On March 22, Senator Mark Warner (D-Va.) introduced new legislation that would give advance payments to healthcare providers stricken by cyberattacks, provided that the healthcare companies have implemented recommended cybersecurity measures.
The proposed new law follows the devastating cyberattack on Change Health in February and March when thousands of pharmacies couldn’t fill much-needed prescription medications for millions of Americans.
The Health Care Cybersecurity Improvement Act of 2024, would provide financial incentives to healthcare providers to invest more in cybersecurity. The act would modify an existing law that already gives organizations participating in Medicare and Medicaid advance and accelerated payments in the event of circumstances beyond their control, such as the COVID-19 pandemic.
Under the new law, the Secretary of Health and Human Services (HHS) would determine if the healthcare providers suffered losses due to a cyber attack that evaded security measures HHS recommended. If it did, the Secretary could authorize advance and accelerated payments to the providers.
Senator Warner, a long-time advocate for improved cybersecurity in the healthcare sector, said, “It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide…the recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game.”
Change Healthcare was able to bring its disrupted payment system back online on 14 March. Without the system in operation, thousands of pharmacies were unable to determine how much to charge customers with health insurance for their medications. Some pharmacies resorted to charging full price, a dramatic increase that many customers could not afford.
Now UnitedHealthcare Group (UHG), the parent company of Change Healthcare, is facing numerous lawsuits brought by pharmacies, including some on the verge of bankruptcy due to the month-long disruption. One proposed class-action lawsuit alleges that UHG and Change were negligent in providing cybersecurity protocols for their critical payment systems, which led to significant financial losses for healthcare providers.