Federal officials and industry executives have known for years that the U.S. health-care system was one of the critical industries most vulnerable to hacking but failed to make the improvements that might have stopped attacks like the one that has crippled pharmacists and other medical providers for three weeks.
The danger was obvious in 2021, when ransomware gangs struck hospitals already overwhelmed by the covid-19 pandemic, forcing some to divert incoming emergency patients to other facilities and potentially contributing to deadly treatment delays.
But with private sector lobbyists opposing new security requirements, Congress and the regulatory wheels have ground slowly, mainly promoting best practices that hospitals can — and do — choose to ignore.
So can relatively unknown electronic clearinghouses like UnitedHealth Group’s Change Healthcare, which was the object of an attack launched last month by a hacker affiliated with ransomware gang ALPHV that severed a key link between medical providers and their patients’ insurance companies in the worst health-care hack ever reported. Change Healthcare said Monday that it had provided advances of $2 billion to pharmacies, hospitals and other providers who were unable to get insurance reimbursements during the failure of its network.
Critics say the Change Healthcare fiasco, which has hurt patient care at almost three-fourths of U.S. hospitals, shows that defensive efforts are horribly inadequate. They say a complete response would include strict security requirements for the most critical pieces of the sprawling system, followed by less stringent but still sufficient rules for big hospital systems. The smallest providers, which may not have any security staff, should get help, as called for in the administration’s proposed budget.
“We need to make sure we know where these vulnerable points are,” Nitin Natarajan, deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, acknowledged in an interview. “We’re looking at what levers exist.”
Some members of Congress say that should have happened already.
“The government needs to prevent this kind of devastating hack from happening over and over again,” Sen. Ron Wyden (D-Ore.) told The Washington Post. “I want to work with the Biden administration to ensure there are mandatory, specific cybersecurity rules in place as soon as possible, and to ensure accountability for CEOs.”
Deputy national security adviser Anne Neuberger said the White House is examining what laws it can use to impose such standards on a reluctant industry, while telling executives that they are expected to comply with voluntary guidelines immediately.
“The Hill has not passed any legislation providing authorities to mandate minimum standards, which is why we have been using sector emergency authorities or rulemaking,” Neuberger told The Post on Monday.
She said some requirements will come soon for providers that accept Medicare and Medicaid.
The American Hospital Association said it supports voluntary cybersecurity goals aimed at defending against the most common attacks, like phishing emails. But the organization criticized mandatory measures like those proposed by the Biden administration, saying they would penalize hospitals that fail to meet certain standards even when most of the risk comes from third-party technologies.
“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” the association wrote in a letter to the Senate Finance Committee last week.
Last year, more health-care industry targets reported ransomware attacks to the FBI’s Internet Crime Complaint Center than any other of the 16 sectors of critical infrastructure, according to the annual summary released this month.
Experts said industry resistance to mandatory security was only part of the problem.
Hospitals fall prey because they are “easy money,” said Greg Garcia, executive director of a health-care industry cybersecurity group and a former assistant secretary of homeland security. “If the choice is ‘pay the ransom and save a life and don’t pay a ransom and risk losing a life or going out of business if it’s a small system,’ it’s kind of a no-brainer for the hacker.”
Asked why it has not prepared better, Natarajan said the “complexity of the sector” was part of the reason.
A single medical service can feature innumerable participants — doctors and hospitals, insurance companies, drugmakers, pharmacies and platforms like Change Healthcare — all of which connect electronically. That makes each piece, with its own technology and priorities, a potential gateway to the whole medical universe.
So when hackers break into providers or others, encrypting health and billing records and demanding money to unlock them, they can also get into adjacent targets.
...