Tensions ran high between the two leaders of the Senate Health, Education, Labor & Pensions (HELP) Committee at a committee hearing Wednesday.
The hearing was entitled “Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy,” but Sen. Bernie Sanders (I-Vt.), the committee’s ranking member, said that although cybersecurity in healthcare is an important issue, that’s not what he would be speaking with witnesses about.
“What people are worried about is the catastrophic impact that the reconciliation bill that was passed last week will have on the health and well-being of the American people, and that is the issue I’m going to be focusing on today,” he said. Sanders went on to list some of the negative healthcare effects of the bill, which was signed into law by President Trump on July 4.
Sanders’ remarks did not sit well with HELP Committee chairman Sen. Bill Cassidy, MD (R-La.). “This hearing is about cybersecurity, and I hope our witnesses will limit their remarks to that,” Cassidy said. “If not, we will suffer through them.”
The acrimony between Cassidy and Sanders continued throughout the hearing, including when Sanders cited a report from the American Health Care Association (AHCA), a nursing home trade group, which estimated that 27% of nursing homes will have to close their doors as a result of the budget cuts in the reconciliation law.
“Well, among the half-truths being promulgated, the nursing homes are carved out of this legislation, so I’m not sure how they’re going to be affected,” Cassidy responded. Cassidy also ended the hearing abruptly before Sanders could enter into the record a copy of the AHCA report.
Asked to respond to Cassidy’s assertion, a spokesman for Sanders said in an email that the law does exempt nursing homes from a provision involving a provider tax, but “the bottom line is that historic cuts to Medicaid will force states to either cut eligibility, cut benefits, or cut payment rates and those cuts will absolutely hurt nursing homes. Exempting nursing homes from half of one section isn’t ‘exempting them from the bill.'”
Although three of the five witnesses at the Wednesday hearing had a direct connection to the cybersecurity issue, at least one of the two others — presumably chosen to appear by the committee Democrats — did not.
Alison Galvani, PhD, professor of epidemiology at the Yale School of Public Health, discussed her research group’s findings regarding the public health effects of the reconciliation measure, highlighting the finding that 51,000 Americans will die unnecessarily each year because of the lack of healthcare access caused by the funding cuts included in the law.
Another witness, Robert Weissman, president of the consumer group Public Citizen, also warned of the potential effects of the reconciliation law, saying it “will cost healthcare coverage for 17 million Americans … [That] means people will be sicker than they need to be … It means they will not get treatment when they need it. It means when they do go to get treatment, they will pay more than they should, and it means ultimately that many will die needlessly.”
Weissman had opened his remarks by discussing threats to cybersecurity from the collection of data by large corporations as well as from the actions of the Trump administration’s Department of Government Efficiency, which “has gained access to at least 19 datasets inside of HHS and is combining them, perhaps also with external databases, in ways that are unknown, for purposes that are unknown, where protections are uncertain.”
Other speakers spoke to the challenges of staffing and lack of basic standards of privacy for health information technology (IT).
Linda Stevenson, MBA, chief information officer at Fisher-Titus Medical Center in Norwalk, Ohio, outlined the difficulty that her medical center has in recruiting cybersecurity professionals. “Recruiting and retaining qualified IT and cybersecurity professionals remains a challenge for small, rural, and under-resourced hospitals,” she said. “The shift to remote work has only exacerbated that cause, and we are competing for talent with much larger, better-resourced organizations across the country. Most rural hospitals cannot afford a full-time cyber security leader of any kind.”
She also expressed concern about vendor product security. “Managing the security of hundreds of external partners is resource-intensive for all hospitals, especially for rural healthcare providers,” said Stevenson. “It would be incredibly helpful if we had an approved list of vendor products that have already been vetted and that meet a baseline set of standards of privacy and security. This would … help under-resourced providers purchase third-party services with greater confidence.”
Sen. Josh Hawley (R-Mo.) asked Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council, what Congress should be doing for hospitals that can’t afford to hire a chief technology officer.
“Well, certainly we’ve talked about better incentives,” Garcia said. “When you think about CMS [the Centers for Medicare & Medicaid Services], can they tie some level of reimbursement to better cybersecurity practices? ‘You’re doing the right thing. You’re implementing the health industry cyber practices … We’re going to give you a little bit of a bump on your reimbursement.'”
René Quashie, vice president of digital health at the Consumer Technology Association, urged the lawmakers to consider adopting a federal data privacy standard. “Currently, 20 states have privacy laws,” he said. “For businesses, especially small businesses and startups, complying with that many laws stifles innovation and creates unnecessary barriers to entry.”
“Navigating conflicting or inconsistent requirements increases legal risk, drives up operational costs, and makes it harder to build uniform products and services that meet consumer expectations,” he continued. “For consumers, it makes little sense why one person located in one state might have differing rights than another in a different state, even if they’re using the same product. Ultimately, we need a uniform, risk-based, and innovation-friendly federal privacy law to achieve this balance.”
Before the cybersecurity hearing began, the HELP Committee held an executive session to vote on the nomination of Susan Monarez, PhD, as CDC director. The committee voted 12-11, along party lines, to send the nomination to the full Senate for a vote.
