Sen. Wyden Urges HHS to Mandate Cybersecurity Defenses for Large Health Care Companies

Senator Ron Wyden (D-OR) has called on the Department of Health and Human Services (HHS) to enforce stronger cybersecurity practices for large health care organizations, citing a surge in cyberattacks and data breaches. In a pointed letter to HHS Secretary Xavier Becerra, Sen. Wyden criticized the agency’s current laissez-faire approach to cybersecurity regulation in the health care sector as “woefully inadequate,” leaving it vulnerable to cyber threats. 

Wyden highlighted the recent cyberattack on UnitedHealth’s Change Healthcare, where hackers gained access to the company’s network using a compromised username and password. He emphasized that basic cybersecurity measures could have prevented the devastating ransomware attack. This incident underscored the urgent need for federal regulators to impose mandatory cybersecurity standards to protect sensitive patient data and ensure the resilience of health care systems, Wyden argues. 

“The current voluntary guidelines are insufficient to protect against sophisticated cyber threats,” Wyden wrote. He urged HHS to follow the example of other federal regulators by mandating cybersecurity best practices necessary to safeguard the health care sector from further, easily preventable cyberattacks. 

Sen. Wyden’s call to action comes at a critical time, as cyberattacks on the health care sector have reached unprecedented levels. In 2022 alone, over 600 breaches affected nearly 42 million Americans, with the health care sector being the most common target of ransomware attacks among all critical infrastructure sectors. The impacts of these cyberattacks extend beyond data theft, often leading to delays in care, impaired access to medical records, and even higher mortality rates for patients.