4 Crucial Pieces of Knowledge About Health Care Cyberattacks


Despite the surge in ransomware attacks, such as the one that targeted Change Healthcare, there is a lack of legislation and few new measures to secure patient information, hospitals, and medical groups that are at risk.

The latest assault, which targeted the massive billing and payment system Change Healthcare, exposed the severity of the vulnerabilities present in the American healthcare system and made legislators and business executives aware of the pressing need for improved digital security.

Significant breaches targeting hospitals, health insurers, physician clinics, and other sector players have started occurring more frequently. This culminated in the attack on Change, a division of the massive UnitedHealth Group, on February 21.

Widespread consequences resulted from the ransomware attack on the biggest clearinghouse in the country, which manages one-third of all patient records. Although some of the problems have been resolved, suppliers are still unable to collect billions of dollars in payments. More than a month after Change was initially compelled to shut down many of its systems, many smaller hospitals and doctors’ offices are still experiencing difficulties receiving their payments.

Very few details regarding the precise type or extent of the attack have been made public as of yet. As it got the system back up, UnitedHealth stated that it had advanced more than $3 billion to struggling providers and that it anticipated more of Change’s services to be available in the coming weeks.

The Change attack is being looked into by the FBI and the Department of Health and Human Services, who are also looking into whether any patient records or personal data were accessed. People’s medical history could be exposed for years because Change’s network functions as a digital switchboard, connecting data from a patient’s initial visit to a diagnosis (e.g., cancer or depression) and subsequent treatment to a health insurer for benefits and payments.

The assault on Change is only the most extreme illustration of what has almost become standard practice in the medical field. According to the data security company Emsisoft, the number of hospital systems hit by ransomware attacks (which cause computer systems to shut down until their owners pay the hackers) rose from 25 in 2022 to 46 last year. In recent years, hackers have also taken down businesses that offer services like billing and medical transcription.

What is the extent of the issue?

Health care is an area of the U.S. economy that is most vulnerable to cyberattacks, according to cybersecurity experts and government officials. It is also an essential component of the country’s key infrastructure, just like energy and water.

D.J. Patil, the chief technology officer at Devoted Health, an insurance company, and a former senior data scientist at the federal Office of Science and Technology Policy, declared, “We should all be afraid.” Notwithstanding notable occurrences like the 2017 ransomware assault that locked up medical records at the National Health Service in Britain and severely disrupted patient care, he and others underlined insufficient safeguards in U.S. health systems.

Chief security officer of the Health Information Sharing and Analysis Center, Errol Weiss, said, “The entire sector is extremely under-resourced when it comes to cybersecurity and information security.” He compared the center to a virtual neighborhood watch for the industry.

The government’s awareness of the issue has increased significantly since the Change attack. Industry representatives have been in multiple meetings with the White House and federal agencies. Senators have also called for testimony from UnitedHealth’s CEO, Andrew Witty, this spring and have started their own investigations.

In order to reduce its susceptibility to systemic attacks, the financial industry has endeavored to pinpoint and reinforce susceptible points. However, according to Erik Decker, chief information security officer of Intermountain Health, a significant regional health system with its headquarters located in Salt Lake City, “health care has not gone through a mapping exercise to identify” precisely where the big choke spots are that are vulnerable to hacking.

“We need to do that—we have a lesson learned,” Mr. Decker stated. He is also the chairman of a private sector working group that provides advice to the federal government on cybersecurity in the healthcare industry.

Because a hacker might steal money from Wall Street and the country’s banking system, financial firms have a significant financial incentive to strengthen their defenses, and the industry is subject to stricter government supervision.

Hacks into the healthcare system can be fatal.

Research indicates that there is an increase in hospital mortality following an attack. For example, doctors cannot verify patient allergies, send notes to colleagues, or look up previous medical care.

Because of the disruption to electronic communications, medical records, and other systems caused by the cyberattack, scheduled surgeries are canceled, and ambulances are occasionally diverted to other hospitals, even in cases of emergency. According to research, hacking creates a domino effect that lowers the standard of care at neighboring hospitals, which are compelled to admit more patients.

According to Clearwater CEO Steve Cagle, cybersecurity has turned into a patient safety concern. Clearwater is a health care compliance company.

Hackers have occasionally exposed private patient health information. The same organization that is suspected of attacking Change Healthcare requested a ransom, which Lehigh Valley Health Network declined to pay. A lawsuit filed by one of the victims claims that the hackers subsequently posted online pictures of patients in their underwear undergoing breast cancer treatment. Photographs of hundreds of patients were stolen.

Why is the health care industry a target?

The value of medical records can be many times greater than that of a credit card that has been stolen. Furthermore, a person’s medical information cannot be altered, in contrast to a credit card, which can be swiftly cancelled.

According to John Riggi, national adviser for risk and cybersecurity for the trade association American Hospital Association, “we cannot rescind your diagnosis and send you a new one.”

However, he added that the information was valuable “because health care fraud is easy to commit.” Unlike banks, health insurers frequently do not use complex fraud detection techniques, making it simple to file bogus claims.

Patients have limited recourse if their personal health information is stolen, but those who are concerned about their social security numbers and other financial information being stolen can register with a credit monitoring service.

In an effort to reduce patient exposure, hospital networks and other healthcare organizations have also been quick to pay ransoms—a move that only serves to incentivize and reward hackers. The FBI urges victims of ransomware attacks not to pay, but due to the significant risks involved, the majority of hospitals comply. According to Wired’s report, Change Healthcare is said to have settled for a $22 million ransom.

Why aren’t hospitals and doctors doing more?

Smaller hospitals and physician offices frequently lack the resources to invest in more security measures or the knowledge to investigate significant concerns, despite the danger.

Furthermore, outdated technology rarely complies with modern cybersecurity requirements; instead, a disorganized collection of linked vendors and products creates digital gaps that attract hackers. Before Change was stifled by the attack, hacking had mostly targeted specific hospital systems; thus, groups misjudged their danger.

As chair of the National Committee on Vital and Health Statistics and senior vice president of Sutter Health, Jacki Monson stated, “People have to determine what they are going to spend on, and cybersecurity is not normally at the top of the list.”
