Two major American health care firms were recently hit by ransomware attacks, causing disruptions in patient care and highlighting vulnerabilities in the US health care system's defenses against hackers.
Federal officials and private cyber experts worked quickly to minimize the impact of the attacks and restore computer systems. However, the widespread consequences of the hacks, including ambulances being redirected and pharmacies struggling to process insurance claims, have raised concerns among US lawmakers, senior Biden administration officials, and policy experts. It has become evident that the health care system is not adequately prepared for the aftermath of a cyberattack and requires new security regulations. Some experts note that the health care industry falls behind other sectors, such as financial institutions and energy providers, in terms of IT security measures.
Joshua Corman, a cybersecurity expert with a focus on the health sector, shared with CNN that the industry has long pushed for voluntary cybersecurity measures.
Senator Ron Wyden, a Democrat from Oregon and chair of the finance committee, emphasized the importance of mandatory cybersecurity standards in the healthcare sector. He stressed the need for these standards, especially for the largest companies that millions of patients rely on for their care and medication.
The senator warned that without action, hackers will continue to compromise patients' access to care and personal health information.
According to cybersecurity firm Emsisoft, in 2023, 46 hospital systems in the US, totaling 141 hospitals, were affected by ransomware. This is an increase from 25 hospital systems impacted in 2022.
Two ransomware attacks targeted different parts of the health care system. In February, cybercriminals accessed an unsecured computer server used by Change Healthcare, a major insurance billing company processing 15 billion health care transactions yearly. This attack disrupted revenue flow for health care providers, caused service delays at pharmacies nationwide, and potentially exposed the personal data of millions of Americans.
In early May, a separate ransomware attack targeted Ascension, a nonprofit network based in St. Louis with 140 hospitals and 40 senior living facilities in 19 states. This cyberattack led to the diversion of ambulances from certain hospitals within the health network.
The Biden administration is getting ready to establish minimum cybersecurity requirements for US hospitals, as confirmed by senior White House cyber official Anne Neuberger. The specific details of this proposal are still being worked out. However, the American Hospital Association, which represents hospitals nationwide, is against the proposal. They believe it would only further harm victims of cyberattacks by imposing penalties after they have already been hacked.
Officials at the Department of Health and Human Services have also expressed their willingness to take various actions, such as imposing monetary fines, in order to push and support healthcare organizations to enhance the security of their systems.
There is increasing momentum on Capitol Hill to push health care organizations to adhere to basic cybersecurity standards. Sen. Mark Warner, a Virginia Democrat, introduced a bill in March that would enable hacked health care providers to receive "advanced and accelerated" Medicare payments if they meet minimum cybersecurity requirements.
An unhealthy situation
The ransomware attacks on Change Healthcare and Ascension have spotlighted the health sector's cybersecurity weaknesses like no events before them, experts told CNN.
Carter Groome, the chief executive of cybersecurity firm First Health Advisory, believes that even with new cybersecurity regulations, the healthcare sector will still struggle against cyberattacks. This is because the financial challenges in the healthcare industry often lead leaders to prioritize revenue-generating investments over cybersecurity measures.
The recent ransomware attack on Change Healthcare has raised concerns among policymakers and experts about the excessive consolidation in the US healthcare industry. Hackers have the potential to breach security defenses at one company, putting millions of patients within that health network at risk of being impacted.
Corman, a co-founder of I Am The Cavalry, a volunteer group focusing on cybersecurity for resource-poor organizations in the health sector, expressed concern about the state of US healthcare. He pointed out that distressed hospitals are being acquired by large conglomerates, leading to ransoms and outages that impact smaller facilities.
He emphasized the importance of strong cybersecurity regulations to drive meaningful improvements in the sector. Corman acknowledged that cybersecurity can be costly but argued that neglecting it ultimately leads to even greater costs.
UnitedHealth Group, the parent company of Change Healthcare, holds a significant share of the US healthcare market. With reported revenue of $371 billion last year, the company manages one out of every three American patient records, as stated by the American Hospital Association. A subsidiary of UnitedHealth, Optum, has around 90,000 physicians in its employ.
During a recent Senate hearing, Senator Marsha Blackburn, a Republican from Tennessee, remarked to UnitedHealth Group CEO Andrew Witty about the company's massive revenues, comparing them to the GDP of some countries. She also questioned how the company lacked the necessary redundancies to prevent cyberattacks and why it found itself vulnerable.
The Wall Street Journal reported in February that the Justice Department is looking into UnitedHealth Group for possible antitrust violations.
Additionally, the Justice Department recently formed a task force to investigate "health care monopolies and collusion." This task force will help the department decide on civil and criminal enforcement actions in the health care market when necessary.
Editor's P/S:
The recent ransomware attacks on two major American health care firms have exposed the alarming vulnerabilities of the US health care system to cyber threats. The widespread disruptions in patient care, including diverted ambulances and delayed pharmacy services, highlight the urgent need for mandatory cybersecurity standards and regulations in the sector. Experts emphasize that the industry has fallen behind other critical sectors in terms of IT security measures, leaving patient data and access to care at risk.
The proposed minimum cybersecurity requirements by the Biden administration and the bipartisan support in Congress for stricter regulations are positive steps towards addressing this critical issue. However, the opposition from the American Hospital Association, citing potential penalties for victims of cyberattacks, raises concerns about the effectiveness of these measures. It is crucial to strike a balance between protecting patient safety and supporting hospitals that have already been compromised. The Justice Department's investigation into UnitedHealth Group and the formation of a task force to investigate health care monopolies further underscore the need for comprehensive oversight and accountability in the industry.