Lawmakers expressed frustration about the months-long impact stemming from the cyberattack against Change Healthcare during a House subcommittee hearing on Tuesday, and raised concerns that increasing consolidation could make the sector more vulnerable.
Consolidation can create choke points for key services, strangling normal healthcare operations during an attack, lawmakers and witnesses said during the Energy and Commerce hearing. UnitedHealth Group, Change’s parent company, purchased the technology firm in 2022, following significant pushback from antitrust regulators.
The Change cyberattack has caused industry-wide disruptions, including delays in payments to providers.
“I do think that vertical integration in our healthcare system — supposed to save money — is actually going in the other direction,” said Rep. Larry Bucshon, R-Ind. “And we’re going to have to take a strong look at this.”
Legislators were also upset that UnitedHealth didn’t send a representative to the meeting, and one member encouraged the chair to subpoena the company.
“I'm disappointed that UnitedHealth Group chose not to make anyone available to testify today, so that the committee and the American people could hear directly from them about how the specific cyberattack occurred,” said Rep. Cathy McMorris Rodgers, R-Wash.
UnitedHealth briefed subcommittee members recently, and committed to testifying at a future hearing, Rodgers said. Although lawmakers have not released a hearing date, the Washington Post reported that CEO Andrew Witty will testify before the Senate Finance Committee on April 30.
Cyber risks from consolidation
UnitedHealth is no stranger to consolidation. The insurer already owns a number of assets across the healthcare sector, including a large pharmacy benefit manager, and it employs tens of thousands of physicians, said Rep. Buddy Carter, R-Ga. Its increasing reach has garnered scrutiny from antitrust agencies.
The Department of Justice originally sued to block UnitedHealth's acquisition of Change, arguing the purchase would give UnitedHealth access to technology its competitors needed and result in higher healthcare costs and lower quality.
But the government lost its case and a federal judge allowed the deal to close in 2022. Change now processes 15 billion healthcare claims annually and touches 1 in 3 patient records.
“I think the FTC [Federal Trade Commission] more than any other agency has failed the American people by allowing this vertical integration to happen,” Carter said. “It needs to be busted up.”
UnitedHealth is reportedly being investigated again by the DOJ, this time for the relationship between its insurance arm and health services business Optum, which includes doctor’s offices.
Outside of antitrust concerns, the government should assess if future mergers and acquisitions would create a point of failure with few redundancies in case of cyberattack, said Greg Garcia, executive director for cybersecurity at the Healthcare Sector Coordinating Council.
“If that finding is positive, then that should be very seriously taken into consideration as to whether to approve a merger or some kind of consolidation that could increase cyber risk,” he said.
Boosting healthcare cyber protections
Cyber threats are likely to continue, witnesses warned lawmakers Tuesday, and attacks can have serious consequences for hospital operations and patient care.
Cyberattacks against the healthcare sector have become increasingly common, with the HHS’ Office for Civil Rights reporting a 256% increase in large breaches involving hacking over the past five years.
If hospitals are attacked, providers may be unable to access critical technologies like imaging equipment, and they may need to divert ambulances to nearby facilities. That delay could be crucial in emergencies where time is of the essence, like care for stroke and trauma patients, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
The Biden administration has pushed for cybersecurity standards for hospitals, including allocating $1.3 billion over 10 years in an HHS budget proposal to help hospitals build up their defenses. Eventually, hospitals would also face penalties if they fail to adopt protections.
That might not be enough money to shore up hospital defenses, especially for smaller and rural providers who are most at risk, some witnesses said. But the funding is a good starting point to improve the industry’s cyber defenses, Garcia added.
Hospitals aren’t the only ones that should be held to increased standards either, as risk comes from third parties and vendors too, witnesses said.
“Cybersecurity should be a meaningfully shared responsibility. Of course, that's not how we operate, right? People always look at it as a way to offload their liability and protect the bottom line and so forth,” said Rep. John Sarbanes, D-Md. “Fair enough, if you’re a small, medium-sized player in a large ecosystem, but when you’ve got the kind of heft that we see here, there’s got to be a better allocation of responsibility and liability.”