Capitol Insights Newsletter

Authors: Luke Schwartz, Matt Reiter, and Caroline Oliver

What happened in Congress this week?

On Thursday, February 29th, both chambers of Congress voted to advance a short-term Continuing Resolution (CR) that would extend funding for part of the government until March 8th and the rest until March 22nd. The intention of passing another CR is to buy lawmakers time to agree on terms regarding the 12 appropriations bills necessary to fund the government. Congress passed a “clean CR”, meaning that no policy riders, such as a Medicare payment fix, were included. We will now wait until March 8th to see if the rumored 1.75% conversion factor fix is included in the federal spending budget.

In other big news, after nearly 17 years as Republican Senate Leader, Senator Mitch McConnell (R-KY) announced he will step down from his leadership role in November. Despite stepping down as Leader, he will serve the remainder of his Senate term. Several Senators have already begun maneuvering to succeed McConnell. For example, less than 24 hours after the announcement, John Cornyn (R-TX) announced he would run for Senate Republican Leader. Expect others to declare their intent to run for the position in the coming weeks. Also, anticipate an endorsement from former President Trump to play a huge role in who ultimately succeeds McConnell as the GOP Senate leader.

On a more healthcare-related note, the House Energy and Commerce Subcommittee on Health held a hearing Thursday morning entitled “Legislative Proposals to Support Patients with Rare Diseases”. The hearing, held during “rare disease week” on Capitol Hill, considered 18 wide-ranging bills aimed at improving drug and treatment access for patients with rare diseases.

Lastly, President Biden will deliver his annual State of the Union address on Thursday, March 7th.

Change Healthcare Falls Victim to a Ransomware Cyberattack

On February 21, 2024, Optum announced that its subsidiary, Change Healthcare, was the victim of a massive cyberattack. Change Healthcare is one of the largest clearinghouses for medical claims. Clearinghouses such as Change Healthcare serve an essential role in the healthcare revenue cycle management (RCM) process. They ensure that medical claims include the necessary data, and that the data is in the correct format to be received by the payer. Most claims are submitted to commercial and government payers through a clearinghouse. Change Healthcare touches 1 in 3 patient records and processes 15 billion healthcare transactions every year.

Physician practices and hospitals were immediately advised to disconnect from Optum to limit further impact. While there was concern that the malicious actor could have access to all of UnitedHealth’s servers, Optum says it is confident that the attack was contained to Change Healthcare.

While initial reports said that the attack had been perpetrated by a foreign nation-state, UnitedHealth recently acknowledged that the Blackcat Ransomware Group is behind the attack.

The disruption to Change Healthcare has prevented providers from filing claims and pharmacies from processing prescriptions. UnitedHealth says it could be weeks before this situation is resolved.

Practices are attempting to enact workarounds to keep their doors open and continue serving patients. Many physician groups are already struggling financially as a result of this cyberattack because these workarounds take time to solidify. Providers who use this clearinghouse will continue to face revenue cycle disruptions until a workaround is established or Change Healthcare is reconnected.

Cyberattacks such as this have rapidly become the norm in healthcare. In 2023 there were 46 ransomware attacks on US hospitals, impacting 141 total hospitals, which caused system disruptions and loss of patient data. This is a growing problem that is only going to continue to get worse as cyber capabilities grow.

Various federal agencies play a role in strengthening the healthcare sector’s preparedness for cyberattacks. These agencies include the Cybersecurity and Infrastructure Security Agency (CISA), the HHS Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the State Department. However, these organizations focus on preventing, responding to, and recovering from attacks, and agencies such as the Federal Bureau of Investigation (FBI) sometimes help the compromised entity regain control of its systems. They generally do not provide resources or relief for those impacted by an attack, especially those indirectly impacted (such as the physician practices and hospitals that use Change Healthcare).

