New bill would create payment incentives for the health sector to meet cyber standards

Sen. Mark Warner, shown here at a news conference on March 14, 2024, is looking to incentivize cybersecurity upgrades in the health care industry. Bill Clark/CQ-Roll Call, Inc via Getty Images

The measure, led by Sen. Mark Warner, D-Va., comes in the wake of a ransomware attack on UnitedHealth subsidiary Change Healthcare.

A bill introduced Friday would legally enable advanced and accelerated payments to be made to healthcare providers in the event of a cyber incident, so long as the providers and their vendors meet minimum cyber posture standards.

The measure from Senate Intelligence Committee Chair Mark Warner of Virginia was influenced by ongoing recovery efforts following a crippling ransomware attack on UnitedHealth subsidiary Change Healthcare, which has paralyzed prescription delivery services and caused other payment logjams at health centers.

The Health Care Cybersecurity Improvement Act would create an incentive for cash to keep flowing to providers during future cyber incidents, provided they meet baseline cybersecurity standards determined by the Secretary of Health and Human Services.

Specifically, the Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program would be modified to help providers better adapt to cash crunches brought on by cyber incidents. If a provider’s intermediary was targeted by a cyberattack, that intermediary must also meet minimum standards, according to the bill.

The law would take effect two years after enactment to give stakeholders time to adapt.

“I’ve been sounding the alarm about cybersecurity in the health care sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” Warner said in a written statement.

The Feb. 21 attack, carried out by the ALPHV/Blackcat hacking gang, has delayed prescription fillings and led to cash crunches at clinics and other facilities. The American Healthcare Association said that 94% of hospitals are signaling financial impact from the incident, with some providers losing upwards of $1 billion per day in revenues. Most, but not all, systems have been restored.

Officials have been working to roll out emergency financing plans that would accelerate payments to certain providers and suppliers experiencing shortfalls in funding. Nearly all claims are flowing again, which an HHS official earlier this week called “massive progress” compared to three weeks ago.

HHS’s civil rights office last Wednesday said it is probing UnitedHealth over how it complied with the Health Insurance Portability and Accountability Act, or HIPAA, which is meant to enforce safeguards for patients’ healthcare data.

The agency previously announced steps to enhance cybersecurity standards in existing programs. That includes potentially leveraging the major payer programs at HHS — Medicare and Medicaid — as well as authorities under HIPAA to enforce compliance. 

UnitedHealth CEO Andrew Witty is expected to testify before a Senate panel in the coming weeks, according to reports.