Feds Wave Sticks & Carrots at Health Sector to Bolster Cyber

Proposed federal sticks and carrots to incentivize the health sector to implement stronger cybersecurity standards are already meeting opposition from some industry groups that say financial help is welcome but payment penalties for perceived laggards likely will do more harm than good.

See Also: The Convergence of Healthcare Innovation and Compliance

The Department of Health and Human Services’ recently released budget proposal for fiscal 2025 includes $1.3 billion in financial help, such as grants, for hospitals to invest in cybersecurity over the next several years.

But the budget proposal also includes financial penalties in the form of reduced payments to certain hospitals that fail to meet cybersecurity standards, starting in fiscal 2029.

“Many recent cyberattacks against hospitals and the healthcare system, including the current Change Healthcare cyberattack, have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks,” the American Hospital Association said about the proposals.

“Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks. The Administration’s budget proposal for hospitals is misguided, and it will not improve the overall cybersecurity posture of the healthcare sector,” the AHA said in a letter last week to members of Congress urging them to help hospitals contending with fallout from the Change Healthcare cyberattack.

In January, the U.S. Department of Health and Human Services released sets of “essential” and “enhanced” cybersecurity performance goals for healthcare entities to implement in the quest to improve the overall state of cybersecurity in sector.

HHS at the time said the goals were voluntary but admitted they could eventually be tied to potential financial rewards and penalties (see: HHS Details New Cyber Performance Goals for Health Sector).

The release on March 13 of HHS’ fiscal 2025 budget proposal offered a peek into how potential incentives for implementing the cybersecurity performance goals – and disincentives for failing to apply them – could play out.

HHS’ fiscal 2025 budget proposal calls for investing $800 million from the Medicare Hospital Insurance Trust Fund over fiscal years 2027 and 2028 in approximately 2,000 “high-need” hospitals to implement the HHS cybersecurity performance goals, or CPGs.

But beginning in fiscal 2029, new penalties would apply within the Promoting Interoperability program – formerly known as the Meaningful Use program – to provide “specific consequences” to hospitals that fail to adopt essential cybersecurity practices, HHS said.

“Hospitals that fail to adopt essential cybersecurity standards face penalties of up to 100% of the annual market basket increase, and beginning in fiscal 2031 potential additional penalties of up to 1% off the base payment, HHS said. Medicare “market basket increases” refer to a price index – or inflation – of goods and services in the healthcare sector.

“Critical Access Hospitals that fail to adopt the essential practices would incur an up to 1% payment reduction. But a Critical Access Hospital’s total penalty is capped at a total of 1% if it would otherwise incur higher total penalties due other elements of the Promoting Interoperability Program,” HHS said.

Some healthcare industry groups – including the AHA – say they generally support the concept of voluntary cybersecurity performance goals to bolster the healthcare sector – and financial resources to help achieve that – but they don’t think threats of financial penalties will move the needle much.

“The President’s budget request raises serious concerns as it diverts funds from the Medicare Health Insurance Trust Fund while failing to adequately address the substantial congressional funding required for hospitals to implement cybersecurity performance goals,” said Chelsea Arnone, director of federal affairs at the College of Healthcare Information Management Executives, a professional association of healthcare CIOs and CISOs.

“While CHIME supports the intent of the CPGs, the budget overlooks the true cost and the time our members need to implement them before being penalized financially,” she told Information Security Media Group.

“This approach disproportionately affects already under-resourced safety net providers, jeopardizing the care communities depend on. CHIME remains steadfast in advocating for equitable financial support to ensure no one is left behind in this critical endeavor,” Arnone said.

The AHA also “cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” the organization said in a letter last week to leaders of the House of Representatives Ways and Means Committee.

“Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks that can disrupt patient care and erode privacy by the loss of personal healthcare data,” the AHA told the lawmakers.

Meanwhile, as the Change Healthcare cyberattack continues to rock the U.S. healthcare ecosystem, Sen. Mark Warner, D-Va., last week introduced legislation that would potentially reward healthcare entities that implement HHS cybersecurity standards – if they suffer future financially disruptive cyber incidents.

Warner’s Health Care Cybersecurity Improvement Act of 2024 proposes to modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program by requiring HHS to determine if there is a need for advance or accelerated payments to hospitals due to a cyber incident affecting the entity’s cash flow.

The catch is that the entity first must have met minimum HHS cybersecurity standards (see: Nursing Home Declares Bankruptcy, Blames Recent Cyberattacks).

“The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so,” Warner said in a statement last week.

Privacy attorney David Holtzman of consulting firm HIT Privacy LLC said that whether entities like it or not, the U.S. government appears intent to make the healthcare sector take action to improve its cybersecurity state.

“HHS is sending strong signals that the Center for Medicare and Medicaid Services will begin the process of setting cyber standards this year,” he said. Although the HHS incentives are not slated to start for more than two years, theoretically, CMS might have the authority to adopt the penalties sooner, he said.

“They are set to propose to modify the existing Promoting Interoperability Program to add new requirements for adoption of the recently released CPGs,” he said.

Still, “HHS likely needs congressional authorization to spend Medicare Trust Funds dollars to fund the incentives for hospitals to invest in the adoption of cyber protections.”