Between the massive cyberattack on Optum’s Change Healthcare unit and the recent attack on St. Louis-based health system Ascension, it seems like there is a new healthcare cybersecurity incident each month creating serious headaches for healthcare providers.
The February cyberattack on Change Healthcare was the most severe cybersecurity event in the history of the U.S. healthcare sector, impacting 85 million patients’ health records. These types of incidents not only put patients’ sensitive information at risk, but they also cause major care disruptions. When Ascension — the fourth-largest health system in the country — was attacked earlier this month, ambulances had to be diverted to hospitals whose systems were still functioning, and clinicians across the country had to revert to paper recordkeeping.
These events are also devastatingly expensive. Since 2020, the healthcare industry has maintained the highest average data breach costs for 13 years in a row across all sectors — reaching $10.93 million per cybersecurity event.
Not surprisingly, hospital leaders are prioritizing cybersecurity more than ever before.
“We’re not taking our eyes off the ball when it comes to cybersecurity — it’s not a risk that’s going away anytime soon. It’s just increasing,” declared Dan Shoenthal, chief innovation officer at MD Anderson Cancer Center in Houston.
This piece explores reactions from five different C-suite hospital executives about the recent attack on Ascension — why it scared them, what they’re doing to prevent a similar fate at their own health system, and how they want things to change going forward.
Threats are more abundant than ever
Budgets are tight for most hospitals throughout the country, forcing them to rethink their spending. However, cybersecurity should be off-limits when looking for areas to reduce expenses, Shoenthal said.
What is scary is that cybercriminals’ tactics are getting more sophisticated by the day, and hospitals are dealing with more security threats than ever before, he noted.
“From a cyber standpoint, there’s always somebody out there who’s ahead of you — a bad actor. And those bad actors take different forms,” Shoenthal pointed out.
Optum and Ascension aren’t exactly mom-and-pop shops — so one might assume that these organizations had industry-standard cybersecurity defenses in place. But when UnitedHealth Group CEO Andrew Witty appeared in Congress earlier this month, he admitted that the attack on Change Healthcare occurred because one of its servers didn’t have multifactor authentication.
When it comes to a hospital’s cybersecurity health, you’re only as good as you can be today, and you have to keep trying to get better each day, Shoenthal said.
Another hospital leader — Lee Schwamm, chief digital health officer at Yale New Haven Health System — also noted that cybercriminals are getting stronger each day as hospitals continue to struggle to defend themselves.
“The tools that are available now can make amateur bad actors into pretty good bad actors,” Schwamm stated. “You can literally use LLM products and have them help you build ransomware code.”
If that isn’t scary enough from a technical defense standpoint, battling cyberattackers introduces a bit of an efficiency problem as well.
“With an increasing level of threat, you have a trade-off between security and productivity. The more you ramp down the access and close down the networks to try to keep them secure, the harder it is for workers to access what they need to get the work done,” Schwamm said.
Managing third-party risk is a Herculean task
Schwamm highlighted the fact that healthcare providers increasingly rely on a distributed architecture of software-as-a-service tools, where most apps live in the cloud. This means that a hospital’s sensitive data has to move to a lot of different places, making the data more susceptible to vulnerabilities.
“This makes it really hard on health systems because you’re only as good as your weakest vendor. But there’s hundreds and hundreds of them, and you only know that your vendor is weak when one of these exploits happens,” he declared.
Most of the time, a hospital has no way of knowing for sure that its third-party vendors are patching their systems each time a new vulnerability is discovered, Schwamm said. And in this day and age, if you don’t apply the patch on the day you are alerted, you are setting yourself up for major risk, he added.
This problem can’t be solved on the side of a C-suite executive’s desk — in Schwamm’s view, managing these risks needs to be a full-time job.
Over at CommonSpirit Health, the nation’s second-largest nonprofit hospital chain, Leah Miller knows just how serious third-party risk is.
Miller, who serves as the system’s chief clinical application and data officer, said that third-party cybersecurity incidents have been “operationalized as the norm” at CommonSpirit, given the system experiences an average of two per week.
“We have 4,800 different apps in our environment — with 1,700 attached to the EHR. That’s 4,800 vendors that can fail every day, so that’s why we have two or three events every week,” she explained.
When CommonSpirit learns that one of its third-party partners has been impacted by a cybersecurity incident, the health system takes immediate steps to halt its use of the vendor’s product and assess whether any patient information was impacted, Miller noted.
While there are obviously some cybersecurity events that are a bigger deal than others, CommonSpirit is moving away from treating these incidents like major catastrophes. These events are inevitable, so the health system is focusing on training its teams to respond to these disruptions quickly as a part of daily operations, Miller said.
Hospitals are being pickier about their vendor relationships
Each time a hospital gains a new third-party vendor, their attack surface increases. Aware of this, hospitals are thinking more carefully about the new tools and software models they are bringing into their facilities, pointed out Ashis Barad, chief digital and information officer at Pittsburgh-based Allegheny Health Network.
