Legislation Introduced to Provide Advance Payments to Providers Affected by Cyberattacks

This week, Senator Mark R. Warner (D-VA) introduced new legislation that will allow for advance and accelerated payments to healthcare providers in the event of a cyberattack. The new legislation was introduced in response to the recent ransomware attack on Change Healthcare, which caused an outage that lasted for more than 4 weeks. The outage prevented physicians and hospitals from processing claims, billing patients, and checking insurance coverage for care, and the reimbursement delays have left many healthcare providers struggling to pay workers and buy supplies, with some placed at risk of becoming financially insolvent.

Given the increase in cyberattacks on the healthcare sector in recent years, a major attack that caused massive nationwide disruption to healthcare was an inevitability, and there will likely be other highly damaging healthcare cyberattacks in the future. The Health Care Cybersecurity Improvements Act of 2024 will help to ensure that in the event of another attack, healthcare providers will not face such challenging financial problems.

Sen. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, has been sounding the alarm about healthcare cybersecurity for some time. In 2022, he published a white paper that framed cybersecurity as a patient safety issue. The Change Healthcare ransomware attack demonstrated how a cyberattack can prevent patients from receiving timely care and essential medications. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

The Health Care Cybersecurity Improvements Act of 2024 will allow for advance and accelerated payments to healthcare providers in the event of a cyber incident; however, they would only qualify if they and their vendors meet minimum cybersecurity standards. In the press release announcing the new legislation, Sen. Warner did not mention what those minimum cybersecurity standards are, as that will be left to the HHS Secretary to determine.

Currently, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can experience cash flow difficulties due to circumstances beyond their control, as happened following the Change Healthcare ransomware attack. The Centers for Medicare and Medicaid Services (CMS) has provided temporary financial relief to Medicare Part A providers and Part B suppliers through Accelerated and Advance Payment (AAP) programs. These programs provide advance payments from the federal government, which are later recovered by withholding payments for later claims.

The Health Care Cybersecurity Improvements Act of 2024 will modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program. If the legislation is passed, the HHS Secretary will determine if the need for payment results from a cyber incident, and if it does, the healthcare provider requiring the payment must meet minimum cybersecurity standards, which will be determined by the Secretary. For instance, a healthcare provider may be required to implement the essential cybersecurity performance goals recently announced by the HHS. If the provider has implemented those minimum cybersecurity measures and the provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards in order for the provider to receive the payments.

If passed, the act would take effect two years from the date of enactment, which will give healthcare organizations sufficient time to ensure they comply with the cybersecurity requirements set by the HHS Secretary.

The post Legislation Introduced to Provide Advance Payments to Providers Affected by Cyberattacks appeared first on HIPAA Journal.

Senator Cassidy Demands Answers About HHS Cyberattack and $7.5M Theft

Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has demanded answers from the Department of Health and Human Services (HHS) about a 2023 cyberattack that resulted in the theft of millions of dollars of grant funds and the failure of the HHS to notify Congress about the incident.

In January this year, Bloomberg published a report about a hacking incident at the HHS. According to the report, hackers had access to an HHS system that processed civilian grant payments between March 2023 and November 2023 and stole $7.5 million. The money should have been transferred to five accounts to provide support for at-risk populations, including children, pregnant women, and patients in rural communities.

Hackers are thought to have used spear phishing emails to target HHS staff, who were tricked into disclosing credentials that allowed access to the grantees’ accounts. The HHS provided a statement at the time confirming the incident had been reported to the HHS’ Office of Inspector General; however, in January, an HHS OIG spokesperson could neither confirm nor deny that an investigation had been launched into the incident.

In his letter to HHS Secretary Xavier Becerra, Sen. Cassidy said the HHS did not notify Congress about the incident and has so far failed to publicly acknowledge the breach, even though federal law requires government agencies to disclose major cyberattacks. Sen. Cassidy said any disruption to grant funding can place healthcare facilities under significant financial strain and the delay in receiving grant awards could delay life-saving care to patients. Cyberattacks on healthcare organizations are increasing and the HHS has issued regular guidance to HIPAA-regulated entities on the steps that should be taken to improve cybersecurity and has recently announced voluntary cybersecurity performance goals for the HPH sector. Senator Cassidy said, “This attack raises serious questions about HHS’ ability to safeguard its own systems and protect taxpayer funds and sensitive data.”

Senator Cassidy also criticized the HHS for the lack of transparency about the breach and its incident response. “HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks,” wrote Sen. Cassidy. “Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again.”

Sen. Cassidy has demanded answers about when the HHS identified the breach of its Payment Management Services (PMS) system, when the system was accessed by hackers, how many grantees were affected, how much was stolen, when the HHS notified the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) about the breach, whether the attack delayed any payments of grant awards, and what steps the HHS has taken to try to recover the stolen funds. Questions were also asked about the safeguards that were in place prior to the attack, its internal incident response plan, the steps that have been taken to identify and address any vulnerabilities in HHS systems, and how the HHS can justify failing to notify Congress. Sen. Cassidy has requested answers on a question-by-question basis by April 5, 2024.

A spokesperson for the HHS confirmed that the HHS has been in regular contact with Congress about the incident and is working to ensure that the affected grantees will have access to the funds that they were awarded. “The event in December was a targeted fraud campaign against the Payment Management System, not a cyberattack,” said the HHS spokesperson. “HHS promptly reported the incident to the HHS Office of Inspector General. As federal stewards of the taxpayer dollar, we take this issue with the utmost importance.”

The post Senator Cassidy Demands Answers About HHS Cyberattack and $7.5M Theft appeared first on HIPAA Journal.