Central Oregon Pathology Consultants has been in business for nearly 60 years, providing molecular testing and other diagnostic services east of the Cascade Range.
Starting last winter, it operated for months without getting paid, surviving on cash, says practice manager Julie Tracewell. The practice is embroiled in the aftermath of one of the most significant digital attacks in U.S. history: the hack of payments manager Change Healthcare in February.
COPC recently learned that Change has begun processing some of the outstanding claims, which stood at about 20,000 in July, but Tracewell does not know which ones, she said. The patient payment portal remains offline, meaning customers cannot settle their bills.
“It will take months before we can calculate the total loss from this downtime,” she said.
Healthcare is the most common target of ransomware attacks: in 2023, the FBI says, 249 of these attacks targeted healthcare facilities, the most of any sector.
And health officials, advocates and those in the halls of Congress are concerned that the federal government’s response is underpowered, underfunded and too focused on protecting hospitals — even as Change proved the weaknesses are widespread.
The Department of Health and Human Services’ “current approach to healthcare cybersecurity – self-regulation and voluntary best practices – is woefully inadequate and has left the healthcare system vulnerable to criminals and foreign government hackers,” Senator Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, wrote in a recent letter to the agency.
The money isn’t there, says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “We have seen extremely incremental to almost non-existent efforts” to invest more in security, he said.
The task is urgent: 2024 has been a year of healthcare hacks. Hundreds of hospitals in the Southeast faced disruptions to their ability to obtain blood for transfusions after nonprofit organization OneBlood, a donation service, fell victim to a ransomware attack.
Cyberattacks complicate both mundane and complex tasks, says Nate Couture, chief information security officer at the University of Vermont Health Network, which was hit by a ransomware attack in 2020. “We can’t mix a chemo cocktail by eye,” he said, referring to cancer treatments, at a June event in Washington, D.C.
In December, HHS published a cybersecurity strategy intended to support the sector. Several proposals targeted hospitals, including a carrot-and-stick program to reward providers that adopted certain “essential” security practices and penalize those that did not.
Even that narrow focus can take years to materialize: under the department’s budget proposal, money would start flowing to high-needs hospitals in the 2027 budget year.
The focus on hospitals is “not appropriate,” Iliana Peters, a former enforcement attorney at the HHS Office for Civil Rights, said in an interview. “The federal government must go further” by also investing in the organizations that supply and contract with providers, she said.
The department’s interest in protecting the health and safety of patients “puts hospitals at the top of our list of priority partners,” Brian Mazanec, deputy director at the Administration for Strategic Preparedness and Response at HHS, said in an interview.
Responsibility for the nation’s healthcare cybersecurity is shared by three offices within two different agencies. The HHS Office for Civil Rights acts as a kind of police officer, monitoring whether hospitals and other health groups are providing adequate protections for patients’ privacy and, if not, potentially fining them.
The HHS preparedness agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency are helping build defenses — such as requiring medical software developers to use audit technology to verify their security.
The latter is required to draw up a list of “systemically important entities” whose activities are crucial for the proper functioning of the healthcare system. These entities could receive special attention, such as inclusion in government threat briefings, Josh Corman, co-founder of the cyber advocacy group I Am The Cavalry, said in an interview.
Federal officials had been working on the list when news of the Change hack broke — but Change Healthcare was not on it, Jen Easterly, head of Homeland Security’s cybersecurity agency, said at an event in March.
Nitin Natarajan, deputy director of the cybersecurity agency, told KFF Health News that the list was just a draft. The agency previously estimated it was due to finalize the list of entities – across sectors – last September.
The HHS preparedness office is supposed to coordinate with Homeland Security’s cybersecurity agency and the entire Department of Health and Human Services, but congressional staffers said the agency’s efforts are falling short. There are “silos of excellence” in HHS, “where teams weren’t talking to each other, [where it] wasn’t clear who people should go to,” Matt McMurray, chief of staff to Rep. Robin Kelly (D-Ill.), said at a conference in June.
Is the HHS preparedness office “the right home for cybersecurity? I’m not sure,” he said.
Historically, the agency focused on disasters in the physical world: earthquakes, hurricanes, anthrax attacks, pandemics. It inherited cybersecurity as Trump-era department leadership grabbed for more money and authority, said Chris Meekins, who worked for the preparedness agency under Trump and is now an analyst at the investment bank Raymond James.
But since then, Meekins says, the agency has shown it is “not qualified to do it. There isn’t the funding there, there isn’t the involvement there, there isn’t the expertise there.”
The preparedness office has only a “small handful” of employees focused on cybersecurity, said Annie Fixler, director of FDD’s Center on Cyber and Technology Innovation. Mazanec acknowledges the number is not high, but hopes additional funding will allow for more hiring.
The office is slow to respond to outside feedback. When a cyber threat industry association tried to coordinate with it to set up an incident response process, “it probably took three years to identify someone willing to support that effort,” said Jim Routh, then-chairman of the group, the Health Information Sharing and Analysis Center.
During the 2017 NotPetya attack — a hack that caused major damage to hospitals and drugmaker Merck — Health-ISAC ultimately distributed information to its members itself, including the best method to contain the attack, Routh said.
Advocates are looking at the Change hack — reportedly caused by a lack of multifactor authentication, a technology well known in American workplaces — and saying HHS should use mandates and incentives to get the healthcare industry to adopt better defenses. The department’s strategy, published in December, proposed a relatively limited list of goals for the healthcare sector, which are largely voluntary at this point. The agency is “exploring” creating “new enforceable” standards, Mazanec said.
Much of the HHS strategy will be rolled out in the coming months. The department has already asked for more funding. For example, the preparedness agency wants an additional $12 million for cybersecurity. The civil rights agency, with a flat budget and dwindling enforcement staff, will soon release an update to its privacy and security rules.
“There are still significant challenges facing the industry as a whole,” Routh said. “I don’t see anything on the horizon that will necessarily change that.”
KFF Health News is a national newsroom that produces in-depth journalism on health issues and is one of the core operating programs of KFF – the independent source for health policy research, opinion polls and journalism.
©2024 KFF Health News. Distributed by Tribune Content Agency, LLC.