The recent cyberattack on the billing and payment colossus Change Healthcare revealed just how serious the vulnerabilities are throughout the U.S. health care system, and alerted industry leaders and policymakers to the urgent need for better digital security.
Hospitals, health insurers, physician clinics and others in the industry have increasingly been the targets of significant hacks, culminating in the assault on Change, a unit of the giant UnitedHealth Group, on Feb. 21.
The ransomware attack on the nation’s largest clearinghouse, which handles a third of all patient records, had widespread effects. Fixes and workarounds have alleviated some distress, but providers are still unable to collect billions of dollars in payments. Many smaller hospitals and medical offices are still having trouble getting paid more than a month after Change was first forced to shut down many of its systems.
Even now, very little information about the exact nature and scope of the attack has been disclosed. UnitedHealth said that it had advanced more than $3 billion to struggling providers, and that it expected more of Change’s services to be available in the coming weeks as it brought the systems back online.
The F.B.I. and the Department of Health and Human Services are investigating the Change hack, including whether patients’ records and personal information have been compromised. Because Change’s network acts as a digital switchboard that connects information from a patient’s first doctor visit to a diagnosis like cancer or depression and then subsequent treatment to a health insurer for benefits and payments, there is a risk that people’s medical history could be exposed for years.
The attack on Change is just the most far-reaching example of what has become nearly commonplace in the health care industry. Ransomware attacks, in which criminals encrypt or lock up computer systems and demand payment to restore them (and increasingly threaten to publish stolen data if the victim refuses), affected 46 hospital systems last year, up from 25 in 2022, according to the data security firm Emsisoft. Hackers have also taken down companies that provide services such as medical transcription and billing in recent years.
How big is the problem?
Cybersecurity consultants and government officials have consistently identified health care as the sector of the U.S. economy most susceptible to attacks, and as much a part of the nation’s critical infrastructure as energy and water.
“We should all be terrified,” said D.J. Patil, a general partner at GreatPoint Ventures and the former U.S. chief data scientist.
He and others emphasized the inadequate protections in U.S. health systems, despite dramatic events such as the 2017 ransomware attack that locked up medical records at the National Health Service in Britain, leading to massive disruption for patients.
“The entire sector is severely under-resourced when it comes to cybersecurity and information security,” said Errol Weiss, chief security officer for the Health Information Sharing and Analysis Center, which he described as a virtual neighborhood watch for the industry.
The Change attack has drawn a lot more government attention to the problem. The White House and federal agencies have held several meetings with industry officials. Congressional lawmakers have also begun inquiries, and senators have summoned UnitedHealth’s chief executive, Andrew Witty, to testify this spring.
The financial sector has worked to identify and fortify vulnerable areas to make it less prone to systemic attacks. But “health care has not gone through a mapping exercise to understand” exactly where the major choke points are that are at risk for hacks, said Erik Decker, the chief information security officer for Intermountain Health, a major regional health system headquartered in Salt Lake City.
“We have a lesson learned — we need to do that,” said Mr. Decker, who also serves as chairman of a private-sector working group on cybersecurity in health care that advises the federal government.
Wall Street and the nation’s banking system have had strong financial incentives to fortify their defenses because a hacker could steal their money, and the sector faces tougher government regulation.
Health care hacks can have deadly consequences.
Studies have shown that hospital mortality rises in the aftermath of an attack. Doctors are unable to look up past medical care, communicate notes to colleagues or check patient allergies, for example.
Scheduled surgeries are canceled, and ambulances are sometimes rerouted to other hospitals even in emergencies because the cyberattack has disrupted electronic communications or medical records and other systems. Research suggests that hacks have a cascading effect, lowering the quality of care at nearby hospitals forced to take on additional patients.
“Cybersecurity has become a patient safety issue,” said Steve Cagle, the chief executive of Clearwater, a health care compliance firm.
In some cases, hackers have made sensitive patient health data public. Lehigh Valley Health Network refused to pay a ransom demanded by the same group suspected of the attack on Change Healthcare. The hackers then posted online nude photographs of patients receiving treatment for breast cancer, according to a lawsuit brought by one of the victims. Hundreds of patients’ photographs were stolen.
Why is the health care industry a target?
Medical records can sell for many times the price of a stolen credit card number. And unlike a credit card, which can be quickly canceled and reissued, a person’s medical history cannot be changed.
“We can’t cancel your diagnosis and send you a new one,” said John Riggi, national adviser for cybersecurity and risk for the American Hospital Association, a trade group.
But he also said the records had value “because it’s easy to commit health care fraud.” Health insurers, unlike banks, often don’t employ elaborate methods to detect fraud, making it easy to submit false claims.
People worried about stolen Social Security numbers and other financial information can sign up for credit monitoring, but patients have little recourse if their personal health information is stolen.
Hospital networks and other health care groups have also been quick to pay ransoms to try to limit exposure for patients, a decision that only rewards and encourages hackers. The F.B.I. advises targets of ransomware attacks not to pay, but most hospitals do because the stakes are so high. In the case of Change Healthcare, the company is said to have paid a $22 million ransom, according to reporting by Wired.
Why aren’t hospitals and doctors doing more?
Despite the risk, smaller hospitals and doctors’ practices often don’t have the money to pay for enhanced security measures or the expertise to examine serious threats.
And older technology is rarely compatible with the latest cybersecurity standards; a hodgepodge of connected products and vendors leaves digital side doors open, luring hackers. Because hacks had largely been aimed at individual hospital systems before Change was hobbled, groups underestimated their risk.
Jacki Monson, a senior vice president of Sutter Health and the chair of the National Committee on Vital and Health Statistics, said, “People have to decide what they’re going to invest in, and cybersecurity is not usually the top of the list.”
What is the government’s response?
The regulatory framework is also old and fragmented. Hospitals are allowed to select among a range of security standards, and there is no advance auditing of compliance.
Digital security is divided among different offices within H.H.S., and much of the agency’s regulatory power still relies on a 1996 law, written before the development of modern digital health systems or the rise of ransomware hacking. The government’s regulatory focus has been on privacy and compliance rather than fortifying against attacks.
The regulation of insurer data security is even more spotty, since health insurers are largely regulated at the state level. Many vendors like Change, which provide digital services to hospitals but are not health care providers themselves, can also slip through regulatory cracks, Ms. Monson said.
That may change. The Biden administration is calling for H.H.S. to ensure that hospitals have adequate protections. The administration is also considering revisions to the regulations about how health data is shared, and may impose clearer rules for digital security measures for hospitals.
Senator Ron Wyden of Oregon, the Democratic chairman of the Senate Finance Committee, has signaled an interest in establishing tougher new rules.
“Today, there are no federal mandatory technical cybersecurity standards for the health care industry, even though people have been talking about it for ages, something like decades,” he said during a recent hearing on the president’s budget. “I want to be clear: That needs to change now.”
Updating systems across the board may be expensive, particularly for smaller organizations operating on tight budgets. When the government required hospitals to meet cybersecurity standards to set up electronic health records 20 years ago, it paired strict rules with major financial incentives.
The Biden administration has asked for an initial $800 million to help improve hospital systems as part of its recent budget proposal. But it is not clear whether Congress will be able or willing to provide funding for modernization today.
And some hospitals will continue to spend money on the latest M.R.I. technology or more nurses over stringent digital protections.
“Without additional resources to raise the bar, those health care providers and those health care payers are going to continue to make choices to pay for treatment or for cybersecurity,” said Iliana Peters, a former federal health official specializing in data security who is now a lawyer at Polsinelli, a law firm in Washington, D.C.