Friday, May 17, 2024

Negotiating with health care hackers

Presented by The American Hospital Association: Delivered daily by 10 a.m., Pulse examines the latest news in health care politics and policy.

By Ben Leonard and Chelsea Cirruzzo


With Sophie Gardner

Driving The Day


When Change Healthcare was hacked, its owner, UnitedHealth Group, paid a $22 million ransom. | Adam Berry/Getty Images

YOU’VE BEEN HACKED. NOW WHAT? Health care companies are retaining help — often from Silicon Valley — to manage ransomware attacks.

The debilitating breaches at Change Healthcare, owned by UnitedHealth Group, in February and Ascension last month come as the Cybersecurity and Infrastructure Security Agency warns of a specific ransomware service targeting health care organizations — and have led cybersecurity experts to advise the sector on reducing risk.

UnitedHealth Group and Ascension hired cybersecurity firms — Mandiant, a subsidiary of Google; Palo Alto Networks’ Unit 42; and CYPFER — after the breaches. The ransomware experts declined to comment on their roles in negotiating for the companies. But Pulse spoke with ransom negotiators and cybersecurity experts about what happens when they’re called in to negotiate on behalf of a health care company.

Establishing the harm: Kurtis Minder, co-founder of GroupSense, a ransomware negotiator service that’s worked with pharmaceutical companies, said he starts by helping hacking victims understand the total cost of the breach — including human or patient harm.

The companies, he said, have to consider whether they should temporarily go offline to curb the financial or reputational impact.

Scott Bailey, a partner at N1 Discovery, which provides cybersecurity services and has negotiated ransomware attacks at health care systems in Michigan, said negotiators must then determine how much data has been stolen. Otherwise, they’re relying on the bad actors to tell them what they have.

Pay the ransom, or not? Paying the ransom is usually the only way to secure stolen information and restore access to encrypted systems, according to Minder and Bailey. Ransomware negotiators communicate with bad actors to hammer out how much they’re willing to pay.

“The data they stole is so highly sensitive and confidential that you’re willing to pay the ransom in hope that they’ll give it back and not destroy it or publish it,” Bailey said.

UnitedHealth Group CEO Andrew Witty told Congress earlier this month that the company paid a $22 million ransom to protect stolen patient data.

“Even the organizations that have great backup strategies end up having to pay because the restoration process would take so much time,” Minder said. “It is so complicated, and when you're talking about patient well-being, that puts an additional pressure on it. They can’t wait to see if their backup strategy is going to work.”

Federal help? While federal officials have gotten involved in the attacks on Ascension and Change Healthcare, Minder and Bailey said they’re limited to investigating what happened. “It’s not their job” to get companies back to operations, Bailey said.

Hospitals want federal officials to do more to tackle bad actors and have pushed back against HHS mandates, including establishing minimum cybersecurity standards for hospitals.

“Right now, a lot of these organizations have two options: They stop operating and, in health care, someone might die, or they pay the ransom,” Minder said.

WELCOME TO FRIDAY PULSE. The Department of Justice yesterday proposed reclassifying marijuana to a less restrictive category following an HHS recommendation. Send your tips, scoops and feedback to ccirruzzo@politico.com and bleonard@politico.com and follow along @ChelseaCirruzzo and @_BenLeonard_.

 


 
In Congress


Funding for health programs could take a hit in FY 2025, says Rep. Tom Cole. | Francis Chung/POLITICO

HEALTH FUNDING SLASH: Health appropriation bills in fiscal 2025 might be subject to “significant cuts” partly due to congressional limits, according to House Appropriations Committee Chair Tom Cole (R-Okla.).

On Thursday, Cole outlined the interim subcommittee allocations, which are the caps on spending for each appropriation bill. Nondefense programs are being cut by 6 percent, according to Cole, with health, labor, education, financial services and state foreign operations seeing the most significant cuts at 10 to 11 percent. Veterans Affairs, which includes veterans’ medical benefits, will be fully funded.

These amounts could change with the president’s budget requests and offsets by the Congressional Budget Office.

The interim funding for labor and health services is $184.5 billion. Funding for agricultural programs, which includes the Food and Drug Administration, is $25.8 billion.

HHS requested $130.7 billion in discretionary funding and $1.7 trillion in mandatory funding in its fiscal 2025 budget request.

 


 
 
Abortion

ABORTION AMENDMENT CERTIFIED FOR SD BALLOT — A proposal to amend South Dakota’s constitution to protect abortion access has received enough valid signatures to qualify for the November ballot, state election officials said Thursday.

