Senate Bill Aims to Incentivize Cybersecurity in Healthcare Industry

Proposed federal legislation would accelerate Medicare payments to healthcare providers that have suffered a cyberattack, if they and their vendors meet minimum cybersecurity standards.

This bill, the “Health Care Cybersecurity Improvement Act of 2024,” was introduced Friday (March 22) by U.S. Sen. Mark R. Warner, D-Va., according to a Friday press release.

This legislation follows the ransomware attack on Change Healthcare that has left many providers in danger of becoming financially insolvent, according to the release.

“The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game,” Warner said in the release. “This legislation would provide some important financial incentives for providers and vendors to do so.”

The Centers for Medicare & Medicaid Services (CMS) enables advance payments from the federal government to Medicare Part A providers and Part B suppliers that face cash flow challenges due to specified circumstances that are beyond their control, the release said.

Warner’s bill would modify these programs by requiring the secretary of Health and Human Services to determine if the need for advanced payments results from a cyber incident; determine if the healthcare provider receiving the payments meets minimum cybersecurity standards; and, if the provider’s intermediary was the target of the incident, determine if that intermediary also meets the standards, per the release.

Only if the secretary determines those three things to be true will the provider receive the payments, according to the release.

“I’ve been sounding the alarm about cybersecurity in the health care sector for some time,” Warner said in the release. “It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide.”

Change Healthcare’s parent company, UnitedHealth Group (UHG), has spent the last month working to resume services at Change following a breach on Feb. 21 that disrupted the healthcare payment system around the country and prompted a federal investigation.

On March 10, the U.S. Department of Health and Human Services and the Department of Labor published an open letter urging UHG to take steps to help providers in the wake of the cyberattack.