TLDR:
- A cyberattack on a payment processor has crippled the U.S. health care system, leading to calls for urgent cybersecurity regulations.
- HHS has proposed voluntary standards and is working on mandatory rules, sparking resistance from industry groups.
Health care groups are resisting cybersecurity regulations following a ransomware attack on a payment processor that has severely impacted the U.S. health care system. The attack on Change Healthcare, a firm that handles a large portion of American patient records, has prompted calls for immediate cybersecurity regulations in the sector. Senator Ron Wyden has emphasized the systemic risk posed by large health care companies and urged stricter action. However, industry groups, such as the American Hospital Association, have pushed back against mandatory cybersecurity requirements, citing financial constraints and the complexity of attacks carried out by third-party vendors.
The Biden administration is planning to roll out proposed rule-making for minimum cybersecurity standards in the health care sector, but faces opposition from industry groups. The administration aims to establish basic cybersecurity principles to enhance the security posture of the industry. The ongoing debate surrounding cybersecurity regulations in the health care sector is complex, with experts highlighting the challenges faced by small and medium-sized entities in meeting cybersecurity standards.
The industry is grappling with the consolidation of companies and the devastating effects of cyberattacks, creating a pressing need for enhanced cybersecurity measures. While lawmakers like Sen. Mark Warner are pushing for legislation to incentivize providers and vendors to meet cybersecurity standards, various concerns remain regarding the feasibility and impact of mandatory regulations on the industry.