 budget recommends new penalties for hospitals and health systems for not meeting what the administration defines as essential cybersecurity practices. Beginning in FY 2029, the administration proposes to enforce adoption of essential practices with hospitals failing to meet these standards facing penalties of up to 100% of the annual market basket increase and, beginning in FY 2031, potential additional penalties of up to 1% off the base payment.

Critical access hospitals that fail to adopt the essential practices would incur a payment reduction of up to 1%, but their total penalty is capped. While it is coupled with funding purported to assist hospitals in defending against cyberattacks, the per hospital benefit would be extremely limited, the AHA said.

“The AHA opposes proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” the AHA wrote. “The now well-documented source of cybersecurity risk in the health care sector, including the Change Healthcare cyberattack, is from vulnerabilities in third-party technology, not hospitals’ primary systems.”

Imposing fines or cutting Medicare payments, in the AHA’s view, would diminish hospital resources needed to combat cybercrime.

What’s the impact?
To make meaningful progress on cybercrime, the group said Congress should focus on the entire healthcare sector, not just hospitals. To that end, it believes Congress should deploy a strong and sustained offensive cyber strategy to combat the ongoing threat.

“Healthcare is a top critical infrastructure sector with direct impact to public health and safety and must be protected,” the AHA wrote. “Any cyberattack on the healthcare sector that disrupts or delays patient care creates a risk to patient safety and crosses the line from an economic crime to a threat-to-life crime. These attacks should be aggressively pursued and prosecuted as such by the federal government.”

Imposing swift and certain consequences on cyber adversaries, who are often provided safe harbor in noncooperative foreign jurisdictions, is essential to reducing cyber threats, the group said.

It called the cybersecurity proposal in Biden’s FY 2025 budget “misguided” and said that imposing or cutting Medicare payments will only weaken the collective cyber defense capability of the healthcare sector.

The penalties in the proposal, in the AHA’s view, would deplete resources needed to combat cybercrime.

“To make meaningful progress in the war on cybercrime, AHA urges Congress to enact policies that address cybersecurity sector-wide and not force hospitals to shoulder responsibility for systems outside of their control,” the group wrote.

The larger trend
The Change Healthcare cyberattack, which brought intense focus to the topic of cybercrime in healthcare, is expected to cost UnitedHealth Group $1 billion to $1.5 billion this year, according to CFO and president John Rex.

The February 21 cyberattack disconnected Change from claims payments for hospitals and physician practices, disrupting provider revenue and financial stability to the point of potential bankruptcy for some practices, according to a recent American Medical Association survey.

UnitedHealth Group, the parent company of Optum, which owns Change, has been working to restore systems and is offering accelerated payments to providers. The company said it has provided over $6 billion in advance funding and interest-free loans.

The expectation is to fully return to performance levels next year. Healthcare Finance News