Eric Geller reports:
As U.S. hospitals struggle to pay their employees amid a cyberattack that knocked out a major payment vendor, a powerful Democratic senator is seizing the moment to push for better security in the sorely vulnerable healthcare sector.
Sen. Mark Warner (D-VA) has introduced legislation that would require hospitals and their technology vendors to implement cybersecurity best practices before the government offers them any emergency payments. It’s a proposal that reflects his immense frustration with an industry that he says has consistently underinvested in vital digital defenses — negligence that burst into the spotlight in February when Change Healthcare, the largest medical claims processor in the U.S., shut down its systems after suffering a ransomware attack, cutting off payments to already cash-strapped hospitals and plunging the industry into crisis.
[…]
Warner’s legislation, the Health Care Cybersecurity Improvement Act, would require healthcare providers experiencing cash-flow problems due to a cyberattack to meet “minimum cybersecurity standards” before receiving emergency funds from the Centers for Medicare and Medicaid Services (CMS). If the cyberattack targeted one of the provider’s vendors, that vendor would also need to meet the minimum standards before the provider could receive funding.
The bill leaves it up to the HHS secretary to determine what constitutes minimum cyber standards. HHS recently published health-specific Cybersecurity Performance Goals based on broader guidance from the Cybersecurity and Infrastructure Security Agency (CISA).
Read more at The Record.