The recent cyberattack on billing and payments giant Change Healthcare revealed how severe vulnerabilities are across the U.S. healthcare system and alerted industry leaders and policymakers to the urgent need for better digital security.
Hospitals, health insurers, medical clinics and other industry players have increasingly been the targets of significant cyberattacks, culminating in the assault on Change, a unit of the giant UnitedHealth Group, on February 21.
The ransomware attack on the country's largest clearinghouse, which handles a third of all medical records, has had widespread effects. Fixes and workarounds have alleviated some challenges, but vendors are still unable to collect billions of dollars in payments. Many smaller hospitals and medical practices are still struggling to get paid more than a month after Change was forced to shut down many of its systems.
Even now, very little information has been released about the exact nature and scope of the attack. UnitedHealth said it has advanced more than $3 billion to struggling providers and that it expects more of Change's services to be available in the coming weeks as systems come back online.
The FBI and the Department of Health and Human Services are investigating the Change hack, including whether patient data and personal information were compromised. Because Change's network serves as a digital switchboard, linking information from a patient's first doctor's visit to a diagnosis such as cancer or depression and on through subsequent treatment to a health insurer for benefits and payments, there is a risk that people's medical histories could remain exposed for years.
The attack on Change is just the broadest example of what has become almost commonplace in healthcare. Ransomware attacks, in which criminals lock up computer systems and demand payment to restore them, hit 46 hospital systems last year, up from 25 in 2022, according to data security firm Emsisoft. Hackers have also taken down companies that provide services such as medical transcription and billing.
How big is the problem?
Cybersecurity consultants and government officials have consistently identified healthcare as the sector of the U.S. economy most susceptible to attack, and they count it as part of the nation's critical infrastructure alongside energy and water.
“We should all be terrified,” said DJ Patil, chief technology officer at the insurer Devoted Health and former chief data scientist at the federal Office of Science and Technology Policy. He and others have highlighted inadequate protections in U.S. healthcare systems, despite dramatic events such as the 2017 ransomware attack that locked up National Health Service medical records in Britain, causing huge disruption for patients.
“The entire industry is severely under-resourced when it comes to cybersecurity and information security,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, which he described as a virtual neighborhood watch for the industry.
The attack on Change has drawn much more government attention to the problem. The White House and federal agencies have held several meetings with industry officials. Congressional lawmakers have also launched investigations, and senators have subpoenaed UnitedHealth CEO Andrew Witty to testify this spring.
The financial sector has worked to identify and strengthen vulnerable areas to make them less prone to systemic attacks. But “health care hasn't been put through a mapping exercise to understand” exactly where the major chokepoints are at risk of hacking, said Erik Decker, chief cybersecurity officer at Intermountain Health, a major regional health system based in Salt Lake City.
“We learned a lesson: We have to do this,” said Decker, who is also chair of a private sector working group on cybersecurity in health care that advises the federal government.
Wall Street and the nation's banking system have had strong financial incentives to shore up their defenses because a hacker could steal their money, and the industry faces tougher government regulation.
Healthcare hacks can have deadly consequences.
Studies have shown that hospital mortality increases following an attack. Doctors, for example, are unable to review past medical treatments, communicate notes to colleagues, or check patients' allergies.
Scheduled surgeries are canceled, and ambulances are sometimes diverted to other hospitals even in emergencies because a cyberattack has disrupted electronic communications, medical records and other systems. Research suggests that the hacks have a cascading effect, lowering the quality of care at nearby hospitals forced to take on additional patients.
“Cybersecurity has become a patient safety issue,” said Steve Cagle, CEO of Clearwater, a healthcare compliance firm.
In some cases, hackers have made sensitive patient health data public. Lehigh Valley Health Network refused to pay the ransom demanded by the same entity suspected of the Change Healthcare attack. The hackers then posted nude photographs of patients being treated for breast cancer online, according to a lawsuit filed by one of the victims. Hundreds of patient photographs were stolen.
Why is the healthcare sector a target?
Medical records can fetch several times the price of a stolen credit card number. And unlike a credit card, which can be canceled quickly, a person's medical information cannot be changed.
“We can't erase your diagnosis and send you a new one,” said John Riggi, national cybersecurity and risk advisor for the American Hospital Association, a trade group.
But he also said the documents have value “because it is easy to commit health care fraud.” Health insurers, unlike banks, often do not use elaborate methods to detect fraud, making it easier for false claims to be submitted.
People concerned about the theft of Social Security numbers and other financial information can sign up with a credit monitoring agency, but patients have little recourse if their personal health information is stolen.
Hospital networks and other healthcare groups have also rushed to pay ransoms to try to limit patient exposure, a decision that only rewards and emboldens hackers. The FBI advises victims of ransomware attacks not to pay, but most hospitals do because the stakes are so high. In the case of Change Healthcare, the company paid a ransom of $22 million, Wired reported.
Why don't hospitals and doctors do more?
Despite the risk, smaller hospitals and medical practices often don't have the money to pay for enhanced security measures or the expertise to screen for serious threats.
And older technology is rarely compatible with the latest cybersecurity standards; a mishmash of connected products and vendors leaves digital doors open, attracting hackers. Because the hacks had largely targeted individual hospital systems before Change was hit, the groups underestimated the risk.
Jacki Monson, senior vice president at Sutter Health and chair of the National Committee on Vital and Health Statistics, said: “People have to decide what to invest in, and cybersecurity is usually not at the top of the list.”
What is the government's response?
The regulatory framework is also old and fragmented. Hospitals can choose from a range of security standards, and there is no prior compliance check.
Digital security is divided between several offices within HHS, and much of the agency's regulatory power still relies on a 1996 law, written before the development of modern digital health systems or the rise of ransomware hacking. The government's regulatory focus has been on privacy and compliance rather than fortification against attacks.
Regulation of insurer data security is even more spotty, as health insurers are largely regulated at the state level. Many vendors like Change, which provide digital services to hospitals but are not themselves healthcare providers, may also slip through the regulatory cracks, Ms. Monson said.
This could change. The Biden administration is calling on HHS to ensure hospitals have adequate protections. The administration is also considering revising rules on sharing health data and may impose clearer rules for digital security measures for hospitals.
Senator Ron Wyden of Oregon, the Democratic chairman of the Senate Finance Committee, has signaled interest in establishing tougher new rules.
“There are no mandated federal technical standards for cybersecurity for healthcare today, even though we've been talking about it for centuries, something like decades,” he said during a recent hearing on the president's budget. “I want to be clear: things need to change now.”
Updating systems at all levels can be expensive, particularly for smaller organizations operating on limited budgets. When the government required hospitals to meet cybersecurity standards to set up electronic health records 20 years ago, it paired strict rules with major financial incentives.
The Biden administration has asked for an initial $800 million to help improve hospital systems as part of its recent budget proposal. But it's unclear whether Congress will be able or willing to provide funding for modernization today.
And some hospitals will continue to spend money on the latest MRI technology or more nurses over rigorous digital protections.
“Without additional resources to raise the bar, health care providers and taxpayers will continue to choose whether to pay for care or for cybersecurity,” said Iliana Peters, a former federal health official specializing in data security who is now an attorney at Polsinelli, a law firm in Washington, DC.