
Healthcare Docket: A Near Doubling of Hospital System Cyberattacks Triggers Bipartisan Bill

Increasing costs and healthcare cybersecurity worries have sparked calls for new laws. The bipartisan “Strengthening Cybersecurity in Health Care Act” by four senators would require the HHS to perform routine evaluations of its systems and deliver biannual reports on practices and progress.

While the world frets over the legal and clinical perils of the growing use of artificial intelligence in healthcare, cybersecurity may be the IT genie that is already out of the bottle.

Attacks on healthcare information systems are accelerating at an extraordinary pace, according to numerous reports. In one evaluation, a threat analyst for the cybersecurity firm Emsisoft found that cyberattacks on hospital systems last year nearly doubled from those of 2022, rising from 25 to 46. Those 46 systems represented a total of 141 affected hospitals.

The paydays for criminal hackers and ransom seekers have gotten bigger too, with the average payout jumping from $5,000 in 2018 to $1.5 million in 2023. Another report said that about one in three Americans were affected by health-related data breaches in 2023.

Increasing costs and healthcare cybersecurity worries have sparked draft national legislation aimed at boosting protections within the U.S. Department of Health and Human Services (HHS) purview. The bipartisan “Strengthening Cybersecurity in Health Care Act” by four senators would require the HHS to perform routine evaluations of its systems and deliver biannual reports on practices and progress.

As an example of the severity of threats facing institutions, a ransomware gang last month gave a Chicago safety-net hospital two days to cough up $900,000 or else face a leak of its patient data.

Another Chicago facility, Lurie Children’s Hospital, was forced to take its networks offline earlier this month in response to a likely ransomware attack. The response resulted in limited access to medical records and impaired phone and email communications.

Hospitals and large health systems aren’t the only victims. A Colorado ophthalmology group experienced an attack affecting 6,000 patients, while the operator of more than 100 fertility clinics nationwide has proposed a $5.75 million settlement to resolve a data breach exposing the data of about 900,000 patients.

And a respiratory homecare provider has proposed a $7.25 million settlement of a class action lawsuit over a breach affecting nearly 3 million patients.

Meanwhile, Florida prosecutors have charged a 21-year-old with leading a scamming ring that allegedly hacked into doctors’ electronic prescribing accounts and wrote tens of thousands of bogus orders for addictive drugs. Officials say the scheme mainly involved oxycodone, promethazine, and codeine. The latter two can be used to create a recreational drug known as sizzurp or purple drank.

Attacks not only increase dangers of drug misuse and medical mistakes but also expose patients to public embarrassment. Last year a leak at a Pennsylvania health network led hackers to post cancer patient photos to the dark web.

Officials linked the action to Black Cat, a ransomware gang associated with Russia. A warning from HHS alleged that the group has demanded ransoms as high as $1.5 million per incident.

In response to the wave of attacks, in January HHS unveiled a set of healthcare-specific cybersecurity performance goals aimed at helping the healthcare sector prioritize key security safeguards. The proposed “Strengthening Cybersecurity” legislation pending in the U.S. Senate would supplement those goals by requiring HHS to submit to Congress a report every two years describing how the agency is identifying and addressing vulnerabilities.

Editor’s Note: This article first appeared in the Healthcare Docket newsletter.