He said recent cyberattacks have “absolutely changed” the way his health system thinks about cybersecurity — not only with the new vendors they may bring into their ecosystem, but also with its current third-party vendors. AHN is making a point to assess the cybersecurity posture of its existing partners, some of which the health system may have had a relationship with for decades. This means asking vendors for specific information on how they secure their systems, Barad said.
All hospitals should ensure they are applying that high level of scrutiny, he noted — especially as medical devices and systems get more connected.
“Hospitals are installing a lot of IoT devices — everything’s hooking into the network. Every MRI machine is now connected to a network, but it wasn’t this way before. So I think that brings a lot of scrutiny,” he explained.
While he’s not necessarily worried that someone is going to sneak into the basement of an AHN hospital and stick a USB drive into an MRI machine so they can hack the network, that kind of scenario isn’t entirely impossible, Barad said.
He doesn’t necessarily have an answer to how a hospital could prevent an implausible scenario like that, but Barad thinks it might be time to start thinking about those kinds of risks. Much of today’s cybersecurity efforts in the healthcare world focus on software, but the industry has to begin considering the risks associated with hardware as well, he stated.
What needs to change?
Just like a hospital is only as strong as its weakest vendor, it’s sometimes only as strong as its weakest employee. Phishing is the leading cause of data breaches in the healthcare sector, according to The HIPAA Journal. During a phishing attack, a cybercriminal impersonates a trustworthy entity through emails or text messages to trick people into revealing sensitive information, such as passwords, credit card numbers or personal data.
This means that hospitals need to train all of their staff members to do things like spot phishing emails and use two-factor authentication correctly. Some hospitals are going further by adopting policies that restrict an employee’s access when they fail to master these skills, pointed out Schwamm of Yale New Haven Health System.
“We all send out fake phishing attacks internally to educate employees. Some healthcare organizations have a policy that if you fail six times, your email access gets restricted to read-only. And a lot of organizations ban access to personal email like Gmail at the workplace,” Schwamm said.
It’s clear that cybersecurity needs to be something that all employees are trained for, given how many different hospital staff members can be involved in the chain of custody for sensitive data, he declared.
Cybersecurity is also starting to be a higher priority in hospitals’ C-suites. During a fireside chat last week at MedCity News’ INVEST conference in Chicago, Nitin Natarajan — deputy director at the Cybersecurity and Infrastructure Security Agency (CISA) — noted that he has been having a lot more conversations about cybersecurity with hospitals’ C-suite leaders in the past few months because these leaders are finally recognizing the severity of the risk landscape.
“They truly see this as an enterprise-wide risk issue,” Natarajan remarked.
But for things to truly get better, hospitals need to invest more money into their cybersecurity efforts, according to Robert Bart, chief medical information officer at UPMC.
Research from last year shows that the healthcare sector spends much less on cybersecurity than other industries, such as banking and technology. The report reveals that healthcare organizations allocate 8.1% of their IT budget to cybersecurity, while technology and finance firms allocate 19.4% and 13.6% respectively.
“I think the answer is money — investing more, to be quite honest. That’s unfortunate because it can become a relatively large portion of a health system’s IT budget, but at the end of the day, our clinicians and the patients that we take care of trust us to keep their information as secure as possible,” Bart stated.
This reality is a lot easier to swallow for a massive organization like UPMC than it is for a small rural health system or community hospital, he noted.
Shouldn’t the government do its part?
In addition to more investment in cybersecurity, Bart called for more government assistance.
“The government needs to assist us in creating some protections from a more national level. We’re leaving it to each independent organization or each industry vertical to have to create their own defenses. We have to do that, but there’s also an umbrella effect that the United States government can play in this to support good cybersecurity,” he declared.
To begin, Bart thinks the federal government should set minimum requirements for healthcare providers’ cyber hygiene. Good cyber hygiene means maintaining regular updates to systems and devices, using strong passwords, and training staff how to be cautious about suspicious emails and downloads.
He also thinks we need to change our perceptions surrounding blame. When a provider gets hacked, that organization is deemed at fault and must suffer the financial consequences — but Bart isn’t sure that this type of thinking is fair.
“The truth of the matter is that you can do everything correctly and follow the best industry standards, and you can still be the one that unfortunately ends up being hacked and having data at risk,” he explained. “We’re such a fault-based society — I’m not passing judgment on whether that’s good or bad; it’s just a reality. But we have to acknowledge that even the best organizations that are doing all the right things with the right intent still get attacked.”
There are small, rural hospitals all over the country that simply don’t have the resources to meet rapidly evolving industry standards for cybersecurity. The patients who rely on these hospitals shouldn’t get their access to care taken away because the facility had to shut down after the financial devastation of an attack, Bart noted.
Given this reality, Bart thinks there should be some government-issued financial protections for health systems in the case they are hit with a disastrous cyberattack. And the assistance should come sooner rather than later.
“When we moved to electronic health records, there was federal funding that underwrote the adoption of those systems — the HITECH Act under the Obama administration in 2009. Maybe there needs to be something similar that underwrites the adoption of industry-leading cybersecurity for healthcare,” he said.
Photo: WhataWin, Getty Images