The recent cyberattack on billing and payment giant Change Healthcare revealed just how serious vulnerabilities are across the US healthcare system and alerted industry leaders and policymakers to the urgent need for better digital security.
Hospitals, health insurers, doctors’ clinics and others in the industry are increasingly the targets of major hacks, culminating in the Feb. 21 attack on Change, a unit of the giant UnitedHealth Group.
The ransomware attack on the nation’s largest clearinghouse, which handles a third of all patient records, had far-reaching effects. Fixes and workarounds have eased some of the discomfort, but providers still can’t collect billions of dollars in payments. Many smaller hospitals and medical offices are still struggling to pay more than a month after Change was first forced to shut down many of its systems.
Even now, little information about the exact nature and scope of the attack has been revealed. UnitedHealth said it had advanced more than $3 billion to troubled providers and expected more of Change’s services to be available in the coming weeks as it brought systems back online.
The FBI and the Department of Health and Human Services are investigating the Change breach, including whether patient records and personal information were compromised. Because Change’s network acts as a digital switchboard that connects information from a patient’s first visit to a doctor with a diagnosis such as cancer or depression and then subsequent treatment to a health insurer for benefits and payments, there is a risk that people’s medical histories could be exposed for years.
The attack on Change is just the most widespread example of what has become almost commonplace in the healthcare industry. Ransomware attacks, in which criminals shut down computer systems unless the owners pay the hackers, affected 46 hospital systems last year, up from 25 in 2022, according to data security firm Emsisoft. Hackers have also taken down companies that provide services like medical transcription and billing in recent years.
How big is the problem?
Cybersecurity consultants and government officials have consistently identified healthcare as the sector of the US economy most vulnerable to attack and as part of the nation’s critical infrastructure like energy and water.
“We should all be horrified,” said DJ Patil, chief technology officer at insurer Devoted Health and former chief data scientist at the federal Office of Policy Science and Technology. He and others have highlighted inadequate protections in US health systems, despite dramatic events such as the 2017 ransomware attack that locked up medical records at Britain’s National Health Service, leading to massive disruption for patients.
“The entire sector is very deficient in cybersecurity and information security,” said Errol Weiss, chief security officer for the Center for Health Information Sharing and Analysis, which he described as a virtual neighborhood watch for the industry.
The Change attack has drawn much more government attention to the problem. The White House and federal agencies have held several meetings with industry officials. Congressional lawmakers have also launched investigations, and senators subpoenaed UnitedHealth CEO Andrew Witty to testify this spring.
The financial sector has worked to identify and strengthen vulnerable areas to make it less susceptible to systemic attacks. But “healthcare hasn’t gone through a mapping exercise to understand” exactly where the main choke points at risk of hacks are, said Erik Decker, the chief information security officer for Intermountain Health, a major regional health system based in Salt Lake City.
“We have a lesson — we have to do it,” said Mr. Decker, who also serves as chairman of a private-sector task force on health care cybersecurity that advises the federal government.
Wall Street and the nation’s banking system had strong financial incentives to bolster their defenses because a hacker could steal their money, and the sector faces tougher government regulations.
Healthcare hacks can have deadly consequences.
Studies have shown that hospital mortality increases after an attack. Doctors are unable to look up past medical care, communicate notes to colleagues or check patients’ allergies, for example.
Scheduled surgeries are canceled and ambulances are sometimes rerouted to other hospitals, even in emergencies, because the cyberattack has disrupted electronic communications or medical records and other systems. The research suggests that the hacks have a cascading effect, reducing the quality of care at nearby hospitals that are forced to accept extra patients.
“Cybersecurity has become a patient safety issue,” said Steve Cagle, CEO of Clearwater, a healthcare compliance firm.
In some cases, hackers have made public sensitive patient health data. Lehigh Valley Health Network has refused to pay a ransom demanded by the same entity suspected of attacking Change Healthcare. The hackers then posted nude photos of breast cancer patients online, according to a lawsuit filed by one of the victims. Hundreds of patient photos were stolen.
Why is the healthcare industry a target?
Medical records can be worth many times more than a stolen credit card. And unlike a credit card, which can be canceled quickly, a person’s medical information cannot be changed.
“We can’t cancel your diagnosis and send you a new one,” said John Riggi, national cybersecurity and risk adviser for the American Hospital Association, a trade group.
But he also said the records have value “because it’s easy to commit health care fraud.” Health insurers, unlike banks, often do not use sophisticated methods to detect fraud, making it easy to submit false claims.
People concerned about stolen Social Security numbers and other financial information can sign up for a credit monitoring service, but patients have little recourse if their personal health information is stolen.
Hospital networks and other healthcare groups have also been quick to pay ransoms to try to limit exposure for patients, a decision that only rewards and encourages hackers. The FBI advises targets of ransomware attacks not to pay, but most hospitals do because the stakes are so high. In the case of Change Healthcare, the company is said to have paid a ransom of $22 million, Wired reports.
Why aren’t hospitals and doctors doing more?
Despite the risk, smaller hospitals and doctors’ offices often don’t have the money to pay for enhanced security measures or the expertise to examine serious threats.
And older technology is rarely compatible with the latest cybersecurity standards. A host of connected products and vendors leave digital side doors open, tempting hackers. Because hacks mostly targeted individual hospital systems before Change, the groups underestimated the risk.
Jacki Monson, Sutter Health senior vice president and chair of the National Committee on Health Vitals and Statistics, said, “People have to decide what to invest in, and cybersecurity isn’t usually at the top of the list.”
What is the government’s response?
The regulatory framework is also old and fragmented. Hospitals are allowed to choose from a range of security standards and there is no prior compliance check.
Digital security is divided among different offices within HHS, and much of the agency’s regulatory authority is still based on a 1996 law, written before the development of modern digital health systems or the rise of ransomware hacking. The government’s regulatory focus has been on privacy and compliance rather than strengthening against attacks.
Insurer data security regulation is even more dangerous, as health insurers are heavily regulated at the state level. Many vendors like Change, which provide digital services to hospitals but are not healthcare providers themselves, can also slip through regulatory loopholes, Ms. Monson said.
This may change. The Biden administration is asking HHS to ensure hospitals have adequate protections. The administration is also considering revisions to regulations on how health data is shared and may impose clearer rules on digital security measures for hospitals.
Sen. Ron Wyden of Oregon, the Democratic chairman of the Senate Finance Committee, has expressed interest in enacting tougher new rules.
“Today, there are no federally mandated cybersecurity technical standards for the health care industry, even though people have been talking about it for years, like decades,” he said during a recent presidential budget hearing. “I want to be clear: This has to change now.”
Updating systems across the board can be expensive, particularly for smaller organizations operating on tight budgets. When the government required hospitals to meet cybersecurity standards to create electronic health records 20 years ago, it combined strict rules with significant financial incentives.
The Biden administration initially requested $800 million to help improve hospital systems as part of its recent budget proposal. But it is unclear whether Congress will be able or willing to provide funding for the modernization today.
And some hospitals will continue to spend money on the latest MRI technology or more nurses rather than on stronger digital protections.
“Without additional resources to raise the bar, these health care providers and these health care payers will continue to make choices to pay for treatment or for cybersecurity,” said Iliana Peters, a former federal health official who specializes in data security and is now an attorney at Polsinelli, a law firm in Washington, DC.