Lee Milligan, chief information officer at Asante Health System in Oregon, said he was encouraged that President Joe Biden had taken steps to help protect the nation from cyber threats, but wants Washington to do more, working directly with health systems to shoulder the burden of attacks.
“It makes me think that ultimately it’s up to individual hospital systems to try – basically in isolation – to figure it out,” he said. “If a nation-state bombed bridges that cross the Mississippi River and connect states A and B, would we look at it the same way? And yet the same risk to life occurs when they shut down a healthcare system.”
The relentless increase in attacks puts patient safety at risk and strains clinicians already exhausted by the Covid-19 pandemic. In the worst case, attackers can shut down hospital operations and exfiltrate patient data.
Getting hacked is expensive: A 2021 cyberattack on San Diego’s largest healthcare system, Scripps Health, cost $112.7 million. These costs put additional pressure on health systems to increase the price of services, especially as they face a competitive labor market, pandemic losses and rising drug prices. And now cyber-insurers are limiting coverage and increasing premiums, further exposing health systems.
Various federal efforts have been made to help healthcare systems deal with cyberattacks, through the Department of Health and Human Services, the Federal Bureau of Investigation, and the Department of Homeland Security. However, not all health systems feel that these resources are sufficient.
“What I really wanted was for them to put in place a real specific framework for a partnership between individual health systems and government on protection or response or preferably both,” Milligan said.
A doctor receives an email asking him to log into a portal to get a copy of a patient’s medical history. The website the email links to is a lookalike of the real portal, built by attackers. Unwittingly, the doctor hands over his credentials for the real medical record portal, or downloads malware.
This is one of many scenarios that healthcare CISOs are preparing for as health systems approach an October federal deadline to make electronic health record data shareable across hospital networks. That change could open new lines of attack for cybercriminals, they said, because it creates and draws attention to new entry points into hospital systems.
Cyberattacks against health systems are increasing steadily and their costs are climbing sharply. Experts said there are a variety of reasons for the increase, including that criminals are becoming more sophisticated and more aspects of healthcare are moving online.
When a cyberattack hit Sky Lakes Medical Center, a community hospital in southern Oregon, in late October 2020, its computers were down for three weeks. The most mundane tasks became arduous. Nurses had to check on critical patients every 15 minutes in case their vital signs changed. Doctors wrote prescriptions by hand, and heaps of paper filled entire rooms. In three weeks, the hospital went through 60,000 sheets of paper.
Sky Lakes had to rebuild or replace 2,500 computers and clean up its network to get back online. Even after hiring additional staff, it took six months to enter all the paper records into the system. In total, John Gaede, director of information services at Sky Lakes, says his organization spent $10 million – a big expense for a nonprofit with around $4.4 million in annual operating revenue (the organization did not pay a ransom).
For hospitals with limited budgets, it is unclear how well they can protect themselves. The Sky Lakes attack was part of a wave of attacks in 2020 and 2021 linked to a criminal group in Eastern Europe.
“Our budgets usually have a margin of maybe 3% a year,” Gaede said, “but we’re supposed to compete with nation-state actors?”
Health data is lucrative on the black market, making hospitals a prime target. Additionally, if a health system carries ransomware insurance, criminals may assume they are guaranteed to get paid. Ransomware encrypts hospital records and holds them hostage until a ransom is paid.
“At the time when the ransoms were $50,000, it was cheaper to pay them than to face a lawsuit which would have been much more expensive,” says Omid Rahmani, associate director at Fitch Ratings, a credit ratings agency, adding that ransoms now cost millions. “The landscape has changed and because of that, the side of cyber insurance has changed – and it’s really tied to the rise of ransomware.”
In its annual Cost of a Data Breach report, IBM writes that the global average cost of a breach at a healthcare organization rose from around $7 million to more than $9 million in 2021. But remediating these breaches in the United States can be far more expensive. There is no comprehensive data on what US health systems spend recovering from attacks, but a few high-profile cases shed some light:
- A breach at Universal Health Services, which serves 3.5 million patients, cost $67 million.
- The University of Vermont’s academic medical center, which sees about 168,000 patients a year, spent $54 million recovering from an attack in 2020.
- Scripps Health, which treats 700,000 patients a year, lost $112.7 million.
Health systems recover only part of these costs. Scripps received $35 million from its insurers, its quarterly financial disclosure shows – about 30% of the actual cost. The University of Vermont collected $30 million from its insurer, while Universal Health Services received $26 million.
“What I see is that the cost of remediation after a high-impact cyber attack – whether it’s a major data theft or a disruptive ransomware attack – is easily five to ten times greater than their insurance coverage, whether you’re a small hospital or a large one,” said John Riggi, senior security adviser at the American Hospital Association.
The gap between the cost of a cyberattack and what insurers will pay is likely to grow. Last year, amid a deluge of claims, Reuters reported that cyber insurers were cutting both their maximum payouts and the types of attacks they covered. In November, Lloyd’s of London, a major provider of cyber insurance, announced that it would not cover cyber warfare or cyberattacks carried out on behalf of a nation-state. Premiums are rising accordingly.
“I can’t stress enough, all of these costs that I’m referring to here are paid for by all of us,” says Brad Ellis, head of the US health insurance group at Fitch Ratings. “[Health systems] are paid by the insurance companies and we all pay the premiums which have increased significantly. And they keep going up.”
The role of government
A big question is to what extent government agencies should protect organizations considered critical infrastructure. Two agencies – the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center – share information about attacks and guidance on building infrastructure that can withstand them. CISA and the FBI also have incident response teams.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said the government needs better visibility into how many attacks are happening and where. “It should be noted that a significant portion of cybersecurity intrusions go unreported to the government,” he said.
Health systems are required to report data breaches affecting more than 500 people to the HHS Office for Civil Rights. But if no health data is exposed, health systems do not have to report an attack.
But that is about to change. Last spring, Biden signed an executive order on improving the nation’s cybersecurity that Goldstein calls “the most operationally impactful cybersecurity executive order ever,” signaling increased investment in cybersecurity.
“This really marks a sea change in how the federal government handles its own cybersecurity,” he says.
The Biden administration also convened a meeting last week with several healthcare executives and relevant senior officials to discuss cybersecurity threats and the challenge of securing small healthcare systems.
In May, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) released a report showing that the government lacks sufficient data on cyberattacks hitting critical infrastructure, such as healthcare facilities, to effectively protect the nation against such strikes. Peters also authored the Cyber Incident Reporting Act, a recently passed law that imposes tight deadlines for reporting significant cyberattacks and ransomware payments to CISA (the law also gives CISA subpoena power over organizations that miss those deadlines).
In turn, CISA will build a system to warn potential targets about commonly exploited vulnerabilities and set up a ransomware task force to prevent and disrupt attacks. The task force is due to be in place around March next year, while the ransomware vulnerability warning pilot has a year to get started.
Goldstein acknowledges that the government may not be actively defending every health system against cyberattacks. But, he notes, CISA set up the Joint Cyber Defense Collaborative last year to work with telecommunications companies and cloud providers on securing their infrastructure, and health systems that rely on those networks should benefit by proxy.
“Cybersecurity is now, perhaps for the first time, a boardroom and C-suite issue at organizations across the country,” he said, adding that this level of attention and spending is ultimately what will help counter the threat.