Congress shows concern for healthcare cyber attacks

With cyber attacks on the rise against healthcare organizations, Congress is starting to notice. Serious attacks have tripled since 2018, in some cases interrupting service and extracting ransom payments. Bipartisan legislation would give the Health and Human Services Department a specific task in helping prevent these attacks. For details, the Federal Drive with Tom Temin spoke with Rep. Abigail Spanberger (D-Va.).

Interview Transcript:  

Tom Temin Let’s talk about the health care cyber attack bill that would give a specific task to Health and Human Services inspector general, of all places. Tell us what you would have happen and what’s behind it.

Abigail Spanberger We are seeing ever-increasing and consistent cyber attacks on our health care system. Certainly, we saw that to be the case in the attack against Change Healthcare, which serves more than 152 million Americans. So we know that these attacks are growing more and more frequent, and more and more complex. And we need to ensure that the Department of Health and Human Services, which is the agency ultimately responsible for the privacy of Americans’ health care data, is equipped with the most up-to-date mitigation and response strategies, particularly as we see the health care sector continues to be such a prime target. We know that these attacks have been detrimental on patient care, including extended delays and disruption of care, being able to have appointments, being able to get prescriptions, that they’ve caused issues with insurance coverage or the inability to receive authorizations for the services or prescriptions. And so, ensuring that we are putting the inspector general in a place to evaluate whether current systems could be compromised or could expose patient data or could be strengthened, I think, is an important step forward.

Tom Temin This would apply to looking at federal systems for health care, but also the private sector.

Abigail Spanberger So this would be in terms of how we are setting standards for American patients’ healthcare data. And so recognizing that the standards related to how that data is maintained, but ensuring that HHS is ultimately part of a larger conversation, certainly there’s much that needs to be done in private industry. As a member of the Intelligence Committee as well, I’ve been engaged on this topic just recognizing, we were talking about this issue just two days ago with Director [Christopher] Wray of FBI. So when the event happens, then it becomes a kind of a follow-up law enforcement issue. But our effort is one of many complementary efforts to try and prevent these types of attacks from even happening or being able to occur based on strengthened levels of cybersecurity that we should and want to see.

Tom Temin It’s also fair to say that HHS pays for so much health care delivered by the private sector in the first place.

Abigail Spanberger That’s right. And as the one acting on behalf of so many American patients across the country, they have a substantial role to play in this endeavor.

Tom Temin So this bill would have the IG ride herd on HHS, which is supposed to ride herd on the safety of the industry, to put it simply.

Abigail Spanberger To put it simply. Yeah, that’s a pretty good way to clarify it.

Tom Temin Now, there’s also something called the Cyber Incident Reporting of Critical Infrastructure Acts (CIRCIA). And there’s a giant 400-page rulemaking underway in CISA for incident reporting by all critical infrastructure entities. Is there some way of tying this all together?

Abigail Spanberger Certainly. And ultimately recognizing that an attack on the electric grid, water systems or our health care system, while they might seem kind of outwardly very different, the idea that a hospital wouldn’t be able to put billing through or the reality that prescriptions, lifesaving prescriptions, wouldn’t even be able to be dispensed. This is an element of our nation’s infrastructure that, in this case, the health care infrastructure that is quite vulnerable. And certainly we’ve seen it locally with doctors’ offices not being able to take patients or arrange appointments or be able to bill. There’s been an issue related to the ability to prescribe prescriptions or distribute prescriptions. And these are realities that are impeding the American system of health care because of these nefarious acts to try and either extract payments from the system that they’ve shut down or steal very, very personal data related to American citizens.

Tom Temin And you’ve got bipartisan support. And there’s also a Senate counterpart.

Abigail Spanberger That’s correct. And really, looking into the longer term, I’m really proud to be backing bipartisan legislation to create two new federal training programs so that the U.S. and our cyber defenses and our cybersecurity workforce is strengthened. And so we’ve got an effort to build up a cybersecurity apprenticeship program under the Cybersecurity and Infrastructure Security Agency, also a pilot program within the Department of Veterans Affairs to basically specifically recruit veterans who want to transition from their military service into the civilian workforce into a cybersecurity role. So these are efforts to really increase access to national security focus federal jobs, ensure workforce training that’s relevant and vital to protecting both our infrastructure and our data. And in the case of the VA-related program, helping with that transition out of the military for veterans who have had a skill set related to this new career that we’ll hope that they’ll pursue.

