Cybersecurity News

“If you are asking yourself how a cyberattack on a single company could cause such massive damage, you are asking the right question,” an AHA advertorial in April 30's Washington Post, states. “The answer, however, is stunningly simple. Over the past several years, Change Healthcare’s corporate owner, UnitedHealth Group, has acquired so many companies and spread its tentacles so far throughout the healthcare system that it has become ‘too big to fail.’”

The AHA April 29 provided the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations an update regarding outstanding issues continuing to impact patients and hospitals following the Change Healthcare cyberattack, as well as additional actions for Congress and the Administration to consider related to the cybersecurity of the health care sector. 

The Department of Health and Human Services’ Office for Civil Rights April 19 launched a webpage answering HIPAA-related FAQs about the Change Healthcare cyberattack.

U.S.

In a statement submitted to the House Energy and Commerce Health Subcommittee for a hearing April 17 on President Biden’s fiscal year 2025 Health and Human Services’ budget request, AHA expressed concern about proposed new penalties for hospitals and health systems that do not meet what the Administration defines as essential cybersecurity practices.

Department of Health and Human Services Deputy Secretary Andrea Palm addressed AHA Annual Membership Meeting attendees about the Administration’s work to improve access to care and increase the number of people with health insurance, as well as the Change Healthcare cyberattack and what cybersecurity looks like in the future.

Rep. Brett Guthrie, R-Ky., addressed attendees of AHA’s 2024 Annual Membership Meeting and touched on many of the biggest issues in health care: cybersecurity; prior authorization and denials of care; extensions for expiring telehealth provisions; and how government and hospitals can work together to find solutions to these and other problems.

Testifying April 16 before a House Energy and Commerce Subcommittee on Health hearing on addressing health care cybersecurity vulnerabilities in the wake of the Change Healthcare attack, AHA shared proposals and concerns for Congress and the Administration to consider.

Two Administration officials April 14 discussed how the federal government is working with hospitals and other parts of the health care sector to defend against cyber threats and mitigate cyberatta

Sen. Ron Wyden, D-Ore., expressed to AHA members frustration with the Change Healthcare cyberattack, which he believes jeopardized patients and their personal data. 

The Change Healthcare cyberattack was a significant event that caught many off guard, said the Centers for Medicare & Medicaid Services Administrator Chiquita Brooks-LaSure, reiterating the age

“Even before the recent Change Healthcare cyberattack that has left some hospitals fronting millions of dollars in extra costs, a perfect storm of complex factors was already threatening the future of high-quality patient care — and misguided proposals from policymakers risk making things even worse,” writes Nancy Howell Agee, CEO of Carilion Clinic and chair of the Coalition to Strengthen America’s Healthcare, whose founding members include the AHA.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) April 5 released an advisory on the top 10 ransomware groups targeting the health care sector.

The AHA has been made aware of a validated IT help desk social engineering scheme that uses the stolen identity of revenue cycle employees or employees in other sensitive financial roles.

In this second of a two-part conversation, Providence’s Adam Zoller, chief information security officer, and Katie Adams, cybersecurity director of clinical technology services, discuss the potential cyberthreats posed by third-party medical devices, and strategies to keep third-parties open and transparent with organizations.

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology March 27 released for comment through May 28 a federal strategic plan for health information technology over the next five years.

In this first of a two-part conversation with experts from Providence, Adam Zoller, chief information security officer, and Katie Adams, cybersecurity director of clinical technology services, discuss the potential cyberthreats posed by third parties and prevention strategies to keep your protected systems secure.

The Department of Health and Human Services’ Administration for Strategic Preparedness and Response and Centers for Medicare & Medicaid Services this week released a guide to health plan resources for health care providers impacted by the Change Healthcare cyberattack, including health plan contact information, noting in an accompanying letter that many providers continue to face significant disruptions as a result of the cyberattack or difficulty getting information from health plans about prospective payments and other flexibilities.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency March 27 released a proposed rule implementing cyber incident and ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, intended to help the agency prevent cyberattacks and deploy assistance to victims.

U.S. and international cybersecurity authorities this week released additional guidance to help health care and other critical infrastructure leaders defend their networks from Volt Typhoon, a People’s Republic of China state-sponsored group that has been pre-positioning itself on U.S. networks to disrupt critical services in the event of increased geopolitical tensions or conflict with the U.S. and its allies.