Senate Finance Committee Chair Ron Wyden (D-OR) is urging HHS to take a stronger stance on healthcare companies’ cybersecurity practices as the healthcare system is still piecing together what happened with the ransomware attack on UnitedHealth’s Change Healthcare.
In a four-page letter sent to HHS Secretary Xavier Becerra on Wednesday, Wyden said the department isn’t doing enough to protect against cybersecurity incidents. Specifically, he said HHS should require companies to use multifactor authentication, something he said could have helped prevent the Change attack.
“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers,” Wyden wrote.
The letter follows UnitedHealthcare CEO Andrew Witty’s grilling before the Senate Finance Committee last month over the company’s response to the ransomware attack that paralyzed the healthcare system, leaving doctors without pay and patients without prescriptions.
Wyden is asking HHS to establish minimum cybersecurity standards for “systemically important entities,” including large healthcare systems, and to require them to meet resiliency requirements to test how well they can recover from attacks.
He also wrote that HHS should conduct periodic audits of healthcare systems and covered entities to measure how well they’re meeting cybersecurity requirements. The FDA in March published draft guidance on updated recommendations for the medical device industry on cybersecurity considerations, with suggestions on what to document for submissions.
Lastly, Wyden urged HHS to provide technical support for healthcare systems seeking to improve cybersecurity and suggested that HHS could enlist CMS’ Quality Improvement Organizations and Medicare Learning Network to do so.
HHS did not immediately return Endpoints News’ request for comment.