Senator Urges HHS to Mandate Health Care Organizations to Comply With Cybersecurity Standards

Senate Finance Committee Chair Ron Wyden, D-Ore., has urged the Department of Health and Human Services to do away with its approach of allowing “systemically important health care companies” to self-regulate cybersecurity practices and instead require the organizations to comply with new security rules.

Wyden asked the HHS to develop cybersecurity and resiliency standards, perform periodic audits and provide technical assistance to providers with insufficient cyber resources to avoid similar incidents that could impact health care operations and expose sensitive data to criminals and foreign spies, the Senate Committee on Finance said.

The senator made the call on the heels of a ransomware attack that targeted UnitedHealth Group’s subsidiary Change Healthcare. According to the Senate committee, UHG has yet to disclose details about the stolen data of Americans.

Recently, Wyden wrote a letter to the Federal Trade Commission and the Securities and Exchange Commission urging them to hold UHG accountable for its cybersecurity negligence.

In May, UHG CEO Andrew Witty revealed that the company was not using multifactor authentication at the time of the attack.