Senate Finance Committee Chair Ron Wyden is urging HHS to mandate stronger cybersecurity measures for crucial healthcare companies in the wake of the ransomware attack on UnitedHealth Group's subsidiary Change Healthcare.
In a June 5 news release, Mr. Wyden criticized what he described as the current self-regulatory approach employed by HHS, arguing it is insufficient to safeguard patient information.
"HHS does not require companies, including UHG, to use multi-factor authentication (MFA) and other cybersecurity best practices," Mr. Wyden wrote.
Mr. Wyden called for HHS to immediately establish minimum technical cybersecurity and resiliency standards, regular audits, and technical assistance for low-resource providers.
"It is clear that HHS' current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the healthcare system vulnerable to criminals and foreign government hackers," Mr. Wyden wrote. "HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the healthcare sector from further, devastating, easily preventable cyberattacks."
Mr. Wyden's push comes after he wrote a letter to the Federal Trade Commission and the Securities and Exchange Commission urging the agencies to investigate UnitedHealth Group for what he termed "negligent" security practices, which he believes contributed to the Change Healthcare hack in February.