Central Oregon Pathology Consultants has been in business for nearly 60 years, providing molecular testing and other diagnostic services east of the Cascade Mountains.
Practice manager Julie Tracewell said the practice went without payment for several months last winter, surviving on cash on hand. The squeeze came in the aftermath of the February hack of payments manager Change Healthcare, one of the most significant digital attacks in U.S. history.
COPC recently learned that Change has begun processing some of the approximately 20,000 claims outstanding as of July, but Tracewell said the practice does not know which ones. The patient payment portal remains down, meaning customers are unable to settle their accounts.
“It will be many months before we can calculate the total cost of this downtime,” she says.
Healthcare organizations are the most frequent targets of ransomware attacks: in 2023, the FBI says, 249 of them targeted healthcare organizations, the most of any sector.
And health officials, lawyers and Congressional officials are concerned that the federal response is underpowered, underfunded and overly focused on protecting hospitals, even as the Change hack proved that the weaknesses are widespread.
The Department of Health and Human Services’ “current approach to health care cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and leaves the health system vulnerable to criminals and foreign government hackers,” Sen. Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, wrote in a recent letter to the agency.
Mark Montgomery, senior director of the Cyber Technology Innovation Center at the Foundation for Defense of Democracies, said the funding doesn’t exist. “We’ve seen very incremental or almost zero efforts” to increase investment in security, he said.
This challenge is urgent. 2024 was the year of healthcare hacks. Hundreds of hospitals in the Southeast faced confusion after OneBlood, a nonprofit organization that provides donation services, fell victim to a ransomware attack, reducing their ability to obtain blood for transfusions.
Nate Couture, chief information security officer at the University of Vermont Health Network, which suffered a ransomware attack in 2020, said cyberattacks complicate routine and complex tasks alike. “You can’t visually mix a therapeutic cocktail,” he said, referring to cancer treatment, at an event held in Washington, D.C., in June.
In December, HHS released a cybersecurity strategy that aims to support the sector. Several proposals focus on hospitals, including carrot-and-stick programs that reward providers who adopt certain “required” security practices and penalize those who do not.
Even that narrow focus can take years to materialize. Under the department’s budget proposal, funds will begin to flow to hospitals with “high needs” in 2027.
Iliana Peters, a former executive attorney in the HHS Office of Civil Rights, said in an interview that focusing on hospitals is “not appropriate.” Peters said “the federal government needs to go further” and invest in the organizations that contract with suppliers.
Brian Mazanec, deputy director of the Department of Health’s Office of Strategic Preparedness and Response, said in an interview that the department’s interest in protecting the health and safety of patients “has put hospitals near the top of our list of priority partners.”
Responsibility for the nation’s healthcare cybersecurity is shared among three offices within two different government agencies. The Department of Health’s Office of Civil Rights plays a role similar to a police force, monitoring whether hospitals and other health organizations have adequate safeguards for patient privacy and imposing fines if they don’t.
The Department of Health’s Office of Preparedness and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency are helping build defenses, including requiring medical software developers to use auditing techniques to check their security.
Both of the latter are required to create a list of “systemically important organizations” whose work is essential to the smooth functioning of the health care system. Josh Corman, co-founder of the cyber advocacy group I Am the Cavalry, said in an interview that these organizations could receive special attention, including participation in government threat briefings.
When news of the Change hack broke, federal officials were working on a list, but Change Healthcare wasn’t on it, Jen Easterly, leader of the Department of Homeland Security’s Cybersecurity Agency, said at an event in March.
Nitin Natarajan, deputy director of the Cyber Security Bureau, told KFF Health News that the list is only a draft. The agency previously estimated that a sector-wide entity list would be completed in September last year.
The Health Department’s preparedness office is supposed to work with the Department of Homeland Security’s Cybersecurity Bureau and the Department of Health overall, but Congressional staffers said the office’s efforts are not going far enough. HHS has “silos of excellence” where “teams don’t talk to each other” and where it is not clear who should go to whom, Matt McMurray, chief of staff to Rep. Robin Kelly (D-Ill.), said in a June briefing.
Is the Health Department’s preparedness office an “appropriate hub for cybersecurity? I’m not sure,” he said.
Historically, the bureau focused on physical world disasters such as earthquakes, hurricanes, anthrax attacks, and pandemics. It took over cybersecurity when Trump-era department leadership seized more funding and authority, said Chris Meekins, who worked in the Trump administration’s preparedness office and is now an analyst at investment bank Raymond James.
But since then, the department has shown it is “not qualified to do that,” Meekins said. “There’s no money, no commitment, no expertise.”
Annie Fixler, director of FDD’s Center for Cyber Technology Innovation, said there are only “a handful” of employees in the readiness office who specialize in cybersecurity. Mazanec admits the numbers aren’t large, but he hopes the additional funding will lead to more jobs.
The agency was slow to respond to external feedback. When the industry’s cyber threat information center tried to collaborate with it to create an incident response process, the effort “took probably three years to identify people who could help,” said Jim Routh, board chairman at the time of the group, the Health Information Sharing and Analysis Center.
During the 2017 NotPetya attack (a hack that severely damaged hospitals and pharmaceutical company Merck), Health-ISAC ended up distributing information to its members itself, including how best to contain the attack, Routh said.
Advocates point to the Change hack (reportedly caused by a lack of multi-factor authentication, a technology all too familiar in U.S. workplaces) and argue that HHS needs to use mandates and incentives to get the health care sector to put better defense measures in place. A strategy released by the department in December proposed a relatively narrow list of health-sector targets, most of which are currently voluntary. Mazanec said the agency is “considering” creating “new enforceable” standards.
Much of the HHS strategy is expected to be rolled out in the coming months. The department has already requested additional funding. For example, the preparedness office is requesting an additional $12 million for cybersecurity. The Office of Civil Rights plans to release an updated version of its privacy and security rules even as its budget remains flat and its enforcement staff decreases.
“There are still significant challenges facing the entire industry,” Routh said. “I don’t think there’s anything on the horizon that will necessarily change that.”
KFF Health News is a national newsroom that produces in-depth journalism on health issues and is one of KFF’s core operating programs and an independent source of health policy research, polling, and journalism.