Federation of American Hospitals Comments on S. 4054 Health Care Cybersecurity Act of 2024

However, we have serious concerns regarding provisions in the Health Care Cybersecurity Improvement Act of 2024 (S. [...] 4054) and would welcome the opportunity to work with you to ensure that this effort to promote cybersecurity preserves access to care. [...] Protecting against cyberattacks that can disrupt care and put patients’ health care information at risk is a key priority for FAH and our member hospitals. According to the 2023 Department of Health and Human Services (HHS) Hospital Resiliency Landscape Analysis, hospitals and health systems implement robust cybersecurity protocols, including encryption mechanisms, consumption of threat int [...] Yet, despite these efforts, the Health Care Cybersecurity Improvement Act of 2024 (S. [...] 4054) would unnecessarily penalize hospitals and other providers as if they were to blame for a crime 1 United States Department of Health and Human Services. (n.d.). [...] Specifically, the Health Care Cybersecurity Improvement Act of 2024 (S. [...] 4054) would eliminate the ability of the Secretary of HHS to offer accelerated and advance payments to hospitals and other providers if they, or their third party “intermediary,” do not meet yet to be developed cyber standards. The inadvisability of this proposal is illuminated by the current cyberattack against Change Healthcare, which processes 15 billion claims totaling more than $1.5 tr [...] This continued financial strain underscores the need for HHS to have a rapid response mechanism that includes robust accelerated and advance payments. Despite this ongoing crisis, under the Health Care Cybersecurity Improvement Act of 2024 (S. [...] No organization, including federal agencies, has immunity from cyberattacks. Penalizing hospitals and other providers by barring them from accelerated or advance payments would diminish hospital resources needed to continue to treat patients and combat cyberattacks. We urge you to work with the hospital community to develop alternative solutions that would promote cybersecurity without pena [...] We would welcome the opportunity to discuss our views on cybersecurity policy and serve as a resource as you consider the best approach to promoting cybersecurity in health care.