Federal officials and industry executives have known for years that the U.S. health-care system was one of the critical industries most vulnerable to hacking but failed to make the improvements that might have stopped attacks like the one that has crippled pharmacists and other medical providers for three weeks.
The danger was obvious in 2021, when ransomware gangs struck hospitals already overwhelmed by the covid-19 pandemic, forcing some to divert incoming emergency patients to other facilities and potentially contributing to deadly treatment delays.
But with private sector lobbyists opposing new security requirements, Congress and the regulatory wheels have ground slowly, mainly promoting best practices that hospitals can - and do - choose to ignore.
So can relatively unknown electronic clearinghouses like UnitedHealth Group’s Change Healthcare, which was the object of an attack launched last month by a hacker affiliated with ransomware gang ALPHV that severed a key link between medical providers and their patients’ insurance companies in the worst health-care hack ever reported. Change Healthcare said Monday that it had provided advances of $2 billion to pharmacies, hospitals and other providers who were unable to get insurance reimbursements during the failure of its network.
Critics say the Change Healthcare fiasco, which has hurt patient care at almost three-fourths of U.S. hospitals, shows that defensive efforts are horribly inadequate. They say a complete response would include strict security requirements for the most critical pieces of the sprawling system, followed by less stringent but still sufficient rules for big hospital systems. The smallest providers, which may not have any security staff, should get help, as called for in the administration’s proposed budget.
“We need to make sure we know where these vulnerable points are,” Nitin Natarajan, deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, acknowledged in an interview. “We’re looking at what levers exist.”
Some members of Congress say that should have happened already.
“The government needs to prevent this kind of devastating hack from happening over and over again,” Sen. Ron Wyden (D-Ore.) told The Washington Post. “I want to work with the Biden administration to ensure there are mandatory, specific cybersecurity rules in place as soon as possible, and to ensure accountability for CEOs.”
Deputy national security adviser Anne Neuberger said the White House is examining what laws it can use to impose such standards on a reluctant industry, while telling executives that they are expected to comply with voluntary guidelines immediately.
“The Hill has not passed any legislation providing authorities to mandate minimum standards, which is why we have been using sector emergency authorities or rulemaking,” Neuberger told The Post on Monday.
She said some requirements will come soon for providers that accept Medicare and Medicaid.
The American Hospital Association said it supports voluntary cybersecurity goals aimed at defending against the most common attacks, like phishing emails. But the organization criticized mandatory measures like those proposed by the Biden administration, saying it would penalize hospitals that fail to meet certain standards, even when most of the risk comes from third-party technologies.
“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” the association wrote in a letter to the House Finance Committee last week.
Last year, more health-care industry targets reported ransomware attacks to the FBI’s Internet Crime Complaint Center than any other of the 16 sectors of critical infrastructure, according to the annual summary released this month.
Experts said industry resistance to mandatory security was only part of the problem.
Hospitals fall prey because they are “easy money,” said Greg Garcia, executive director of a health-care industry cybersecurity group and a former assistant secretary of homeland security. “If the choice is ‘pay the ransom and save a life and don’t pay a ransom and risk losing a life or going out of business if it’s a small system,’ it’s kind of a no-brainer for the hacker.”
Asked why it has not prepared better, Natarajan said the “complexity of the sector” was part of the reason.
A single medical service can feature innumerable participants - doctors and hospitals, insurance companies, drugmakers, pharmacies and platforms like Change Healthcare - all of which connect electronically. That makes each piece, with its own technology and priorities, a potential gateway to the whole medical universe.
So when hackers break into providers or others, encrypting health and billing records and demanding money to unlock them, they can also get into adjacent targets.
More than half of all health-care attacks come in through third parties, according to Garcia, whose organization is called the Health Sector Coordinating Council Cybersecurity Working Group.
The complexity is compounded by separate regulators for many parts of the health-care economy, some of which propound different security guidelines from one another, or none at all. The biggest authority, the Department of Health and Human Services, enforces rules for securing sensitive health data and is investigating the Change Healthcare breach.
CISA named health care last year as one of its top priorities for tech security, along with water, public schools and election systems. The agency offers free vulnerability assessments and training, and it has been able to warn about 100 health-care providers in the past year that their systems were under attack before it was too late.
One key issue is whether to pay a ransom to unlock systems after hackers have seized control of them.
In a statement, the White House said it “strongly discourages paying of ransoms, to stop the flow of funds to these criminals and disincentivize their attacks.”
But many cyber-insurance companies do suggest paying if data backups are not available.
When health providers don’t pay, the results can be catastrophic. Change Healthcare parent company United Healthcare Group has not denied reports that it held out for two weeks before sending $22 million to the Russian-speaking ransomware gang ALPHV.
In that case, most of the damage hit other organizations that depended on Change Healthcare, as well as patients who found they could not get lifesaving medications without paying the same price as someone with no insurance.
UnitedHealth Group said Monday it had restored Change Healthcare’s platform for electronic payments and what it said was 99 percent of its pharmacy network services, while starting to release software for health care providers to submit medical claims for reimbursement.
Consumers and pharmacies still reported ongoing impacts, such as not being able to apply coupons that many use to pay for medications. The timeline to restore the ability to submit medical claims remains unclear, some physicians said.
There was also severe collateral damage after a major attack on the network of Scripps hospitals in San Diego in 2021, according to a May article in JAMA Network Open, from the American Medical Association. Scripps did not pay the ransom, according to reports at the time. The study found that the amount of time patients lost from being diverted to other emergency rooms more than doubled in the first days after the attack.
Inside Scripps hospitals, critical equipment was inoperable, a doctor told The Washington Post, including electronic patient records. Some younger physicians who had never before used paper charts simply went home.
“You had to count on the patient to tell you what medications they were taking, what surgeries they’d had, if they remembered,” the doctor said. “I’m sure we made mistakes.”
Some security industry veterans who had seen a rash of medical industry data breaches before covid-19 foresaw the ransomware surge that would follow, and they formed a group of volunteers to help in March 2020. Called the Cyber Threat Intelligence League, they scanned hospital networks from afar, looking for vulnerabilities and alerting facilities that were in danger.
The members also advised hospitals that were already under attack and in bad shape.
“I personally have no doubt that lives were lost,” said CTI League co-founder Marc Rogers. “When you talk to a hospital in the small hours of the morning and they have no way to access patient medical history records and use more advanced systems, you know that’s going to cost lives.”
In many cases, the hospitals were leery of taking advice from strangers, even when CISA or the FBI vouched for them, Rogers recalled. Smaller hospitals often had no ties to the industry’s nonprofit security information-sharing group. Through trial and error, the league found that the best way to pass on tips and fixes was often through equipment and software vendors that already had a technical contact at the establishment.
The league’s greatest successes were the handful of times that it found a critical software flaw at a hospital, confirmed that ransomware hackers were exploiting the same flaw elsewhere, and explained the situation to the hospital in time for it to catch hackers in its systems before they encrypted them. CISA now uses the same approach.
Rogers, a former security executive at the internet security company Cloudflare, said more collaboration and better guidelines from federal agencies are only part of the answer. Left unchanged is the fact that many hospitals are small nonprofits with no one who can set up even minimal controls on online access, like multifactor authentication, instead of passwords alone.
“None of it takes into account the lack of funding to do this stuff,” Rogers said. “These hospitals are still under-resourced. If you go to a rural hospital, you would be lucky to find any cybersecurity expertise at all.”
The government approach to date, he added, means that “you’re giving them a list of things they need to do, but you’re not giving them the means to do it.”
Daniel Gilbert contributed to this report.