����������

The AHA June 6 participated in a Wall Street Journal Tech Live Cybersecurity event to discuss the historic Feb. 21 cyberattack on Change Healthcare.

Hospitals and health systems have their hands full coping with the scary reality of a ransomware attack, but there are also civil liability concerns that arise in the fallout of a health care cybercrime.

In response to the alarming rise of ransomware attacks, hospitals and health systems must stay vigilant by playing defense, having a mitigation plan and keeping lines of communication open with federal law enforcement.

The Department of Health and Human Services May 31 announced that hospitals and health systems can require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack Feb. 22.

The Department of Health and Human Services' Advanced Research Projects Agency for Health May 20 announced the launch of a $50 million cybersecurity program that would create tools for information technology teams in health care to enhance cybersecurity measures.

The Cybersecurity and Infrastructure Security Agency along with international agencies May 14 released guidance for high-risk nonprofit and other resource-constrained community organizations to assist in understanding and mitigating cyberthreats.

Hospitals and health systems nationwide saw a sizable increase in delayed or missing payments in first quarter 2024, according to a report released May 10 by Strata on health care performance trends.

The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center May 10 released a joint cybersecurity advisory to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the health care and public health sector.

The Department of Justice May 7 announced more than two dozen criminal charges against Dimitry Yuryevich Khoroshev, 31, of Voronezh, Russia, for his alleged role as the creator, developer and administrator of the LockBit ransomware group.

The AHA and other national hospital groups May 8 sent a letter to UnitedHealth Group, urging the organization to formally accept responsibility for issuing breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen.

The Cybersecurity and Infrastructure Security Agency May 3 extended the comment period to July 3 for the April 4 proposed rule that would implement cyber incident and ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

The Biden Administration April 30 released a memo announcing updated critical infrastructure protection requirements, which include the Cybersecurity & Infrastructure Security Agency acting as the National Coordinator for Security and Resilience.

The FBI, State Department and National Security Agency issued a warning about attempts by North Korean state-sponsored cyberthreat actors to exploit improperly configured domain-based message authentication, reporting and conformance record policies to conceal social engineering attempts.

Senate and House lawmakers May 1 grilled UnitedHealth Group CEO Andrew Witty about the continued fallout from the Feb. 22 cyberattack on Change Healthcare — the most significant and consequential cyberattack on the U.S. health care system in American history. 

“If you are asking yourself how a cyberattack on a single company could cause such massive damage, you are asking the right question,” an AHA advertorial in April 30's Washington Post, states. “The answer, however, is stunningly simple. Over the past several years, Change Healthcare’s corporate owner, UnitedHealth Group, has acquired so many companies and spread its tentacles so far throughout the healthcare system that it has become ‘too big to fail.’”

The AHA April 29 provided the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations an update regarding outstanding issues continuing to impact patients and hospitals following the Change Healthcare cyberattack, as well as additional actions for Congress and the Administration to consider related to the cybersecurity of the health care sector. 

The Department of Health and Human Services’ Office for Civil Rights April 19 launched a webpage answering HIPAA-related FAQs about the Change Healthcare cyberattack.

U.S.

In a statement submitted to the House Energy and Commerce Health Subcommittee for a hearing April 17 on President Biden’s fiscal year 2025 Health and Human Services’ budget request, AHA expressed concern about proposed new penalties for hospitals and health systems that do not meet what the Administration defines as essential cybersecurity practices.

Department of Health and Human Services Deputy Secretary Andrea Palm addressed AHA Annual Membership Meeting attendees about the Administration’s work to improve access to care and increase the number of people with health insurance, as well as the Change Healthcare cyberattack and what cybersecurity looks like in the future.