The recent cyberattack on billing and payment behemoth Change Healthcare revealed how serious the vulnerabilities are across the US healthcare system and alerted industry leaders and policymakers to the urgent need for better digital security.
Hospitals, health insurers, medical clinics and others in the industry have increasingly been the target of major attacks, culminating in the attack on Change, a unit of giant UnitedHealth Group, on February 21.
The ransomware attack on the country's largest clearinghouse, which handles a third of all patient records, had widespread effects. Workarounds and stopgap measures have alleviated some difficulties, but providers are still unable to collect billions of dollars in payments. Many smaller hospitals and doctors' offices are still struggling to receive payments more than a month after Change was forced to shut down many of its systems.
Even now very little information has been revealed about the exact nature and extent of the attack. UnitedHealth said it had advanced more than $3 billion to struggling providers and expected to make more Change services available in the coming weeks as it brought the systems back online.
The FBI and the Department of Health and Human Services are investigating the Change hack, including whether patient records and personal information have been compromised. Because the Change network acts as a digital switchboard that connects information from a patient's first doctor visit with a diagnosis like cancer or depression and then subsequent treatment to a health insurer for benefits and payments, there is a risk of people's medical histories being exposed for years.
The attack on Change is just the most far-reaching example of what has become almost commonplace in the health care industry. Ransomware attacks, in which criminals lock up computer systems unless the owners pay the hackers, affected 46 hospital systems last year, up from 25 in 2022, according to data security company Emsisoft. Hackers have also taken down companies that provide services like medical transcription and billing in recent years.
How big is the problem?
Cybersecurity consultants and government officials have consistently identified health care as the sector of the U.S. economy most susceptible to attacks, and as important a part of the country's critical infrastructure as energy and water.
“We should all be terrified,” said DJ Patil, chief technology officer at insurance company Devoted Health and former chief data scientist at the federal Office of Science and Technology Policy. He and others emphasized the inadequate protections of U.S. health systems, despite dramatic events like the 2017 ransomware attack that locked up medical records at Britain's National Health Service, causing massive disruption for patients.
“The entire industry is under-resourced when it comes to cybersecurity and information security,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, which he described as a virtual neighborhood watch for the industry.
The Change attack has brought much more government attention to the problem. The White House and federal agencies have held several meetings with industry officials. Congressional lawmakers have also launched investigations, and senators have subpoenaed UnitedHealth CEO Andrew Witty to testify this spring.
The financial sector has worked to identify and strengthen vulnerable areas to make them less prone to systemic attacks. But “healthcare hasn't gone through a mapping exercise to understand” exactly where the biggest hotspots at risk of attack are, said Erik Decker, chief information security officer at Intermountain Health, a major regional health system based in Salt Lake City.
“We learned a lesson: We have to do that,” said Decker, who also serves as chair of a private sector working group on cybersecurity in healthcare that advises the federal government.
Wall Street and the country's banking system have had strong financial incentives to strengthen their defenses because a hacker could steal their money, and the sector faces stricter government regulation.
Attacks on healthcare can have deadly consequences.
Studies have shown that hospital mortality increases after an attack. Doctors cannot review past medical care, communicate notes to colleagues, or check patients' allergies, for example.
Scheduled surgeries are canceled and ambulances are sometimes diverted to other hospitals, even in emergency cases, because the cyberattack has disrupted electronic communications or medical records and other systems. Research suggests that hacks have a cascading effect, reducing the quality of care in nearby hospitals forced to accept additional patients.
“Cybersecurity has become a patient safety issue,” said Steve Cagle, CEO of Clearwater, a healthcare compliance company.
In some cases, hackers have made sensitive patient health data public. Lehigh Valley Health Network refused to pay a ransom demanded by the same group suspected of the Change Healthcare attack. The hackers then posted nude photos of patients receiving treatment for breast cancer online, according to a lawsuit filed by one of the victims. Hundreds of patient photographs were stolen.
Why is the healthcare industry a target?
Medical records can command several times the price that a stolen credit card fetches. And unlike a credit card, which can be canceled quickly, a person's medical information cannot be changed.
“We can't cancel your diagnosis and send you a new one,” said John Riggi, national cybersecurity and risk advisor for the American Hospital Association, a trade group.
But he also said the records had value “because it's easy to commit health care fraud.” Health insurers, unlike banks, often do not employ elaborate methods to detect fraud, making it easy to submit false claims.
People concerned about the theft of Social Security numbers and other financial information can sign up with a credit monitoring agency, but patients have little recourse if their personal health information is stolen.
Hospital networks and other healthcare groups have also been quick to pay ransoms to try to limit patient exposure, a decision that only rewards and encourages hackers. The FBI advises targets of ransomware attacks not to pay, but most hospitals do because the stakes are so high. In the case of Change Healthcare, the company is said to have paid a $22 million ransom, according to a report from Wired.
Why don't hospitals and doctors do more?
Despite the risk, smaller hospitals and doctors' offices often don't have the money to pay for enhanced security measures or the expertise to vet serious threats.
And older technology is rarely compatible with the latest cybersecurity standards; a hodgepodge of connected products and suppliers leaves digital back doors open, attracting hackers. Because the attacks had largely targeted individual hospital systems before Change was crippled, the groups underestimated their risk.
Jacki Monson, senior vice president of Sutter Health and chair of the National Committee on Vital and Health Statistics, said: “People have to decide what they are going to invest in and cybersecurity is not usually at the top of the list.”
What is the government's response?
The regulatory framework is also old and fragmented. Hospitals are allowed to select from a variety of security standards, and there is no audit of their compliance beforehand.
Digital security is divided among different offices within HHS, and much of the agency's regulatory power still relies on a 1996 law, written before the development of modern digital health systems or the rise of ransomware hacking. The government's regulatory emphasis has been on privacy and compliance rather than on hardening against attacks.
Insurers' data security regulation is even more patchy, as health insurers are largely regulated at the state level. Many companies like Change, which provide digital services to hospitals but are not healthcare providers themselves, can also slip through regulatory cracks, Monson said.
That may change. The Biden administration is calling on HHS to ensure hospitals have adequate protection. The administration is also considering revisions to regulations on how health data is shared, and may impose clearer rules on digital security measures for hospitals.
Sen. Ron Wyden of Oregon, Democratic chairman of the Senate Finance Committee, has expressed interest in establishing new, stricter rules.
“Today, there are no mandatory federal cybersecurity technical standards for the health care industry, even though people have been talking about it for years, sort of decades,” he said during a recent hearing on the president's budget. “I want to be clear: that must change now.”
Upgrading systems across the board can be expensive, especially for smaller organizations operating on tight budgets. When the government required hospitals to meet cybersecurity standards to establish electronic health records 20 years ago, it combined strict rules with significant financial incentives.
The Biden administration has requested an initial $800 million to help improve hospital systems as part of its recent budget proposal. But it's unclear whether Congress will be able or willing to provide funding for the modernization today.
And some hospitals will continue to spend money on the latest MRI technology or more nurses instead of strict digital protections.
“Without additional resources to raise the bar, healthcare providers and healthcare payers will continue to make decisions between paying for treatment or cybersecurity,” said Iliana Peters, a former federal health official specializing in data security who is now an attorney at Polsinelli, a law firm in Washington, D.C.