Press Releases
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, introduced the Health Care Cybersecurity Improvement Act of 2024, legislation that would allow for advance and accelerated payments to health care providers in the event of a cyber incident, as long as they and their vendors meet minimum cybersecurity standards. The legislation follows a ransomware attack on Change Healthcare that has paralyzed billing services for providers nationwide, leaving many in danger of becoming financially insolvent.
“I’ve been sounding the alarm about cybersecurity in the health care sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” said Sen. Warner. “The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”
In rare situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can face cash flow challenges due to specified circumstances beyond their control (for instance, during the COVID-19 pandemic.) Since the 1980s, the Centers for Medicare & Medicaid Services (CMS) has provided temporary financial relief to participants in these programs through Accelerated and Advance Payment (AAP) programs, during which these providers and suppliers receive advance payments from the federal government that are later recovered by withholding payment for subsequent claims.
The Health Care Cybersecurity Improvement Act of 2024 would modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program by:
- Requiring the Secretary to determine if the need for payments results from a cyber incident;
- If it does, requiring the health care provider receiving the payment to meet minimum cybersecurity standards, as determined by the Secretary, to be eligible; and
- If a provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards, as determined by the Secretary, for the provider to receive the payments.
These provisions would go into effect two years from the date of enactment. A copy of the bill text is available here.
In 2022, Sen. Warner authored “Cybersecurity is Patient Safety,” a policy options paper, outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. Since publishing, Sen. Warner has launched the Health Care Cybersecurity Working Group with a bipartisan group of colleagues to examine and propose potential legislative solutions to strengthen cybersecurity in the health care and public health sector.
###