Senator Mark R. Warner (D-VA) presented new legislation that will approve advance and faster payments to healthcare companies in case of a cyberattack. The new legislation was prompted by the ransomware attack on Change Healthcare, which resulted in an outage for over 4 weeks. Because of the outage, doctors and hospitals could not process claims, bill patients, and verify medical insurance coverage. Many healthcare companies had trouble paying employees and purchasing supplies because of reimbursement delays. Some providers are prone to becoming financially bankrupt.
With the high number of cyberattacks on the healthcare industry recently, it is inevitable that a big attack can result in massive disruption to healthcare across the nation. Other damaging healthcare cyberattacks will likely continue in the future. The Health Care Cybersecurity Improvements Act of 2024 will help avoid major financial problems for healthcare organizations in the event of another attack.
Sen. Warner, co-chair of the Senate Cybersecurity Caucus and a Senate Finance Committee member, has been giving information regarding healthcare cybersecurity for a while. In 2022, he released a white paper that presented cybersecurity as an issue of patient safety. The Change Healthcare ransomware attack showed how a cyberattack can keep patients from getting prompt care and necessary medications. This legislation could offer necessary financial rewards for companies and vendors.
The Health Care Cybersecurity Improvements Act of 2024 will permit advance and faster payments to healthcare companies in case of a cybersecurity attack; nevertheless, they would just qualify if they and their suppliers satisfy minimum cybersecurity requirements. The proposed legislation by Sen. Warner didn’t mention any minimum cybersecurity requirements, since it will be the HHS Secretary who will determine those as is the case with HIPAA compliance.
Presently, in selected cases, Medicare Part A providers (including skilled nursing facilities, acute care hospitals, and other inpatient care services) and Part B suppliers (such as doctors, nonphysician professionals, medical equipment providers, and those who provide outpatient services) can encounter cash flow issues because of particular instances that are outside of their control, just like in the case of Change Healthcare ransomware attack. Temporary financial aid was provided by the Centers for Medicare and Medicaid Services (CMS) to Medicare Part A providers and Part B suppliers through the Accelerated and Advance Payment (AAP) programs. Advance payments are funded by the federal government, which are paid through withheld payments for claims later on.
The Health Care Cybersecurity Improvements Act of 2024 will revise the current Medicare Part B Advance Payment Program and the Medicare Hospital Accelerated Payment Program. When the legislation is approved, the HHS Secretary will decide whether the required payment is due to a cyberattack. If it is, the healthcare company needing the payment should satisfy minimum cybersecurity requirements, which is to be confirmed by the Secretary. For example, a healthcare company may need to carry out the necessary cybersecurity performance targets lately introduced by the HHS. When the company has put in place those minimum cybersecurity steps and the company’s intermediary is the target of the attack, the intermediary should also satisfy minimum cybersecurity requirements so that the company can collect the payments.
If approved, the act will be effective two years after the date of enactment. The healthcare providers will have adequate time to make sure they are compliant with the cybersecurity standards established by the HHS Secretary.