The recent cyberattack on billing and payments behemoth Change Healthcare exposed the severity of security vulnerabilities across the U.S. healthcare system and alerted industry leaders and policymakers to the urgent need for stronger digital security.
Hospitals, health insurers, medical practices and other industry players are increasingly becoming targets of major hacking attacks, culminating in the February 21 attack on Change, a unit of the giant UnitedHealth Group.
The ransomware attack on the nation’s largest clearinghouse, which handles one-third of all patient records, had widespread effects. Fixes and workarounds have alleviated some problems, but providers are still unable to collect billions in payments. Many smaller hospitals and doctors’ offices are still struggling to get paid more than a month after Change was first forced to shut down much of its systems.
Even now, little or no information has been released about the precise nature and scope of the attack. UnitedHealth said it has advanced more than $3 billion to struggling entities and expects more Change services will be available in the coming weeks as it brings systems back online.
The FBI and the Department of Health and Human Services are investigating the Change hack, examining whether patient and private information was compromised. Because the Change network acts as a digital hub connecting information from a patient’s first medical visit to a diagnosis, such as cancer or depression, and then from treatment to the health insurer for benefits and payments, there is a risk that an individual’s medical history could be exposed for years.
The Change attack is simply the most far-reaching example of what is becoming commonplace in the healthcare industry. Ransomware attacks, in which criminals disable computer systems unless the owners pay the hackers, hit 46 hospital systems last year, according to data security firm Emsisoft, up from 25 in 2022. In recent years, hackers have also targeted firms that provide services such as medical transcription and billing.
How big is the issue?
Cybersecurity consultants and government officials consistently identify health care as the most vulnerable sector of the U.S. economy and as much a part of the nation’s critical infrastructure as energy and water.
“We should all be terrified,” said DJ Patil, chief technology officer at insurer Devoted Health and former chief data scientist at the federal Office of Science and Technology Policy. He and others have highlighted the insufficient protection of U.S. healthcare systems despite dramatic events such as the 2017 ransomware attack that locked up medical records in the UK’s National Health Service, causing massive disruption for patients.
“The entire sector is seriously underresourced when it comes to cybersecurity and information security,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, which he described as a virtual neighborhood watch for the industry.
The Change attack brought far more government attention to the issue. The White House and federal agencies held several meetings with industry officials. Congressional lawmakers also launched an investigation, and senators called UnitedHealth CEO Andrew Witty to testify this spring.
The financial sector has worked to identify and shore up the weak points that would leave it vulnerable to systemic attacks. However, “health care has not done any mapping to understand” where exactly the main chokepoints vulnerable to hacking are, said Erik Decker, chief information security officer at Intermountain Health, a major regional health system based in Salt Lake City.
“We’ve learned our lesson — we have to do it,” said Decker, who also chairs the private sector working group on cybersecurity in health care, which advises the federal government.
Wall Street and the nation’s banking system have had a robust financial incentive to shore up their defenses because a hacker could steal their money and the sector faces tougher government regulation.
Healthcare hacks can have deadly consequences.
Research has shown that hospital mortality increases in the wake of an attack. Doctors, for example, may be unable to review past medical care, share notes with colleagues, or check a patient’s allergies.
Scheduled surgeries are canceled and ambulances are sometimes diverted to other hospitals, even in emergencies, because the cyberattack disrupts electronic communications, medical records and other systems. Research suggests that hacks have a cascading effect, reducing the quality of care at nearby hospitals forced to accept additional patients.
“Cybersecurity has become a patient safety issue,” said Steve Cagle, CEO of Clearwater, a healthcare compliance company.
In some cases, hackers make sensitive patient health data public. Lehigh Valley Health Network refused to pay a ransom demanded by the same group suspected of attacking Change Healthcare. The hackers then posted nude photos of patients undergoing treatment for breast cancer on the internet, according to a lawsuit brought by one of the victims. Hundreds of patient photos were stolen.
Why is the healthcare industry being targeted?
Medical records can fetch many times the price of a stolen credit card. Unlike a credit card, which can be canceled quickly, medical information cannot be changed.
“We can’t cancel your diagnosis and send you a new one,” said John Riggi, national cybersecurity and risk adviser for the American Hospital Association, an industry group.
But he also said the records have value “because it’s easy to commit health care fraud.” Health insurers, unlike banks, often don’t use sophisticated fraud detection methods, which makes it easier to submit false claims.
People concerned about theft of Social Security numbers and other financial information can register with a credit monitoring agency, but patients have little recourse if their personal information is stolen.
Hospital chains and other healthcare groups have also been quick to pay ransoms in an attempt to limit patient exposure, a decision that only rewards and encourages hackers. The FBI recommends that targets of ransomware attacks not pay, but most hospitals do because the stakes are so high. Change Healthcare paid a ransom of $22 million, according to Wired.
Why don’t hospitals and doctors do more?
Despite the risks, smaller hospitals and doctors’ offices often don’t have the money to pay for stronger security measures or the expertise needed to investigate serious threats.
Older technology isn’t compatible with the latest cybersecurity standards, and a patchwork of connected products and vendors leaves digital doors open, inviting hackers. Because hacking attacks largely targeted individual hospital systems before Change was taken down, groups underestimated the systemic risks involved.
Jacki Monson, senior vice chairman of Sutter Health and chair of the National Committee on Vital and Health Statistics, said: “People need to decide what they are going to invest in, and cybersecurity is not usually at the top of the list.”
What is the government’s response?
The regulatory framework is also old and fragmented. Hospitals can choose from a range of security standards and are not subject to prior compliance review.
Digital security is divided among various HHS offices, and much of the agency’s regulatory authority is still based on the 1996 Act, written before the development of modern digital health systems or the advent of ransomware hacking attacks. The government has focused on protecting privacy and regulatory compliance rather than protecting against attacks.
Regulation of insurer data security is even more uneven because health insurers are largely regulated at the state level. Many vendors, such as Change, that provide digital services to hospitals but are not providers themselves can also slip through the regulatory cracks, Monson said.
This may change. The Biden administration is calling on HHS to ensure hospitals have adequate protection. The administration is also considering revisions to health data sharing regulations and could impose clearer rules on digital security measures for hospitals.
Sen. Ron Wyden of Oregon, the Democratic chairman of the Senate Finance Committee, has signaled interest in establishing new, tougher rules.
“There are currently no federal mandatory technical cybersecurity standards for the health care industry, even though people have been talking about it for centuries, maybe decades,” he said during a recent presidential budget hearing. “I want to be clear: this must change now.”
Keeping all your systems up to date can be costly, especially for smaller organizations operating on tight budgets. When the government required hospitals to meet cybersecurity standards to create electronic health records 20 years ago, it combined strict rules with serious financial incentives.
As part of its latest budget proposal, the Biden administration asked for an initial $800 million to improve hospital systems. However, it is unclear whether Congress will be able or willing to provide funds for modernization today.
Some hospitals will continue to spend money on the latest MRI technology or more nurses instead of rigorous digital security.
“Without additional resources to raise the bar, these health care providers and payers will continue to make choices about how they pay for treatment or about cybersecurity,” said Iliana Peters, a former federal health official specializing in data security and now an attorney at Polsinelli, a law firm in Washington.