AHA urges additional congressional action to help providers affected by Change Healthcare cyberattack; comments on HHS budget proposal on cybersecurity

Mar 13, 2024 - 02:59 PM
aha-medicaid-data-900x400

Congress should consider any statutory limitations that exist for an adequate response from the Centers for Medicare & Medicaid Services and Department of Health and Human Services to help hospitals and other providers minimize further fallout from the Change Healthcare cyberattack, AHA wrote March 13 in a letter to Senate Finance Committee leaders.

“The Administration has limited tools available, particularly because, unlike with COVID-19, the government is not operating under a declared Public Health Emergency and National Emergency,” AHA said. “While CMS has offered payments under the AAP [accelerated and advance payments], the agency only has authority to do so for limited time periods and amounts and with very high interest rates after repayments are due.”

AHA shared new data from a survey of hospitals and health systems describing the significant impact the cyberattack has had on direct patient care impact, including delays in authorizations for medically necessary care, as well as the significant and serious financial impact on their organizations.

“The staggering loss of revenue means that some hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services,” AHA wrote.

In the letter, which was sent ahead of a March 14 Senate Finance Committee hearing on HHS’ fiscal year 2025 budget proposal, AHA also commented on new penalties HHS proposes to implement on hospitals beginning in FY 2029 for not meeting what the Administration defines as essential cybersecurity practices.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” AHA wrote. “Many recent cyberattacks against hospitals and the health care system, including the current Change Healthcare cyberattack, have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

Related News Articles

Headline
2025 Cybersecurity Year in Review, Part Two: Mitigating Third-Party Risk, Ensuring Clinical Continuity and Addressing AI Risk
In part two of a recent blog, AHA National Advisor for Cybersecurity and Risk John Riggi and AHA Deputy National Advisor for Cybersecurity and Risk Scott Gee…
AHA Cyber Intel
2025 Cybersecurity Year in Review, Part Two: Mitigating Third-Party Risk, Ensuring Clinical Continuity and Addressing AI Risk
In part one of this blog, we reviewed the number of cyberattacks the health care field endured this year compared to last; provided an overview of the lessons…
Headline
CISA warns of vulnerability in F5 BIG-IP products
The Cybersecurity and Infrastructure Security Agency Oct. 15 released an emergency directive advising federal agencies to take stock of their F5 BIG-IP…
Headline
AHA blog: 2025 Cybersecurity Year in Review, Part One — Breaches and Defensive Measures
In part one of a new blog, John Riggi, AHA national advisor for cybersecurity and risk, and Scott Gee, AHA deputy national advisor for cybersecurity and risk,…
Perspective
Protecting Patients and Hospitals from Cyberattacks
Public
This week, the FBI issued an urgent warning to all users — including hospitals — of a critical security soft spot within Oracle’s E-Business Suite, stating “…
Headline
HSCC launches toolkit to strengthen essential health care services and prevent cyberattacks
The Health Sector Coordinating Council Oct. 7 released its Sector Mapping and Risk Toolkit, created to help health care providers and other organizations…