Culture shift needed to reframe cybersecurity as a patient safety issue
Nine months after the ransomware attack on the health payment processing company Change Healthcare, the far-reaching impacts on medical practices, providers and patients continue to be felt.
So does the fear that similar breaches will become more common — and even more disruptive.
The cyberattack, reported on Feb. 21, knocked the UnitedHealth Group subsidiary offline, cutting off billions of dollars in payments to medical practices and jeopardizing sensitive information for millions of patients.
In an interview with NBC News, Rick Pollack, CEO of American Hospital Association, described the attack as “the most serious incident of its kind leveled against a U.S. health care organization.”
However, it was not an isolated incident.
An estimated 725 HIPAA data breaches occurred in 2023, according to the Health Sector Coordinating Council Cybersecurity Working Group, a coalition of health care providers, medical technology companies and other entities that work with the government to mitigate cyber threats to the health care system. Another 141 ransomware attacks struck hospitals, with an average ransom of $1.5 million per institution, according to the working group.
On May 8, the Ascension health care organization was struck by the same cybercriminals behind the Change Healthcare event. The attack disrupted Ascension’s 140 hospitals in at least 10 states for more than a month.
“It was a single individual who downloaded the wrong software on an email that set off this infiltration of ransomware,” Keith A. Bellovich, DO, chief medical officer at Ascension St. John Hospital in Detroit, told Healio | Nephrology News & Issues.
“It could happen anywhere; it could happen to any of us. Yes, we get frustrated with our IT teams for always trying to educate us. But we have to pay attention because this isn’t the end,” Bellovich, who is a Healio | Nephrology News & Issues Editorial Advisory Board member, said.
The health care sector is ripe for attack because of the amount of money, sensitive data and personal information cybercriminals can steal and exploit, according to experts interviewed for this article.
“We have seen it in large health organizations, smaller health systems and in individual practices,” Margaret Lozovatsky, MD, FAMIA, AMA vice president of digital health innovations, said in an interview. “That just speaks to the fact that technology has become such an integral part of care delivery. Every area where we are providing clinical care has the potential to be impacted, and there’s a lot of vulnerabilities in those spaces.”
Everyone is a target
Change Healthcare paid a $22 million ransom to the hacker to regain control of its system. However, the payment did not prevent myriad disruptions to providers and patients.
In a survey of nearly 1,000 U.S. hospitals conducted by the American Hospital Association (AHA) on March 9-12, nearly all respondents (94%) reported financial impacts, with more than half characterizing these as “serious” or “significant.” Nearly 60% of respondents reported the impact to their revenue totaled $1 million or more per day.
“We haven’t even discussed the ongoing damage from records being released,” Theresa Payton, CEO of Fortalice Solutions, a boutique cyber firm that serves the Fortune 100 and other large privately held firms, said in an interview. “Depending on what’s in these records, there could be information that could be used for extortion and blackmail.”
One-third of all Americans — or more than 110 million people — could have had their personal data compromised in the Change Healthcare ransomware attack, UnitedHealth CEO Andrew Witty told Congress in May.
The success of the Change Healthcare attack appears to have prompted a new wave of similar threats.
“It is vitally important for organizations to prepare for this reality,” Payton, who served as the White House chief information officer from 2006 to 2008, said. “When impacted by a cybercriminal syndicate — whether they take a system offline, lock files or steal data — organizations must focus on minimizing and mitigating damages. They need to ensure they can continue to function even while dealing with a cyber incident. It’s easier said than done, but it’s the crucial question every health care organization must address.”
Operations in disarray
In the AHA survey, 74% of respondents reported direct impacts on patient care, including inability to file claims, receive payment for continuing care, confirm patient insurance eligibility, submit electronic prescriptions, process electronic prior authorizations or complete many other administrative tasks.
The cyberattack that took Ascension offline revealed how much hospitals rely on technology for daily operations.
“When your software gets infiltrated, all your vendors unplug immediately,” Bellovich said. “You don’t lose just one component of your ecosystem, you lose the entire ecosystem. The 25 or 30 different components — databases that need to talk to each other, that we built over the last 20 years — are suddenly removed. Everyone’s fearful of being infiltrated.”
At Ascension St. John Hospital, experienced nurses and physicians guided newer providers in paper charting. Printers, binders, chart boxes, triplicate forms — all commonplace supplies until recently — had to be sourced and stocked, Bellovich said.
“Simple things we take for granted on a daily basis suddenly were lost,” he said. “We have now trained a generation of physicians who have never worked without a computer.”
Within a few days, the group had designed a new spreadsheet for locating patients, Google documents for tracking and other procedures for delivering care.
“I never hear complaints about the EHR anymore,” he said.
In June, Ascension St. John Hospital brought its systems back online.
“We deployed close to 80 people all at once, all working on computer stations in two rooms. It was a synchronized event that had to happen in one 12-hour period,” Bellovich said.
Vulnerabilities abound
The top cyber threats for health care, as determined by industry leaders and government representatives, include social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss and attacks against network-connected medical devices, according to “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a publication released last year by HHS.
Many vulnerabilities can be exploited through insufficient protections or even human error, such as responding to email phishing schemes or opening malicious attachments, as occurred in the Ascension attack.
“[There needs to be] a culture shift from viewing cybersecurity as an IT [information technology] problem to understanding that cybersecurity is a patient safety issue,” Lozovatsky said. “[This requires] educating all of our clinicians how to do their part in protecting health care data.”
Systems also can be breached if workers use easily guessed passwords. Payton said she still sees some employees — even administrators — at health care institutions sharing passwords. In some cases, individuals use the same log-in information at their job as for social media platforms.
“Even basic digital information can be exploited for identity theft or tracking on social media,” Payton said. “Be cautious of direct messages asking you to click on links, view pictures or open files. These could be attempts to breach your health care institution through you.”
Vulnerability also can be created when health care workers text patient information to each other, Lozovatsky said.
“That is not a safe way to transfer information,” Lozovatsky said. “It is important to make sure people are using secure texting platforms.”
Cybercriminals aiming to target a health care institution have options beyond employees. Larger medical centers, for example, may have non-employees who have user accounts on the system.
“They may not always log in, so they may not notice strange behavior and activity on their accounts,” Payton said. “There may not be an easy baseline to show anomalous behavior.”
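The baseline problem Payton describes can be approached with two simple detections over authentication logs: a source that fails against many distinct accounts in a short window (the signature of credential stuffing), and a successful login to an account that has been idle for months or has no login history at all. The following is an added example, not code from the article or from any product it mentions; the log format, IP addresses, account names and the last-seen baseline are all constructed for illustration:

```python
"""Two detections over authentication logs: credential stuffing (one source
failing against many accounts) and activity on dormant accounts that have no
login baseline. Added example; log format and all data below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# <ISO-8601 timestamp> <OK|FAIL> user=<account> src=<ip>
SAMPLE_LOG = """\
2024-05-06T02:00:01Z FAIL user=jsmith src=203.0.113.7
2024-05-06T02:00:02Z FAIL user=mjones src=203.0.113.7
2024-05-06T02:00:02Z FAIL user=kpatel src=203.0.113.7
2024-05-06T02:00:03Z FAIL user=rlee src=203.0.113.7
2024-05-06T02:00:04Z FAIL user=achen src=203.0.113.7
2024-05-06T02:00:05Z OK user=vendor_radiology src=203.0.113.7
2024-05-06T08:15:00Z FAIL user=jsmith src=198.51.100.20
2024-05-06T08:15:30Z OK user=jsmith src=198.51.100.20
"""

# Constructed baseline: last successful login per account. An account absent
# from this table (for example, a vendor who never used it) has no baseline.
LAST_SEEN = {
    "jsmith": datetime(2024, 5, 3),
    "vendor_radiology": datetime(2023, 9, 1),
}


def parse_log(text):
    """Parse the constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {src_ip: [users]} for sources that fail against at least
    min_users distinct accounts inside one window. A user mistyping a
    password hits one account; stuffing sprays leaked pairs across many."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def detect_dormant_logins(events, last_seen, dormant_after=timedelta(days=90)):
    """Return (user, src, ts) for successful logins to accounts that were idle
    longer than dormant_after or that have no recorded baseline at all."""
    hits = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_seen.get(e["user"])
        if prev is None or e["ts"] - prev > dormant_after:
            hits.append((e["user"], e["src"], e["ts"]))
    return hits


def likely_compromised(events):
    """Accounts with a successful login from a source already flagged for
    stuffing: the strongest signal, because one of the attacker's guesses worked."""
    stuffing_srcs = detect_credential_stuffing(events)
    return sorted({e["user"] for e in events if e["ok"] and e["src"] in stuffing_srcs})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_credential_stuffing(evs))
    print("dormant account activity:", detect_dormant_logins(evs, LAST_SEEN))
    print("likely compromised:", likely_compromised(evs))
```

In the constructed data the rarely used vendor account is caught twice: once because it had no recent baseline, and once because the one successful login came from the same source that had just sprayed five other accounts. The thresholds (five accounts in five minutes, 90 days of dormancy) are assumptions to tune against real login volume.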
Cybercriminals also can capitalize on outdated technology to infiltrate systems. Payton referred to this as “technical debt.”
“Technical debt can manifest in various challenging ways,” she said. “It might involve being tied to a vendor platform with outdated technology and no viable alternatives. Or consider a multi-factor authentication program you implemented years ago — while it was cutting-edge at the time and required substantial investment and training, it may now be obsolete. Updating or replacing it can be complex and disruptive.”
Risk assessments: Find your deficiencies
The Change Healthcare attack occurred in part due to the compromised server not having multi-factor authentication, Witty told Congress.
Multi-factor authentication requires users to present more than one independent proof of identity to gain access to an account, such as a password and a separate, single-use code that verifies the user’s identity.
UnitedHealth Group acquired Change Healthcare in 2022, and the server still lacked that safeguard.
“It’s hard to know, in retrospect, if multi-factor authentication would have successfully thwarted this, but a lot of studies have shown [some] cybercriminals are using as their only attack vector credential stuffing, which is the reuse, manipulation and adjustment of past IDs and passwords. You’re just playing around with different sequences and combinations,” Payton said. “According to a report by Microsoft, multi-factor authentication has been found to be successful warding off 90% of credential stuffing attacks. Had the cybercriminal syndicate been one of those where that’s the only thing they do, maybe we wouldn’t be talking about this.”
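To make concrete what a second factor adds against the credential-stuffing attacker Payton describes, here is an added example (not code from the article or from any vendor it mentions) of password-plus-time-based-one-time-code verification in the style of RFC 6238. The account name, password, salt and PBKDF2 parameters are assumed for illustration; the shared secret is the RFC’s published test key. An attacker holding the leaked, correct password still fails, because the code is derived from a secret that never left the user’s device, and a captured code cannot be replayed:

```python
"""Password + TOTP second factor, RFC 6238 style. Added example; the user
record, salt and PBKDF2 cost are constructed, the secret is the RFC test key."""
import hashlib
import hmac
import struct
import time

STEP = 30      # TOTP time step in seconds
DIGITS = 6
SKEW = 1       # accept one step either side to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumption for the example; tune to your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Authenticator:
    """Minimal server-side verifier holding one record per enrolled user."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, password: str, totp_secret: bytes,
               salt: bytes = b"constructed-salt") -> None:
        self.users[user] = {
            "salt": salt,
            "pw": hash_password(password, salt),
            "secret": totp_secret,
            "last_step": -1,   # highest time step already consumed
        }

    def verify(self, user: str, password: str, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        rec = self.users.get(user)
        if rec is None:
            # Hash anyway so an unknown user costs the same time as a bad password.
            hash_password(password, b"dummy")
            return False
        if not hmac.compare_digest(rec["pw"], hash_password(password, rec["salt"])):
            return False
        step = now // STEP
        for candidate in range(step - SKEW, step + SKEW + 1):
            if candidate <= rec["last_step"]:
                continue   # replay protection: a step's code is single-use
            if hmac.compare_digest(hotp(rec["secret"], candidate), code):
                rec["last_step"] = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test key
    auth = Authenticator()
    auth.enroll("nurse1", "Spring2024!", secret)
    t = 59
    print("password + fresh code:", auth.verify("nurse1", "Spring2024!", totp(secret, t), t))
    print("same code replayed:   ", auth.verify("nurse1", "Spring2024!", totp(secret, t), t))
    print("leaked password only: ", auth.verify("nurse1", "Spring2024!", "000000", t + 60))
```

The skew window and single-use step counter are the two details that matter in practice: without the window, a phone clock a few seconds off locks users out; without the counter, a code captured by phishing could be resubmitted inside its 30-second validity.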
Multi-factor authentication is critical, but not the only safeguard.
The HHS cybersecurity threat management report listed 10 practices to improve cybersecurity: email protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, network-connected medical device security, and cybersecurity oversight and governance.
Software and systems must be updated and patched regularly, and replaced if needed, though Payton acknowledged this can be time-consuming and expensive.
“There’s a continual balancing act,” Payton said. “How do we ensure that all doctors, nurses and staff are fully trained on the technology? How do we guarantee comprehensive training for the back office while maintaining security? And, crucially, how do we keep systems operational, knowing that every minute counts in saving lives?”
Risk assessments can be performed to find deficiencies in each institution or practice’s system.
The AMA has an educational hub on its website that features Cybersecurity for the Clinician, an eight-part video training series that explains what clinicians and trainees need to know about how cyberattacks can affect clinical operations and patient safety, as well as the actions they can take to protect systems and data.
‘Have a playbook’
Even if all safety measures are implemented, health care institutions of all sizes must be prepared to respond if their system is breached.
“Have a playbook,” Payton said. “Assume your worst day happens, and have the whole organization exercise that nightmare scenario to learn where you have gaps, either in technology, visibility, insurance or response. Who do you call?”
Ascension St. John Hospital might have benefitted from this foresight, Bellovich said.
“You can prepare for downtime when we go through software upgrades or systems will go down temporarily or even the internet will go out. You have procedures to deploy, but we do not practice being down for a month,” he said.
If medical centers or health care practices do not have a detailed response plan, there are ways to get started. Payton suggested contacting the nonprofit Health Information Sharing and Analysis Center or local FBI offices.
“They have a vertical around health care organizations, and they can be a great resource to tap into to do threat briefings for your doctors, nurses and front office,” Payton said. “They’ll tell you the different types of attacks they’re seeing.”
Another option is to tap into the experience of other institutions or practices.
“Start by leveraging existing resources rather than reinventing the wheel,” Payton said. “Begin with what you have and feel free to make adjustments. Then, hire a skilled facilitator who can guide the process, keep discussions on track and provide objective feedback. After running through the exercise, the facilitator can highlight areas of confusion and offer targeted advice for improvement. Aim to conduct these exercises at least once a year to continuously enhance your approach.”
Another way to improve cybersecurity is to educate professionals at earlier ages.
Some medical institutions are putting clinical technology and cybersecurity into the curriculum, but more must be done, Lozovatsky said. If she could design a curriculum, she would focus on case-based learning and clinical scenarios about how to protect data.
“Culture change doesn’t happen overnight,” Lozovatsky said. “It has become more and more important for us to continue to bring this to the forefront of everyone’s mind.”
Addressing ‘unchecked consolidation’ in health care
Beyond vigilance at the individual or institutional levels, calls are intensifying for broader actions across the private sector and federal government to combat the rise in — and impacts of — cyberattacks.
“As a first step, cybersecurity insurance should be more accessible and affordable — especially for small, physician-owned practices,” Steven P. Furr, MD, FAAFP, president of the American Academy of Family Physicians (AAFP), told Healio. “Although cyber insurance is available to protect small businesses against losses stemming from a cyberattack, our members reported burdensome requirements to access coverage.”
The Change Healthcare attack was so devastating because of a lack of oversight on industry consolidation, Furr added.
“Much of the nation’s health care system — including large and small physician practices — is reliant on the services from a small number of companies, such as Change Healthcare. That’s why the AAFP urged Congress to closely examine how unchecked consolidation impacts the overall health system from the perspective of patients and the physicians who care for them.”
The AAFP shared recommendations with the House Energy and Commerce Subcommittee, with Furr emphasizing there is no hospital system or medical office “too big or too small” to avoid cyber threats.
“As a first step, we need wide-scale national health care interoperability, which would enable organizations to seamlessly shift systems if one platform or technology was unavailable due to a cyberattack,” Furr said. “This lack of interoperability, coupled with consolidation, has resulted in a health care system that is not resilient and [is] vulnerable to future cyberattacks.
“Additionally, work is needed to fortify the resiliency of our nation’s health care infrastructure,” he added. “For other companies vulnerable to similar attacks, it is necessary to understand what contingencies are in place among payers and vendors if cyberattacks of similar scale and scope of Change Healthcare are realized in the future.”
- References:
- American Hospital Association. AHA survey: Change Healthcare cyberattack significantly disrupts patient care, hospitals’ finances. Available at: https://www.aha.org/2024-03-15-aha-survey-change-healthcare-cyberattack-significantly-disrupts-patient-care-hospitals-finances. Published March 15, 2024. Accessed Sept. 23, 2024.
- AMA. Cybersecurity for the clinician. Available at: https://edhub.ama-assn.org/hscc-education/video-player/18875913. Accessed Sept. 23, 2024.
- Ascension. Cybersecurity event update. Available at: https://about.ascension.org/cybersecurity-event. Published May 9 to June 14, 2024. Accessed Oct. 15, 2024.
- HHS. What’s new in the HICP 2023 edition. Available at: https://405d.hhs.gov/Documents/405d-hicp-highlight.pdf. Accessed Sept. 23, 2024.
- NBC News. Ransomware attack on US health care payment processor ‘most serious incident of its kind.’ Available at: https://www.nbcnews.com/tech/security/ransomware-attack-us-health-care-payment-processor-serious-incident-ki-rcna141322. Published March 1, 2024. Accessed Sept. 23, 2024.
- U.S. News & World Report. Explainer: What to know about the Change Healthcare cyberattack. Available at: https://www.usnews.com/news/health-news/articles/2024-03-04/explainer-what-to-know-about-the-change-healthcare-cyberattack. Published March 14, 2024. Accessed Sept. 23, 2024.
- For more information:
- Keith A. Bellovich, DO, can be reached at kbellovich@scsp.net.
- Steven P. Furr, MD, FAAFP, can be reached at aafp@aafp.org.
- Margaret Lozovatsky, MD, FAMIA, can be reached at margaret.lozovatsky@ama-assn.org.
- Theresa Payton can be reached at fortalice@society22pr.com.