A recent cyberattack on billing and payment giant Change Healthcare reveals just how deep the vulnerabilities run across the U.S. health care system, prompting industry leaders and policymakers to call urgently for improved digital security.
Hospitals, health insurance companies, and clinics are increasingly being targeted by large-scale hacks, culminating in the February 21st attack on Change, a division of the giant UnitedHealth Group.
The ransomware attack on the country’s largest information clearinghouse, which handles a third of all patient records, had far-reaching effects. While fixes and workarounds have eased some of the pain, providers are still unable to collect billions of dollars in payments. More than a month after Change first forced many systems to shut down, many small hospitals and clinics are still struggling to make payroll.
To this day, little information has been disclosed about the exact nature and scope of the attack. UnitedHealth said it has donated more than $3 billion to struggling health care providers and expects more Change services to become available in the coming week as the system is brought back online.
The FBI and Department of Health and Human Services are investigating the Change hack, including whether patient records or personal information were compromised. Change’s network acts as a digital switchboard, connecting information from a patient’s initial visit, a diagnosis of cancer or depression, and subsequent treatment to health insurance companies for benefits and payments, so people’s medical histories stretching back many years are at risk of exposure.
The attack on Change is just the most widespread example of what has become commonplace in the healthcare industry. Last year, ransomware attacks, in which criminals shut down computer systems unless owners pay the hackers, affected 46 hospital systems. That number is up from 25 in 2022, according to data security firm Emsisoft. In recent years, hackers have also targeted companies that provide services such as medical transcription and billing.
How big is the problem?
Cybersecurity consultants and government officials have consistently noted that health care is the most vulnerable sector of the U.S. economy and is as much a part of the nation’s critical infrastructure as energy and water.
“We should all be afraid,” said DJ Patil, head of technology at insurer Devoted Health and former chief data scientist at the federal Office of Science and Technology Policy. He argued that despite dramatic events like the 2017 ransomware attack that locked British National Health Service medical records and caused massive patient disruption, the U.S. healthcare system remains poorly protected.
“There is a significant lack of resources across the industry when it comes to cybersecurity and information security,” said Errol Weiss, chief security officer at the Center for Healthcare Information Sharing and Analysis, an industry body that acts as a virtual watchdog.
The Change attack brought further government attention to the issue. The White House and federal agencies have held several meetings with industry stakeholders. Lawmakers have also launched an investigation, and senators subpoenaed UnitedHealth CEO Andrew Whitty to testify this spring.
The financial sector has been working to identify and harden areas of vulnerability to make them less susceptible to systemic attacks. But Eric Decker, chief information security officer at Intermountain Health, a major regional health system headquartered in Salt Lake City, said, “We haven’t done any mapping work to figure out exactly what exists.”
“We learned our lesson and we need to implement it,” Decker said. He also chairs the Private Sector Working Group on Healthcare Cybersecurity, which advises the federal government.
Wall Street and the nation’s banking system have strong economic incentives to tighten their defenses because hackers can steal funds, and the sector faces increased government regulation.
Medical hacking can have deadly consequences.
According to research, hospital mortality increases in the aftermath of an attack. For example, doctors can’t look up past treatment, relay notes to colleagues, or check patients for allergies.
Cyber attacks have disrupted electronic communications, medical records and other systems, causing scheduled surgeries to be canceled and even emergency ambulances to be diverted to other hospitals. Research shows that hacking has cascading effects, reducing the quality of healthcare at nearby hospitals that are forced to accept more patients.
“Cybersecurity has become a patient safety issue,” said Steve Cagle, CEO of healthcare compliance firm Clearwater.
In some cases, hackers may expose sensitive patient data. Lehigh Valley Health Network refused to pay a ransom demanded by the same group suspected in the Change Healthcare attack. According to a lawsuit brought by one of the victims, the hackers then posted nude photos online of patients undergoing treatment for breast cancer. Hundreds of patient photos were stolen.
Why is the healthcare industry a target?
Medical records can be worth several times more than a stolen credit card. And unlike credit cards, which can be canceled on the fly, personal medical information cannot be changed.
“You can’t cancel a diagnosis and send a new one,” said John Riggi, national advisor on cybersecurity and risk for the American Hospital Association, an industry group.
But he also said records are valuable because “health care fraud is easy to commit.” Unlike banks, health insurance companies often do not employ sophisticated methods to detect fraud, making it easy for false claims to be submitted.
People who worry about their Social Security number or other financial information being stolen can register with a credit monitoring agency, but patients have little recourse if their personal health information is stolen.
Hospital networks and other medical groups have also been quick to pay ransoms to limit harm to patients, a decision that only rewards and encourages hackers. Although the FBI advises targets of ransomware attacks not to pay, most hospitals do so because the risk is so high. In the case of Change Healthcare, the company allegedly paid a $22 million ransom, according to Wired.
Why aren’t hospitals and doctors doing more?
Despite the risks, small hospitals and clinics often lack the funds to pay for increased security measures or the expertise to investigate serious threats.
Additionally, older technology is rarely compatible with the latest cybersecurity standards. The mishmash of connected products and vendors leaves digital doors open, inviting hackers. Before Change was attacked, groups underestimated the risk because hacks had primarily targeted individual hospital systems.
“People have to decide what to invest in, and cybersecurity is typically on the list, but it will not be at the top of the list,” said Jackie Monson, senior vice president at Sutter Health and chair of the National Committee on Vital and Health Statistics.
What is the government’s response?
The regulatory framework is also outdated and fragmented. Hospitals can choose from a variety of security standards, but there are no upfront audits of compliance.
Digital security is divided among various bureaus within HHS, and much of the agency’s regulatory authority still relies on a 1996 law that predated the development of modern digital health systems and the rise of ransomware hacking. Government regulations are focused on privacy and compliance rather than hardening against attacks.
Regulation of data security for insurance companies is even more spotty, as health insurance companies are primarily regulated at the state level. Monson said many vendors like Change, which provide digital services to hospitals but are not themselves healthcare providers, could also slip through the cracks.
That may change. The Biden administration is asking HHS to ensure hospitals have adequate protections. The administration is also considering revising regulations on how health data is shared, which could impose clearer rules on hospitals’ digital security measures.
Sen. Ron Wyden of Oregon, the Democratic chairman of the Senate Finance Committee, has expressed interest in enacting new, tougher rules.
“Even though people have been talking about this for decades, there are no federally enforced technical cybersecurity standards for the healthcare industry,” he said during a recent hearing on the president’s budget. “Let me be clear: that needs to change now.”
Updating an entire system can be expensive, especially for small organizations with limited budgets. Two decades ago, when the government required hospitals to meet cybersecurity standards to set up electronic health records, it combined strict rules with large financial incentives.
The Biden administration initially requested $800 million to help improve the hospital system as part of its recent budget proposal. But it is unclear today whether Congress is able or willing to provide funding for modernization.
And some hospitals will continue to invest in the latest MRI technology and more nurses rather than strict digital protection.
“Without additional resources to raise standards, health care providers and payers will continue to choose between the cost of care and the cost of cybersecurity,” said Iliana Peters, a former federal health official and data security lawyer at Polsinelli, a law firm in Washington, D.C.