Cyberattacks Targeting Healthcare
The healthcare sector has come under siege from cyberattacks, with ransomware posing a significant threat. According to the FBI, there were 249 ransomware attacks targeting health institutions in 2023 alone, making healthcare the most attacked sector. One example of the impact is Central Oregon Pathology Consultants (COPC), which saw its operations affected and suffered financial losses due to the February hack of Change Healthcare.
COPC had to manage without payments for months, relying on cash reserves while the patient payment portal remained down. As of July, about 20,000 claims were still outstanding, impacting their ability to calculate the total loss from the downtime.
Federal Response Under Scrutiny
Critics argue that the federal response to these attacks has been insufficient. The Department of Health and Human Services (HHS) has primarily focused on hospitals, but the weaknesses are widespread across the healthcare system. Senator Ron Wyden criticized the current approach, emphasizing the need for more robust practices beyond self-regulation.
Mark Montgomery from the Foundation for Defense of Democracies highlighted that investment in cybersecurity is minimal, with efforts described as "incremental to almost nonexistent."
The Need for Comprehensive Strategy
The urgency of the situation is undeniable, with 2024 continuing to see health sector cyberattacks. For example, a ransomware attack on OneBlood disrupted blood supply for transfusions. Complex operations like chemotherapy preparation are compromised without proper security measures.
In December, HHS proposed a cybersecurity strategy focusing on hospitals, with incentives for adopting essential practices. However, Iliana Peters, a former HHS lawyer, insists that investment should extend to suppliers and contractors within the healthcare system.
Challenges in Coordination and Implementation
Coordination between HHS and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has faced challenges. Disorganization and insufficient staffing have been noted as significant issues. The preparedness office was historically focused on physical-world disasters, and its shift to cybersecurity under Trump-era leadership is still criticized for lack of expertise.
During the NotPetya attack in 2017, Health-ISAC had to independently inform its members on response strategies, highlighting the need for better organized federal support.
Moving Forward: Proposed Measures and Funding
HHS is exploring enforceable standards for cybersecurity, aiming to release an updated strategy soon. The department has already requested additional funding, including $12 million for cybersecurity initiatives. However, updates to the privacy and security rules are pending due to budget constraints.
Despite these measures, experts like Routh emphasize the significant challenges that remain. Without substantial changes, the healthcare industry could continue to face vulnerabilities and threats from cyberattacks.