Lee Milligan, chief information officer of Asante Health System in Oregon, said he is encouraged that President Joe Biden has taken steps to help protect the country from cyberthreats, but wants Washington to work more directly with health systems to take over burden of attacks. .
“It strikes me that it is ultimately up to the individual hospital systems to try – essentially in isolation – to figure this out,” he said. “If the nation-state blew up the bridges connecting the Mississippi River and connecting states A and B, would we look at it the same way? And yet the same risk to life occurs when the healthcare system is shut down.”
The relentless rise in attacks is jeopardizing patient safety and putting a strain on clinicians already exhausted by the Covid-19 pandemic. In the worst case scenario, hackers can shut down the hospital and steal patient data.
Getting hacked is expensive: A 2021 cyberattack on San Diego’s largest healthcare system, Scripps Health, cost $112.7 million. These costs put additional pressure on health systems to raise prices for services, especially when faced with competitive labor market, losses from the pandemic and rising drug prices. And now cyber insurers are limiting insurance coverage and raising premiums, further endangering healthcare systems.
Various federal efforts have been made to assist healthcare systems in the event of cyberattacks through Department of Health and Human Services, Federal Bureau of Investigation and Department of Homeland Security. However, not all health systems feel that these resources are sufficient.
“What I really wanted was for them to create a real concrete framework for a partnership between individual health systems and government either on protection or response or preferably both,” Milligan said.
The physician receives an email asking them to log into the portal to obtain a copy of their patient’s past medical records. The website the email links to is a fake, a nefarious doppelgänger made fun of by hackers. Unwittingly, the doctor provided her credentials to log into a real health records portal or uploaded a virus.
This is one of many scenarios healthcare chief information security officers are preparing for as healthcare systems prepare for a federal deadline in October to make electronic health record data available to hospital networks, which could lead to new lines of attack from cybercriminals. they said because it draws attention to new entry points for hackers.
Cyber attacks on healthcare systems are on the rise, and their costs are mushrooming. There are many reasons for the increase, experts say, including that criminals are becoming more advanced and more aspects of healthcare are online.
When Sky Lakes Medical Center, a community hospital in southern Oregon, suffered a cyberattack in late October 2020, its computers were shut down for three weeks. The most mundane things became difficult. Nurses were required to check on critical patients every 15 minutes in case their vital signs changed. Doctors wrote down their prescriptions, and plump piles of paper filled entire rooms. The hospital used up 60,000 sheets of paper in three weeks.
Sky Lakes had to rebuild or replace 2,500 computers and clean up its network to get back online. Even after additional staff was hired, it took six months to get all paper records into the system. In total, John Gade, director of information services at Sky Lakes, says his organization spent $10 million — a big expense for a non-profit with roughly $4.4 million in annual operating income (the organization paid no ransom).
For hospitals on a budget, there are questions about how well they can protect themselves. The Sky Lakes attack was part of a wave of attacks in 2020 and 2021. associated with a criminal gang in Eastern Europe.
“Our budgets usually have a margin, maybe 3 percent a year,” Gaede said, “but we have to compete with national statesmen?”
Health data is profitable on the black market, making hospitals a popular target. In addition, if the healthcare system is immune to ransomware, criminals may think they are guaranteed a payout. The ransomware links hospital records in encrypted files until the fee is paid.
“When the ransoms were $50,000, it was cheaper to pay them than to deal with a lawsuit that would have cost much more,” says Omid Rahmani, deputy director of Fitch Ratings, adding that the ransoms are now worth millions. “The landscape has changed, and because of that, the side of cyber insurance has changed – and it really has to do with the rise of ransomware.”
In its annual data breach report, IBM writes that the average global cost of a healthcare attack has risen from about $7 million to over $9 million in 2021. But fixing these violations in the US can be much more expensive. There is no definitive data on how much the US healthcare system is spending on attacks, but a few high-profile cases shed some light:
- Violation of Universal Health Serviceswhich serves 3.5 million patients, cost $67 million.
- The University of Vermont, an academic healthcare facility that sees about 168,000 patients annually, spent $54 million to recover from the 2020 attack.
- Scripps Health, which treats 700,000 patients annually, lost $112.7 million.
Health systems only partly offset these costs. Scripps received $35 million from its insurers. quarterly financial disclosures – around 30 percent of the actual value. The University of Vermont raised $30 million from its insurer while United Health Services received $26 million.
“I see the cost of recovering from a major cyberattack — whether it’s a major data theft or a disruptive ransomware attack — easily five to ten times their insurance coverage, whether you’re a small hospital or a large one,” John said. Riggi, Senior Safety Advisor, American Hospital Association.
The delta between the cost of a cyberattack and what insurers will pay out is likely to grow. Last year, in the midst of a flood of claims, Reuters reported that cyber insurers both have dropped the maximum reimbursement rates and the types of attacks they cover. In November, Lloyd’s of London, a major cyber insurance provider, announced that it would not cover cyber warfare, or cyber attacks carried out in the name of a nation state. In-kind premiums are on the rise.
“I can’t stress enough that all of the costs I’m talking about here are paid for by all of us,” says Brad Ellis, head of Fitch Ratings’ US health insurance group. “[Health systems] paid by insurance companies, and we all pay insurance premiums, which have risen significantly. And they keep going up.”
Role of government
The big question is to what extent government agencies should protect organizations that are considered critical infrastructure. Two agencies, the Cybersecurity and Infrastructure Security Agency and the Health Sector Cybersecurity Coordinating Center at the Department of Health and Human Services, provide information about attacks and how to build the infrastructure to counter them. The CISA and the FBI also have incident response teams.
Eric Goldstein, CISA’s executive assistant director of cybersecurity, said the government needs to better see how many attacks are happening and where. “It should be noted that a significant proportion of cybersecurity intrusions go unreported to the government,” he said.
Health systems are required to report disclosures to the Office of Civil Rights that affect more than 500 people. But if health data isn’t coming out, health systems shouldn’t be accountable.
But that is about to change. Last spring, Biden signed an executive order to improve national cybersecurity, which Goldstein calls “the strongest cybersecurity executive order ever,” signaling increased investment in cybersecurity.
“It’s really a sea change in how the federal government manages its own cybersecurity,” he says.
The Biden administration also met last week with several health officials and relevant senior government officials to discuss cybersecurity threats and the challenges of securing small healthcare systems.
In May, President of the Senate for Homeland Security and Government Affairs. Gary Peters (D-Mich.) issued a report demonstrating that the government does not have enough data on cyber attacks affecting critical infrastructure, such as medical facilities, to effectively defend the nation against such blows. Peters is also behind the Cyber Incident Reporting Act, a recent law that sets stringent deadlines for reporting significant cyberattacks and ransomware payments to CISA (the rule also gives CISA the power to subpoena anyone who fails to meet these deadlines). ).
In return, CISA will develop an alert system to warn potential targets of common exploits and establish a ransomware task force to prevent and stop attacks. The task force should be in place by around March next year, while the ransomware vulnerability warning pilot project has a year to get going.
Goldstein acknowledges that the government cannot proactively protect every healthcare system from cyberattacks. But he notes that CISA last year created a Joint Cyber Defense Group to work with telcos and cloud providers to secure their infrastructure, and the healthcare systems that use those networks will benefit from proxies.
“Cybersecurity is now, perhaps for the first time, being decided by the board of directors and top executives in organizations across the country,” he said, adding that this level of focus and spending is what will ultimately help counter the threat.