These agencies tend to be more effective at establishing guidelines designed to manage cybersecurity risk. For example, in mid-February the National Institute of Standards and Technology released a special publication linking NIST’s Cybersecurity Framework to the HIPAA Security Rule. NIST’s Cybersecurity Framework takes an industry-neutral approach to cybersecurity risk management, but directly linking it to the HIPAA Security Rule goes a step further, providing healthcare information technology staff with the guidance necessary to offer the best data security. This helps protect sensitive personal health information (PHI) while keeping hospitals and physician practices safe and operational.

The Change Healthcare cyberattack just marks the next chapter in cyberattacks on the healthcare sector. These kinds of attacks show no signs of slowing down, so healthcare organizations must take precautions to enhance their cybersecurity risk management.

Optum established a website to provide updates on the situation. UnitedHealth said it is establishing a financial relief program for impacted providers. We have not seen details of this program but will provide updates as we learn more. We are continuing to monitor activities taken by Congress and Federal agencies to respond to the cyberattack.

Top Stories in Healthcare Policy

The Commonwealth Fund 2024 Value of Medicare Survey published its findings last week on February 22nd. The survey measured utilization of services and compared experiences for beneficiaries of traditional Medicare and Medicare Advantage. Highlights include analyses of access to care, delays in care, and use of supplemental benefits.

The Biden administration announced this week that it has received $1.7 billion in commitments from healthcare stakeholders and local governments to support initiatives that promote nutrition and physical activity. These initiatives will address the administration’s goal to end hunger and reduce diet-related diseases by 2030.

The Alabama legislature passed bills on Thursday this week that will protect access to in vitro fertilization (IVF), while a vote on federal legislation that would do the same was blocked in the Senate on Wednesday, February 28th. Efforts to protect access to IVF come after the Alabama Supreme Court’s decision that frozen embryos can be considered children.

Many states are introducing legislation that would protect contract pharmacies in the 340B program and are facing backlash from the pharmaceutical industry. Arkansas and Louisiana have enacted laws, while 18 other states have introduced similar bills.

The Centers for Disease Control and Prevention recommends that individuals over the age of 65 receive another COVID-19 vaccination this spring. The recommendation was made by an independent panel of advisors and endorsed by CDC director, Mandy Cohen.

Northwell Health announced a merger with Nuvance Health on Wednesday, February 28th. The joining of the two systems will create a healthcare network with 28 hospitals across New York and Connecticut.

A Centers for Medicare and Medicaid Services report analyzing quality metrics during the COVID-19 pandemic determined that quality performance decreased significantly from prior improvements made from 2016 to 2019. These outcomes have negative implications for patient safety and health equity.

Top Stories on Cybersecurity & Privacy in the Health Sector

Below are top stories related to this week’s featured topic.

The Department of Justice (DOJ), Cybersecurity & Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint Cybersecurity Advisory (CSA) to distribute known indicators of compromise (IOCs) and observed tactics, techniques, and procedures (TTPs) associated with the Change Healthcare Cyberattack.

Less than a week after the cyberattack, the DOJ announced an antitrust probe into UnitedHealth, the owner of Change Healthcare.

The FTC is continuing its involvement in furthering health data security and privacy, especially with the rise of Artificial Intelligence (AI). FTC Chair Lina Khan is working to create better standards that would ban the use of sensitive health data for training AI models.

Earlier this year, HHS released “New Voluntary Performance Goals to Enhance Cybersecurity Across the Health Sector and Gateway for Cybersecurity Resources.” These performance goals will likely gain new attention in light of the cyberattack on Change Healthcare.

On Monday, February 26th, the National Institute of Standards and Technology (NIST) released the second iteration of its lauded Cybersecurity Framework. This framework, now applied across all industries (rather than solely focused on critical infrastructure as the initial iteration was), is arguably the premier standard for enhancing cybersecurity risk management. This can serve as a useful guide for hospitals and physician practices.

Next Wednesday, March 6th, the Federal Trade Commission (FTC) will host PrivacyCon 2024, where digital health privacy and security are on the agenda. This event will likely address the Change Healthcare cyberattack in some way.