Washington CNN —

A pair of recent ransomware attacks crippled computer systems at two major American health care firms, disrupting patient care and exposing fundamental weaknesses in the US health care system’s defenses against hackers.

In both cases, federal officials and private cyber experts scrambled to try to limit the damage and get computers back online. But the cascading effects from the hacks, with ambulances diverted from hospitals and pharmacies unable to process insurance, have underscored for some US lawmakers, senior Biden administration officials and policy experts that the health care system is ill-prepared for the ripple effects of a cyberattack and needs new security regulations. Health care lags other industries, such as big financial institutions and energy providers, when it comes to IT security, according to some experts.

“Industry has successfully demanded voluntary cybersecurity for years — and this is what we get,” Joshua Corman, a cybersecurity expert who has focused on the health sector for years, told CNN.

Sen. Ron Wyden, the Oregon Democrat who chairs the finance committee, told CNN that “every new devastating hack hammers home the need for mandatory cybersecurity standards in the health care sector, particularly when it comes to the largest companies that millions of patients depend on for care and medicine.”

Without action, the senator said, “patients’ access to care and their personal health information will be compromised and ransomed by hackers over and over again.”

In 2023, 46 hospital systems in the US, comprising 141 hospitals, were impacted by ransomware, according to a tally from cybersecurity firm Emsisoft. That’s up from 25 hospital systems hit by ransomware in 2022, according to the firm.

The two ransomware attacks hit different nerves of the health care system. In February, cybercriminals broke into an unsecured computer server used by Change Healthcare, an insurance billing giant that processes about 15 billion health care transactions annually. The hack cut off health care providers from billions of dollars of revenue, snarled service at pharmacies across the US and may have compromised the personal data of a third of Americans.

In early May, cybercriminals used a different type of ransomware in an attack on Ascension, a St. Louis-based nonprofit network that includes 140 hospitals and 40 senior living facilities in 19 states. The hack forced the health network to divert ambulances from some hospitals.

The Biden administration is preparing to issue minimum cybersecurity requirements for US hospitals, senior White House cyber official Anne Neuberger confirmed this month. The details of that proposal have yet to be finalized. But the American Hospital Association, which represents hospitals across the United States, opposes the proposal, saying it would effectively re-victimize victims of cyberattacks by imposing penalties after they are hacked.

Officials at the Department of Health and Human Services previously said they are willing to use a number of measures, including imposing monetary fines, to both force and encourage health care organizations to better secure their systems.

Momentum is also growing on Capitol Hill to force health care organizations to meet basic cybersecurity standards.

A bill introduced in March by Sen. Mark Warner, a Virginia Democrat, would allow “advanced and accelerated” Medicare payments to be sent to hacked health care providers as long as those providers and their contractors meet minimum cybersecurity standards.

An unhealthy situation

The ransomware attacks on Change Healthcare and Ascension have spotlighted the health sector’s cybersecurity weakness like no other events before them, experts told CNN.

And even if there are new regulatory requirements for cybersecurity, the sector “will continue to struggle from such attacks if the business of providing healthcare remains financially fraught [and forces] leaders to prioritize only revenue generating investments,” Carter Groome, chief executive of cybersecurity firm First Health Advisory, told CNN.

The Change Healthcare ransomware attack, in particular, has brought fresh attention from policymakers and experts on what many see as the over-consolidation of the US health care industry. If hackers can defeat security measures at one company, millions of patients who rely on that health network can be affected.

“US healthcare is in a death spiral,” said Corman, who co-founded I am the Cavalry, a volunteer group that focuses on cybersecurity for resource-poor organizations in the health sector, among others. “Distressed hospitals get acquired into too-big-to-fail conglomerates. Ransoms cause distress for the little ones, and multi-week, multi-state outages for the ones ‘saved’ by the big ones.”

Any new cybersecurity regulations should be strong enough to force meaningful improvements in the sector’s cybersecurity, Corman argued. “Yes, cybersecurity is costly,” he said. “As we can clearly see… neglect is more costly.”

Change Healthcare’s parent firm, UnitedHealth Group, owns a significant portion of the US health care market. The company, which reported $371 billion in revenue last year, handles one in three American patient records, according to the American Hospital Association. Optum, a UnitedHealth subsidiary, employs about 90,000 physicians.

“Your revenues are bigger than some countries’ GDP,” Sen. Marsha Blackburn, a Tennessee Republican, told UnitedHealth Group CEO Andrew Witty in a Senate hearing this month. “And how in heaven’s name did you not have the necessary redundancies so that you did not experience this attack and find yourself so vulnerable?”

The Justice Department has been pursuing an antitrust investigation into UnitedHealth Group, the Wall Street Journal reported in February.

More broadly, the Justice Department last week announced a task force to examine “health care monopolies and collusion” that will guide the department’s approach to “civil and criminal enforcement in health care markets,” where warranted.