Cybersecurity Breaches Have Impacted Patients’ Ability to Access Critical Medications 

WASHINGTON, D.C. – U.S. Senator Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, is urging the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize cybersecurity improvements and protect Americans from cyberattacks in the health care sector. On February 21, 2024, Change Healthcare encountered a ransomware attack that caused serious disruptions to their operations and prevented their ability to provide care to patients. In response to the attack, Change Healthcare shut down many of its systems, leading to patients being billed for previously covered medication and unable to access refills for prescriptions. In the letter, Peters calls on HHS and CISA to expand cybersecurity guidance for the health care sector and increase public outreach on the threat of ransomware attacks.   

“The recent cyberattack on a UnitedHealth Group subsidiary, Change Healthcare, has disrupted their ability to process medical claims, impacting millions of Americans trying to fill their prescriptions and access health care services,” wrote Senator Peters. “HHS should heavily encourage health care entities impacted by the attack to take advantage of available technical and financial resources and assistance from CISA, CMS, and other organizations.”  

Peters continued: “Public outreach and engagement are an important part of increasing cybersecurity across the health care sector. CISA and HHS in coordination should conduct a campaign to engage and inform health care entities and the public of cybersecurity best practices and resources available to them.”  

As Chairman of the Homeland Security and Governmental Affairs Committee, Peters has led efforts to strengthen our nation’s cybersecurity. In March 2023, Peters convened a hearing to examine cybersecurity threats facing the health care sector. The hearing examined current cybersecurity threats to hospitals and health care providers, and how the federal government is working to prevent breaches and protect patient care. In 2022, Peters’ landmark legislation was signed into law requiring critical infrastructure owners and operators, including those in the health care sector, to report if they experience a substantial cyberattack or if they make a ransomware payment.  

The text of the letter is copied below and available here.  

Dear Secretary Becerra and Director Easterly,     

We write to request that the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) prioritize protecting Americans from cyberattacks in the health care sector. The recent cyberattack on a UnitedHealth Group subsidiary, Change Healthcare, has disrupted their ability to process medical claims, impacting millions of Americans trying to fill their prescriptions and access health care services. Not only is this cyberattack impacting Americans domestically, but it has also disrupted access to health care on American military bases worldwide.     

As the sector risk management agency for the health care sector, HHS is a critical resource and regulator for the victims of this attack and the healthcare ecosystem at large. Therefore, we request that HHS expand its technical cybersecurity guidance and increase engagement with private sector entities in the 405(d) Program and Task Group efforts and call on the Administration for Strategic Preparedness and Response (ASPR) to include the operational resiliency of the health care sector’s platforms in the National Infrastructure Protection Plan. HHS should heavily encourage health care entities impacted by the attack to take advantage of available technical and financial resources and assistance from CISA, CMS, and other organizations.     

We recognize the significance of the released Healthcare and Public Health Sector-specific Cybersecurity Performance Goals as a first step by HHS and applaud the work that has gone into encouraging the health care sector to invest in cybersecurity. It is absolutely critical that HHS prioritize measuring the implementation of its goals and publish minimum cybersecurity requirements. These sector requirements and goals should be aimed at supporting the facilities most at risk of cyberattack and should be enforceable through available mechanisms like the Centers for Medicare & Medicaid Services (CMS) Conditions of Participation for consistently low-performing hospitals. Without rapid measurable improvements in cybersecurity across the health care sector, incidents like this one will continue to impact patient outcomes and lead to significant financial, administrative, and logistical costs for health care facilities.    

Public outreach and engagement are an important part of increasing cybersecurity across the health care sector. CISA and HHS in coordination should conduct a campaign to engage and inform health care entities and the public of cybersecurity best practices and resources available to them. This campaign should also highlight guidance and information on the threat of ransomware attacks to the health care industry. CISA should also make available additional resources to the health care community, including technical resources, to ensure that the health care ecosystem is better equipped to mitigate cybersecurity threats and rapidly improve their cybersecurity to prevent future incidents.    

We urge HHS and CISA to act expeditiously to ensure that these resources are provided to hospitals and health care systems, and to reduce the impact on patients and providers across the country.     

As HHS and CISA work to support recovery efforts after this attack, we request your responses to the questions below:   

• As the Sector Risk Management Agency, what are the next steps HHS is taking to prevent another cyber incident like this from occurring?  
• How is HHS measuring and encouraging the implementation of its sector-specific cybersecurity performance goals?   
• What assistance did HHS offer to the impacted entities in the health care sector? Is HHS monitoring for the effectiveness of this assistance?   
• What kind of assistance, both technical and non-technical, did CISA offer to HHS during the incident and in the weeks after the incident?   
• To what extent did CISA share information on cyber threats to the health care sector with HHS and health care entities in the several months prior to the attack? What information was shared during and after the incident?   
• How is HHS coordinating with CISA to receive and distribute threat indicators, warnings, and indicators of compromise across entities in the health care sector? How is HHS and CISA measuring usage of these messaging services in the health care sector?  
• What assistance is CISA offering to impacted entities in the health care sector and how is CISA ensuring that entities are aware of the assistance?    

###