The measure’s certification comes after a push by anti-abortion organizers in recent days to get people who signed the petition to formally withdraw their support. By Thursday, only 19 removal requests out of 54,281 submitted signatures had been filed with the secretary of state’s office.

“Today, the fight begins,” campaign chair Rick Weiland said in a statement. “We hope there can be a civil discussion about deeply held moral beliefs leading to a reasoned decision balancing the rights of us all.”

The proposal doesn’t have support from national abortion-rights groups, who’ve criticized the measure for not going far enough to restore access to the procedure. But its passage would restore access in a state where abortion has been illegal in almost all circumstances for nearly two years.

The measure takes a Roe-like approach to abortion by barring South Dakota from restricting abortion in the first trimester of pregnancy but allowing the state to regulate it “in ways that are reasonably related to the physical health of the pregnant woman” in the second trimester. It also allows the state to regulate or ban abortion after the fetus is viable, at around 24 weeks of pregnancy, unless it’s needed to save a mother’s life.

Anti-abortion advocates have promised to challenge the measure’s certification in the next 30 days.

Telehealth

TELEHEALTH MOVES FORWARD — A bill to extend eased telehealth rules in the Medicare program advanced out of the House Energy and Commerce Health Subcommittee yesterday, Ben reports.

The legislation is largely in line with a bill that the House Ways and Means Committee advanced unanimously last week. The telehealth rules, which were rolled back during the height of the pandemic, expire at year’s end, along with hospital-at-home waivers. Like the W&M bill, the E&C bill would extend those waivers for five years and use pharmacy benefit manager reform as a pay-for.

The two bills also have similar provisions to reduce fraud related to lab tests and durable medical equipment.

The differences: Unlike the W&M bill, the E&C bill would establish payment parity for federally qualified health centers and rural health clinics for in-person and virtual care. How much to pay for virtual care versus in-person care, including in those settings, will be a key question going forward.

Another difference between the two bills is that the E&C bill has a required modifier for billing for telehealth offered via a “telehealth virtual platform” and nonphysician providers.

 


 
Public Health

REINING IN THE MEASLES OUTBREAKS — Six of the eight measles outbreaks reported to the CDC this year have ended, according to a CDC spokesperson, Sophie reports.

And an outbreak at a migrant shelter in Chicago — which resulted in 57 cases — has also petered out.

The outbreak was contained after a massive vaccination effort by the Chicago Department of Public Health across the shelter, according to a new CDC report. In March, CDPH verified vaccine records for 784 residents and vaccinated 882 residents.

The CDC also came to the state to aid the response.

Why it matters: The threat of measles outbreaks has loomed over the CDC as vaccination skepticism soared after the height of the Covid-19 pandemic. Migrant shelters pose a particular risk as many residents might not be vaccinated or have records of vaccination. But the report shows that a large-scale vaccination campaign after the first positive case can work to stamp out the outbreak.

Even so: New measles cases are still popping up around the country, and they're up significantly in 2024. As of May 9, there have been 132 cases, the highest number in the U.S. since 2019. Measles cases are also on the rise globally.

 


 
 
AROUND THE AGENCIES

MOTION FOR STAY — The Florida attorney general and others have asked a Florida judge to issue a preliminary stay on an HHS rule to strengthen nondiscrimination protections for LGBTQ+ patients in health care services.

Background: Florida and some medical groups sued the Biden administration last week over the rule, which clarified that provision 1557 of the Affordable Care Act forbids providers from discriminating against patients based on their gender identity or sexuality. Florida has argued that the rule violates state law barring gender-affirming care for minors and forces providers to give this care.

The motion, filed late Wednesday, said that “plaintiffs are likely to succeed on the merits, will suffer imminent and irreparable injury absent temporary relief, and the balance of harms favors Plaintiffs.” The plaintiffs want the judge in the case to pause the rule from taking effect until the case is over.

 


 
Names in the News

Sophia Nilanont is joining the American Heart Association next week as global advocacy portfolio lead. She was previously at CVS Health.

John O’Brien is joining Manatt, Phelps & Phillips’ health care industry group as national adviser. He was previously with HHS and CMS.

WHAT WE'RE READING

The New York Times reports on the CDC warning of a resurgence in mpox.

Modern Healthcare reports on a California plan to redo its Medicaid program that leans heavily on nonprofit service providers.

 
