
Health systems want government help fighting off the hackers

Lee Milligan, chief information officer at Oregon’s Asante Health System, said he is encouraged that President Joe Biden has taken steps to protect the nation from cyberthreats, but wants Washington to work more directly with health systems to ease the burden of the attacks they currently have to take on themselves.

“I’m surprised it’s ultimately up to the individual hospital systems to try — essentially isolated — to figure it out,” he said. “If a nation-state has bombed bridges connecting across the Mississippi River and connecting State A and B, would we look at it the same way? And yet the same danger to life happens when they shut down a health system.”

The relentless increase in attacks is endangering patient safety and burdening clinicians already exhausted by the Covid-19 pandemic. In the worst cases, hackers can shut down hospital operations and siphon patient data.

Getting hacked is pricey: A 2021 cyberattack on San Diego’s largest health system, Scripps Health, cost $112.7 million. These costs put further pressure on health systems to increase the price of services, especially as they deal with a competitive labor market, pandemic losses and rising drug prices. And now, cyber insurers are limiting coverage and raising premiums, further exposing health systems.

Several federal efforts have been made to assist health systems with cyberattacks, through the Department of Health and Human Services, the Federal Bureau of Investigation and the Department of Homeland Security. However, not all health systems feel that these resources are sufficient.

“What I really wanted was for them to set up a really specific framework for a partnership between individual health systems and government to either protect or respond, or preferably both,” Milligan said.


A doctor receives an email asking her to log into a portal to get a copy of her patient’s medical records. The website the email links to is fake, a nefarious doppelganger mocked up by hackers. Without realizing it, the doctor hands over her credentials for the real patient record system, or downloads malware.

This is one of several scenarios healthcare CISOs are bracing for as health systems prepare for an October federal deadline to make electronic health records sharable between hospital networks. That change could invite new attacks from cybercriminals, they said, as it draws attention to new entry points for hackers.

Cyberattacks on health systems are steadily increasing and their costs are skyrocketing. Experts said there are several reasons for the increase, including that criminals are becoming more sophisticated and more aspects of healthcare are online.

When a cyberattack hit Sky Lakes Medical Center, a community hospital in southern Oregon, in late October 2020, the computers were down for three weeks. The most mundane tasks became burdensome. Nurses were required to check on critical patients every 15 minutes in case their vital signs changed. Doctors scribbled their orders by hand, and the swelling piles of paper took up entire rooms. In three weeks, the hospital had run through 60,000 sheets of paper.

Sky Lakes had to rebuild or replace 2,500 computers and clean up its network to get back online. Even after hiring additional staff, it took six months to get all the paper records into the system. In all, Sky Lakes director of information services, John Gaede, says his organization spent $10 million — a major expense for a nonprofit with about $4.4 million in annual operating income (the organization paid no ransom).

For hospitals with limited budgets, there are questions about how well they can protect themselves. The attack on Sky Lakes was part of a wave of attacks in 2020 and 2021 connected to a criminal group in Eastern Europe.

“Our budgets typically have a margin of maybe 3 percent per year,” said Gaede, “but we are supposed to compete with national actors?”

Health data is lucrative on the black market, making hospitals a popular target. In addition, if a health system has ransomware insurance, criminals may expect a payout. Ransomware locks hospital records in encrypted files until a fee is paid.

“When the ransom was $50,000, it was cheaper to pay them than to file a lawsuit that would have cost a lot more,” said Omid Rahmani, associate director at Fitch Ratings, a credit rating agency, adding that ransoms now cost millions. “The landscape has changed and the cyber-insurance side has changed as a result – and that really ties into the rise of ransomware.”

In its annual cost of a data breach report, IBM writes that the global average cost of a health system attack rose from about $7 million to more than $9 million in 2021. But fixing these breaches in the US could be much more expensive. There’s no comprehensive data on how much U.S. health care systems spend on attacks, but a few high-profile cases shed some light:

  • A breach of Universal Health Services, serving 3.5 million patients, cost $67 million.
  • The University of Vermont, an academic medical center with approximately 168,000 annual patients, spent $54 million in 2020 recovering from an attack.
  • Scripps Health, which treats 700,000 patients annually, lost $112.7 million.

Health systems only partially recoup these costs. Scripps received $35 million from its insurers, according to a quarterly financial disclosure – about 30 percent of the actual costs. The University of Vermont has collected $30 million from its insurer, while Universal Health Services received $26 million.

“What I’m seeing is that the cost to recover from a major cyber-attack — be it a major data theft or a disruptive ransomware attack — is easily five to ten times their insurance coverage, whether you’re a small hospital or large,” said John Riggi, senior adviser on safety at the American Hospital Association.

The gap between the cost of a cyberattack and what insurers will pay out is likely to grow. Last year, amid a deluge of claims, Reuters reported that cyber insurers were pulling back both on maximum payout percentages and on the types of attacks they cover. In November, Lloyd’s of London, a major cyber insurer, announced it would not cover cyber warfare, meaning cyberattacks carried out on behalf of a nation-state. Premiums are rising accordingly.

“I can’t stress it enough, all those costs I’m talking about here are paid by all of us,” said Brad Ellis, head of Fitch Ratings’ US Health Insurance Group. “[Health systems] are paid by the insurance companies and we are all paying the premiums that have risen sharply. And they continue to rise.”

The role of government

A big question is to what extent government agencies should protect organizations that are considered critical infrastructure. Two agencies – Cybersecurity and Infrastructure Security Agency and the Health Sector Cybersecurity Coordination Center under the Department of Health and Human Services – provide information about attacks and how to build infrastructure to repel them. CISA and the FBI also have incident response teams.

Eric Goldstein, executive assistant director for cybersecurity at CISA, said the government needs more insight into how many attacks are happening and where. “It is noteworthy that a significant proportion of cyber attacks are not reported to the government,” he said.

Health systems are required to report data exposures affecting more than 500 people to the Office for Civil Rights. But if no health data is exposed, health systems don’t have to report at all.

But that is about to change. Last spring, Biden signed an executive order to improve the country’s cybersecurity, which Goldstein calls “the most operationally impactful cybersecurity executive order ever,” signaling increased investment in cybersecurity.

“It is revolutionizing the way the federal government manages its own cybersecurity,” he says.

The Biden administration also held a meeting last week with several healthcare executives and relevant senior government officials to discuss cybersecurity threats and the challenge of securing smaller health systems.

In May, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) released a report showing that the government had insufficient data on cyberattacks hitting critical infrastructure, such as healthcare facilities, to effectively protect the nation from such strikes. Peters also supports the Cyber Incident Reporting Act, a recently passed law with tight deadlines for reporting significant cyberattacks and ransomware payments to CISA (the rule also gives CISA the power to sue anyone who fails to meet these deadlines).

In turn, CISA will design an alert system to alert potential targets to common exploits and establish a ransomware task force to prevent and disrupt attacks. The task force should be established by about March next year, while the ransomware vulnerability warning pilot has a year to get off the ground.

Goldstein acknowledges that the government may not be actively defending every health system against a cyberattack. But he notes that CISA formed the Joint Cyber Defense Collaborative last year to work with telecom companies and cloud providers to secure their infrastructure, and health systems that use those networks benefit by proxy.

“Cybersecurity is now, perhaps for the first time, a matter of board of directors and C-suite at organizations across the country,” he said, adding that this level of attention and spending will ultimately help counter the threat.