Tom Temin And how does this bill envision the apprenticeship program working? I’m thinking to become an engraver, for example, at Bureau of Engraving and Printing. That’s a 7- or 10-year apprenticeship program.

Abigail Spanberger Well, so the bill doesn’t prescribe the full details of what it takes to do the on-the-job training. But recognizing that having someone at CISA learning the skill set. And this is where I’ll give a hat tip to so many of the community colleges and certification programs that exist throughout Virginia who’ve recognized this need, who have frequently served federal agencies where someone might have a background in computer science or maybe some years ago they studied engineering or didn’t pursue a four-year degree. But this specialty offering add-on certifications and offering additional training is something that’s certainly been happening for quite some time in Virginia. And so it’s recognizing that the goal would be to ensure that in addition to training, in addition to certification and kind of theoretical piece of it, that we have on-the-ground apprenticeship programs specific to the needs of our federal agencies.

Tom Temin Because agencies do have direct hiring authority and there are some special salary availabilities for the agency. So they’ve got some tools now to get cyber people in.

Abigail Spanberger That’s right. And making sure that they’re using them and able to have those folks in those apprenticeship programs is an important one.

Tom Temin And just while we have you briefly, there is a bill you’re also backing, Enhancing Improper Payment Accountability Act, because we’ve seen this breathtaking level of fraud happening in the still-going pandemic programs. Why they haven’t pinched those off, I don’t know. But the money’s still going out.

Abigail Spanberger Yeah. And just to give the kind of context and numbers to that. In FY 23, the Government Accountability Office (GAO) reported that federal agencies had disbursed an estimated $236 billion in improper payments. And so what our bill would do is just recognizing that these things happen whatever the costs, like there’s various different causes. We want to make sure that there are reporting requirements that would, at a point in time as bills and payments are going out, or excuse me, as payments are going out, that we can take a step forward in preventing potential waste or fraud or abuse by requiring more comprehensive reporting requirements for new federal spending that would exceed $100 million in annual payments. And this legislation would also make sure that programs are compliant with current reporting standards, because we do have current reporting standards. But to ensure compliance to current reporting standards and to provide both Congress and federal agencies the ability to really detect and prevent waste, triggering those additional reporting requirements at the $100 million mark is an important step forward.

Tom Temin And of course, if you prevent, then you don’t have to report. And on that matter, the IG of Justice Michael Horowitz, also the luminary of [Pandemic Response Accountability Committee (PRAC)] and of the [Centre for International Governance Innovation (CIGI)], he has called for Congress to preserve the Pandemic Response Accountability Committee apparatus for general use across the government and the mechanisms and the technology they’ve built for detecting fraud before it happens. That came a little late for the pandemic response itself. Would you support a bill to preserve that after the sunset of the PRAC?

Abigail Spanberger Yeah, in principle, absolutely. And I think, to the point you just made, we learned a variety of things, which is detecting the fraud, waste and abuse after it’s occurred puts you in a responsive mode. But we also learned, I think, some lessons from the way that dollars were distributed quickly and under the parameters that they were distributed. What are some of the potential triggers that should alert to potential cases of fraud or wasteful payments? And we should be learning from every opportunity that we have to prevent any possible circumstances. Again, whether it’s nefarious and intentional fraud or whether it’s waste that occurs because of negligence. In either case, it’s taxpayer dollars that are not going towards a program or a purpose that would be helpful to the American people. And so, any steps forward we can take. And this is not about creating sort of onerous reporting requirements, this is about really ensuring that there’s a point-in-time oversight, and that we have seen the sort of trends where this, and I gave the number earlier, like we have seen the point in time where there’s $236 billion in improper payments. That didn’t happen in a day, that didn’t happen in one payment. And so, just to require along the way for those large-scale, in excess of $100 million, that we really ensure that the reporting requirements are clear, are present, and can be used as not just triggers for detecting improper payments or fraud, but also when there’s greater oversight. That should be helpful and beneficial in avoiding it in the first place.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
