The American Hospital Association submitted a statement to the House Energy and Commerce Health Subcommittee raising its concerns about potential penalties for hospitals and health systems that do not meet cybersecurity standards outlined by the Biden administration.
President Biden's budget for 2025 suggests imposing fines on hospitals and health systems if they do not follow what the administration sees as essential cybersecurity practices. For example, starting in 2029, the administration plans to enforce important practices in hospitals. Those that do not meet these standards could lose up to 100% of their yearly payment increase. Starting in 2031, they might face extra penalties of up to 1% of their base payment.
Critical access hospitals could also see a payment reduction of up to 1%, with a maximum penalty limit, the AHA said in an April 17 news release.
"The now well-documented source of cybersecurity risk in the healthcare sector, including the Change Healthcare cyberattack, is from vulnerabilities in third-party technology, not hospitals' primary systems," the AHA wrote to the subcommittee. "No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks."
The AHA also said the cybersecurity proposal would penalize hospitals and "will not improve the overall cybersecurity posture of the healthcare sector."