Central Oregon Pathology Consultants has been in business for nearly 60 years, providing molecular testing and other diagnostic services to patients east of the Cascade Range.
Starting last winter, it worked for months without pay, living off the money it had, said practice manager Julie Tracewell. The practice was caught in the aftermath of one of the most important ransomware attacks in American history: the February hack of payments manager Change Healthcare.
The attack crippled the US health care system. Hospitals, pharmacists and even physical therapists struggled to pay for their services. Patients found it difficult to fill their prescriptions.
COPC recently learned that Change has begun processing some of the pending applications, which numbered about 20,000 since July, but Tracewell doesn’t know which ones, he said. The patient payment portal is constantly down, meaning customers are unable to pay their accounts.
“It will take months to be able to calculate the full loss of this holiday season,” he said.
Health care is a frequent target of ransomware attacks: In 2023, the FBI says, 249 of them targeted health care facilities – the most of any sector.
Health care executives, lawyers and those in the halls of Congress worry that the federal government’s response is weak, underfunded, and too focused on protecting hospitals, just as the Change hack showed that the weakness is widespread.
The Department of Health and Human Services’ “current approach to healthcare cybersecurity – self-monitoring and voluntary best practices – is woefully inadequate and has left the healthcare system vulnerable to criminals and foreign government criminals,” Sen. Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, wrote in a recent letter to the agency.
The money isn’t there, said Mark Montgomery, senior director at the Center for the Defense of Democracies on Cyber and Technology Innovation. He said: “We have seen an increase in power that is almost non-existent” to invest more in defense.
Work is fast – 2024 has been the year of health services. In another case, hundreds of hospitals across the Southeast faced a disruption in their ability to receive blood for transfusions after the non-profit OneBlood, a donation service, was hit by a ransomware attack.
Cyberattacks complicate routine and complex tasks alike, said Nate Couture, chief information security officer at the University of Vermont Health Network, which was hit by a ransomware attack in 2020. “We can’t mix a chemo cocktail with an eye,” he said, talking about cancer treatments that relied on technology crippled in the attack, at a June event in Washington, DC.
In December, HHS released a cybersecurity policy aimed at supporting the agency. Several proposals targeted hospitals, including a carrot-and-stick program to reward providers who adopted certain “essential” safety practices and penalize those who did not.
Even that slim case could take years to materialize: Under the department’s proposed budget, money would begin flowing to “high-needs” hospitals in fiscal year 2027.
Focusing on hospitals “is not appropriate,” Iliana Peters, a former attorney for the HHS Office of Human Rights, said in an interview. “The federal government needs to step up” by investing in contracting and donor agencies, he said.
The department’s interest in protecting the health and safety of patients “puts hospitals near the top of our list of important partners,” Brian Mazanec, deputy director of the Policy Reform and Response Administration at HHS, said in an interview.
Responsibility for national health protection is shared by three offices within two separate agencies. The health department’s human rights office acts as an ongoing police force, monitoring whether hospitals and other health care organizations have adequate protections for patient privacy; if they do not, it can charge them.
The Department of Health’s Office of Preparedness and the Department of Homeland Security’s Office of Defense and Infrastructure are helping to build defenses — such as mandating that medical device manufacturers use the technology of testing to assess their security.
The last two are required to make a list of “key administrative bodies” whose activities are essential to the effective functioning of the health system. These organizations may receive special attention, such as being included in government threat discussions, Josh Corman, co-founder of the cyber advocacy group I Am The Cavalry, said in an interview.
Federal officials were working on the list when news of the Change hack broke, but Change Healthcare wasn’t on it, Jen Easterly, Homeland’s cybersecurity division leader, said at an event in March.
Nitin Natarajan, deputy director of the cybersecurity agency, told KFF Health News that the list was only a draft. The agency had previously estimated that it would finalize the list of agencies – across sectors – last September.
The health department’s preparedness office is supposed to coordinate with the Department of Homeland Security and spread to the health department, but congressional staff say the office’s efforts are failing. There are “silos of excellence” at HHS, “where teams don’t talk to each other, [where it] wasn’t clear who people should go to,” said Matt McMurray, chief of staff for Rep. Robin Kelly (D-Ill.), at the June meeting.
Is the health department’s preparedness office the “right home for cybersecurity? I’m not sure,” he said.
Historically, the office focused on global disasters – earthquakes, hurricanes, anthrax attacks, epidemics. It inherited cybersecurity when the Trump administration’s leadership took more money and authority, said Chris Meekins, who worked in the preparedness office under Trump and is now an analyst with investment bank Raymond James.
But since then, Meekins said, the agency has shown it’s “not worth doing. There’s no money there, no negotiations, no skills there.”
The preparedness office has “a handful of employees” focused on cybersecurity, said Annie Fixler, director at FDD’s Center for Cyber and Technology Innovation.
The office has been slow to respond to outside comments. When the industry’s clearinghouse for cyberthreats tried to connect with it to create an incident response system, “it probably took three years to identify anyone willing to support,” said Jim Routh, board chair of the group, the Health Information Sharing and Analysis Center.
During the NotPetya attack in 2017 – a hack that caused significant damage to hospitals and the drug manufacturer Merck – Health-ISAC ended up passing on information to its members itself, including the best way to have an attack, Routh said.
Advocates look at the Change hack (reportedly caused by a lack of multi-factor authentication, a technology widely used in American workplaces) and say HHS needs to use directives and incentives to make the health care sector adopt the best ways to protect itself. The agency’s plan released in December outlined a relatively limited list of goals for the health care sector, most of which are voluntary at this point. The agency is “exploring” the creation of “new implementable” conditions, Mazanec said.
Much of the HHS plan is due to be announced in the coming months. The department has already asked for more money. For example, the agency is seeking an additional $12 million for cyber security. The human rights office, with a high budget and dwindling staff, needs to update its privacy and security policies.
“There are still significant challenges facing the industry as a whole,” Routh said. “I don’t see anything close to changing that.”
KFF Health News is a national newsroom that produces in-depth journalism on life issues and is one of the main programs operating in KFF – an independent source of health policy research, polls, and journalism.