Prescription for resilience: Health care needs financial sector-inspired regulation

In the early days after it was hit by a cyberattack on Feb. 21, Change Healthcare, one of the country’s largest claims and prescription processors, said it would be back online soon. Three weeks later, customers were still waiting — and Biden administration officials were calling its owner, the giant company UnitedHealth Group, to task, even as Medicare offered emergency funds to providers who hadn’t been paid. However the crisis plays out in the coming days, one thing is clear: The critical technology infrastructure of the U.S. health care system needs to be better protected from any future attack.

The fallout from the attack on Change Healthcare has been widespread, significantly hurting pharmacies, clinics, and providers. The disruption has significantly strained a sector already facing financial pressures.

And the attack spotlights a broader trend within health care: how vertical and horizontal integration, combined with the relentless push for digital transformation and cloud computing, have created a risky dependency on a handful of companies. The incident serves as a call for the health care industry not only to vastly strengthen its cyber-defenses but also for the establishment of a dedicated regulatory authority to oversee and enforce robust cybersecurity standards. Doing so is also crucial to protect patients’ health information — which remains at risk despite a ransom being paid. From 2005 until 2019, it is estimated that 250 million people were affected by health care data breaches. While Social Security numbers can be bought for $1 on the dark web and credit card numbers for $5, a single medical record can command $1,000.

But there is no need to reinvent the wheel. There is already a model: the financial sector’s strong regulatory frameworks, dedicated oversight, formalized stress testing, and redundant IT systems.

The contrast between the proactive and aggressive protective mechanisms in place in the financial services sector and the relative laxity in health care’s critical IT infrastructure is striking and unsustainable. Much of the strong (albeit imperfect) systems in place in the financial sector were born of prior crises.

In health care, systemic resilience can only be achieved through a comprehensive approach to risk management and the empowering of dedicated and actionable regulatory oversight. At present, the Office of the National Coordinator for Health Information Technology in the Department of Health and Human Services coordinates efforts to implement advanced health information technology, and the Health Information Sharing and Analysis Center works to foster stakeholder information sharing and collaboration around cybersecurity threats. But these organizations have relatively narrow scopes and don’t possess the enforcement and intervention authority seen in the financial sector.

In March 2023, HHS released a voluntary implementation guide to help health care organizations align their cybersecurity programs with the National Institute of Standards and Technology Cybersecurity Framework. At the time, Sen. Mark Warner (D-Va.), raised concern about the program’s voluntary nature that seems prescient in hindsight. “I look forward to continuing to work with cyber experts, health stakeholders, and officials in the Biden administration,” he said, “to determine which voluntary measures we need to start requiring to ensure patient safety.”

Congress will almost certainly hold hearings about the Change cyberattack. While such hearings rarely drive systemic change, the scale and implications of this incident demand a different approach. These hearings must be substantive, delving into the root causes of the attack and the industry’s vulnerabilities. More importantly, they should serve as a catalyst for the implementation of bold measures, such as the establishment of a dedicated regulatory authority and the adoption of rigorous cybersecurity standards. Only through comprehensive and action-oriented hearings can we hope to drive the necessary systemic change to protect our critical health care infrastructure.

Three steps need to be taken.

Dedicated oversight of critical health care infrastructure should be implemented through the creation of a new regulatory entity for the health care sector that would enforce rigorous cybersecurity standards, conduct audits, and oversee emergency response protocols for health tech stakeholders. This agency should be granted authority akin to the robust regulatory authority possessed by the Department of the Treasury, the Financial Stability Oversight Council, the Federal Reserve System, and the Securities and Exchange Commission in the financial sector. The new entity should mandate regular, third-party security audits and penetration testing that stages fake cyberattacks. All health care technology vendors that exceed a certain size or scope should be subject these measures. This agency must be empowered with authority to intervene swiftly, just as the Federal Deposit Insurance Corporation and the Federal Reserve Board do during banking crises.

Health care IT companies should be required to ‘stress test’ their preparedness against cyberattacks and system failures and buttress their defenses, just as the nation’s financial institutions do. Minimum requirements and best practices around data backup, disaster recovery, and business continuity planning should be created, implemented, and monitored. Information sharing across stakeholders is crucial, much like with the Financial Services Information Sharing and Analysis Center and the Financial and Banking Information Infrastructure Committee in the financial sector.

Post-incident investigations should be customary, akin to those conducted by the National Transportation Safety Board in the aviation industry. These investigations should be carried out by the proposed oversight entity or another designated body, with the aim of understanding the root causes of the incident, synthesizing all information, conducting thorough analysis, drawing conclusions, identifying probable causes, and making formal recommendations to prevent future occurrences. The findings and recommendations from these investigations should be made public and used to inform the development of new cybersecurity standards and best practices for the health care industry.

The cyberattack on Change Healthcare has exposed the urgent need to implement strong oversight of health care technology in the U.S. Prioritizing cybersecurity, protecting systems by building redundancy in vital functions and establishing proactive regulation with empowered authority are crucial steps. Now is the time to accelerate this work. The implementation of best practices related to cybersecurity cannot be optional for large vendors that dominate large sections of the health IT landscape.

This can be a balanced approach that continues to encourage technological advancement and systems integration while mitigating risks and possessing necessary controls. By adopting a regulatory and oversight model inspired by the financial sector, health care can emerge more resilient.

Jonathan R. Slotkin, M.D., is the associate chief medical informatics officer and vice chair of neurosurgery at Geisinger Health. David Vawdrey, Ph.D., is the chief data and informatics officer at Geisinger Health and associate professor of biomedical informatics at Columbia University.