Invest in ‘good cyber hygiene’ to thwart cyberattacks
In 2024, a ransomware attack on Change Healthcare — a health payment processing company that handles an estimated 15 billion medical claims annually — shook the health care industry, impacting medical practices, providers and patients.
The cyberattack knocked the UnitedHealth Group subsidiary offline, cutting off billions of dollars in payments to medical practices and jeopardizing sensitive information for millions of patients.

In an interview with NBC News, Rick Pollack — CEO of the American Hospital Association — described the attack as “the most serious incident of its kind leveled against a U.S. health care organization.”
However, it was far from an isolated incident.
“Cybersecurity attacks in health care are a problem and, by the data, they are getting much worse,” George T. “Buddy” Hickman, C-DHE, CHCIO, LCHiME, FCHiME, LFHIMSS, chief digital and information officer at Roswell Park Comprehensive Cancer Center, told Healio.

HHS statistics on cyberattacks in health care show a 239% increase in large breaches involving hacking and a 27% increase in ransomware during the last 4 years.
An estimated 725 HIPAA data breaches occurred in 2023, according to the Health Sector Coordinating Council Cybersecurity Working Group, a coalition of health care providers, medical technology companies and other entities that work with the government to mitigate cyber threats to the health care system. Another 141 ransomware attacks struck hospitals, with an average ransom of $1.5 million per institution, according to the working group.
The health care sector is ripe for attack because of the amount of money, sensitive data and personal information cybercriminals can steal and exploit, according to experts who spoke with Healio.
“We have seen it in large health organizations, smaller health systems and in individual practices,” Margaret Lozovatsky, MD, FAMIA, vice president of digital health innovations of the AMA, said. “That just speaks to the fact that technology has become such an integral part of care delivery. Every area where we are providing clinical care has the potential to be impacted, and there are a lot of vulnerabilities in those spaces.”
Matter of ‘when,’ not ‘if’
According to Hickman, the three largest attacks on the U.S. health care industry prior to 2024 targeted HCA Healthcare in 2023 (11 million patients affected), Community Health Systems in 2014 (6.1 million affected) and Tricare in 2011 (4.9 million affected).
By comparison, one-third of all Americans — or more than 110 million people — could have had their personal data compromised in the Change Healthcare ransomware attack, UnitedHealth CEO Andrew Witty told Congress in May 2024.
It could take “several months” before everyone affected would be notified, Witty added.
The success of the Change Healthcare attack appears to have prompted a new wave of similar threats. The cybersecurity firm Recorded Future tracked 44 health care attacks — including ransomware — in April 2024, the most the company has recorded during a single month in its 4 years of data collection, according to a story published in Wired.
On May 8, 2024, the nonprofit health care organization Ascension experienced a cyberattack that disrupted access to its electronic health records, patient portals, phones and the systems it uses to order tests, medications and procedures. The attack forced Ascension — which operates 140 hospitals in 19 states — to turn ambulances away from facilities.
“Despite each organization’s best efforts, they will inevitably be a target of cybercriminals,” Theresa Payton, CEO of Fortalice Solutions, a boutique cyber firm that serves the Fortune 100 and other large privately held firms, told Healio. “It’s not a matter of ‘if’ they will get in but ‘when.’ When they do, what will they get away with, and what kind of mayhem will they create?”
Payton said organizations need to prepare for this reality by focusing on minimizing and mitigating damages. “They need to ensure they can continue to function even while dealing with a cyber incident. It is easier said than done, but it is the crucial question every health care organization must address,” she said.

Multifactor authentication
The Change Healthcare attack occurred in part due to the compromised server not having multifactor authentication, Witty told Congress. Multifactor authentication forces users to input multiple pieces of information to gain access to an account, such as a password and a separate unique code to verify the user’s identity.
“It is hard to know, in retrospect, if multifactor authentication would have successfully thwarted this, but a lot of studies have shown [some] cybercriminals are using as their only attack vector credential stuffing, which is the reuse, manipulation and adjustment of past IDs and passwords. You are just playing around with different sequences and combinations,” Payton said. “According to a report by Microsoft, multifactor authentication has been found to be successful in warding off 90% of credential stuffing attacks. Had the cybercriminal syndicate been one of those where that is the only thing they do, maybe we would not be talking about this.”
However, many cybercriminals are persistent, Hickman said. They can spend more than a year studying an institution, waiting for the perfect moment to strike. This reinforces the need for health care practices to be diligent about cybersecurity protocols.
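An added example (not from the article or any of the people quoted in it) of the defender's side of this point: a Python check that flags the credential-stuffing pattern in login logs, that is, one source address failing across many distinct accounts, and then lists which of the targeted accounts have no second factor. The log format, the addresses, the user names and the MFA enrollment table are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data).
# Assumed line format: "<timestamp> src=<ip> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-04-01T10:00:01 src=203.0.113.7 user=alice result=fail
2024-04-01T10:00:02 src=203.0.113.7 user=bob result=fail
2024-04-01T10:00:02 src=203.0.113.7 user=carol result=fail
2024-04-01T10:00:03 src=203.0.113.7 user=dave result=fail
2024-04-01T10:00:04 src=203.0.113.7 user=erin result=ok
2024-04-01T10:05:00 src=198.51.100.4 user=alice result=fail
2024-04-01T10:05:30 src=198.51.100.4 user=alice result=ok
"""

# Constructed MFA enrollment table: True means the account has a second factor.
MFA_ENROLLED = {"alice": True, "bob": True, "carol": False, "dave": False, "erin": False}

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def parse_log(text):
    """Yield (src, user, result) for each line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def find_stuffing_sources(text, min_distinct_users=3):
    """Return {src: {"users": failed_accounts, "successes": accounts_opened}} for
    sources whose failed logins spread over at least min_distinct_users accounts.
    One person mistyping their own password repeatedly is not flagged."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for src, user, result in parse_log(text):
        (failed if result == "fail" else succeeded)[src].add(user)
    return {src: {"users": users, "successes": succeeded[src]}
            for src, users in failed.items() if len(users) >= min_distinct_users}


def mfa_gaps(text, enrolled=MFA_ENROLLED):
    """Accounts touched by a flagged source that have no second factor: a reused
    password alone would open these, which is the gap MFA closes."""
    gaps = set()
    for info in find_stuffing_sources(text).values():
        gaps |= {u for u in info["users"] | info["successes"] if not enrolled.get(u, False)}
    return gaps
```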
Risk assessments
Multifactor authentication is critical, but it is far from the only safeguard.
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients — a publication released in 2023 by HHS — listed 10 practices to improve cybersecurity. These strategies include email protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, network-connected medical device security, and cybersecurity oversight and governance.
Software and systems must be updated and patched regularly, and replaced if needed, though Payton acknowledged this can be time-consuming and expensive.
“There is a continual balancing act,” Payton said. “How do we ensure that all doctors, nurses and staff are fully trained on the technology? How do we guarantee comprehensive training for the back office while maintaining security? And, crucially, how do we keep systems operational, knowing that every minute counts in saving lives?”
Risk assessments can be performed to find deficiencies in each institution or practice’s system.
“Any of those human interactions where technology plays an enabler, those are potential places that you need to do a risk assessment and understand if a cybercriminal were to get in between the doctor, the nurse, the front office and the patient, what kind of information could be at risk?” Payton said. “Is there anything different we can be doing that is cost-effective? You do not want to take money and resources away from patient care, but you do want to protect the patient-doctor relationship.”
Invest in cybersecurity
It is important for institutions to invest in people, Hickman said, specifically those trained to protect the enterprise and its patients.
Large centers should have a chief information security officer — which some industries and states require — along with cybersecurity employees and IT professionals, Hickman said.
“And then you need the investment of a leadership governance process that assures that all things technology have a ‘cyber due diligence’ review before acquisition or before deployment,” Hickman added. “This assurance adds up to real money.”
Hickman acknowledged not every center or practice has the necessary funds to do everything. In those cases, groups must get creative rather than forgoing investment, he said. For example, leaders of institutions can ask their hospital association for guidance. They also can explore state or federal aid sources.
“Tune into what the cybersecurity firms and vendors in our industry have available,” said Hickman, citing virtual chief information security officers as one example. “This person or persons from a cybersecurity assurance firm is able to manage the cybersecurity portfolio work and guide it across several organizations. Therefore, there is a scaled economy vs. trying to hire a person for oneself. That aspect of business is continuing to increase.”
Good ‘cyber hygiene’
Training employees is vital, too, as is creating awareness of potential problems. Payton said she likes training that is “stackable” and “snackable.”
“Consider implementing a topic of the week or topic of the month,” she said. “Focus on one subject at a time, making it both engaging and informative. This approach ensures that the topic seamlessly integrates into their daily routine and thinking.”
Health care employees can take simple steps to boost security, such as creating longer passwords, using a different password for each platform and making sure all communication is delivered via encrypted channels. They also should be instructed never to click on questionable links or attachments. If something looks convincing but an employee wants to err on the side of caution, Payton recommended the website virustotal.com. The site analyzes files, domains and URLs to detect malware and other malicious content.

“It is not foolproof, but it scans over 70 different sources of information, and it can come back and tell you in a moment,” Payton said. “That can be an easy, cost-effective way for doctors to protect the work that they are doing.”
These practices can extend beyond the professional setting.
“Good cyber hygiene is critical in health care research settings, and good cybersecurity hygiene at work becomes good cybersecurity hygiene at home,” Hickman said. “Your home and family need all those same cybersecurity protections and behaviors that we practice at work.”
Have a playbook
Even if all safety measures are implemented, health care institutions of all sizes remain at risk. Consequently, employees must be prepared to respond if their system is breached.
“Have a playbook,” Payton said. “Assume your worst day happens, and have the whole organization exercise that nightmare scenario to learn where you have gaps, either in technology, visibility, insurance or response. Who do you call? What does the ‘call tree’ look like? Rehearse that exercise to make sure you have the best playbook possible.”
If medical centers or health care practices do not have this type of detailed response plan, there are ways to get started. Payton suggested contacting the nonprofit Health Information Sharing and Analysis Center or local FBI offices.
“They have a vertical around health care organizations, and they can be a great resource to tap into to do threat briefings for your doctors, nurses and front office,” Payton said. “They will not name victims, but they will tell you the different types of attacks they are seeing hit.”
Another option is to tap into the experience of other institutions or practices.
“Start by leveraging existing resources rather than reinventing the wheel,” Payton said. “Begin with what you have and feel free to make adjustments. Then, hire a skilled facilitator who can guide the process, keep discussions on track and provide objective feedback. After running through the exercise, the facilitator can highlight areas of confusion and offer targeted advice for improvement. Aim to conduct these exercises at least once a year to continuously enhance your approach.”
Cybersecurity education
Business continuity aspects are only part of the playbook, though.
“IT typically finds itself strongly focused on the disaster recovery side, meaning once the event occurred,” Hickman said. “What are all the things that IT can follow by scenario to stand up the systems again [and] get systems cooperating. That is unending work, as the systems we support are continuously changing.”
Another way to improve cybersecurity across health care is to educate professionals at earlier ages.
“All technology training from the medical perspective is still early in its iteration because, when many of the practicing physicians trained, these technologies were not there,” Lozovatsky said. “Integrating this from the beginning in medical education — in medical training — is going to be important, and that has not necessarily kept up with the speed of change of technology.”
Some medical institutions are putting clinical technology and cybersecurity into the curriculum, but more must be done, Lozovatsky said.
“Culture change does not happen overnight,” Lozovatsky said. “It has become more and more important for us to continue to bring this to the forefront of everyone’s mind.”
Unchecked consolidation
Beyond vigilance at the individual or institutional levels, calls are intensifying for broader actions across the private sector and federal government to combat the rise in — and impacts of — cyberattacks in the health care industry.
“As a first step, cybersecurity insurance should be more accessible and affordable — especially for small, physician-owned practices,” Steven P. Furr, MD, FAAFP, president of the American Academy of Family Physicians (AAFP), told Healio. “Although cyber insurance is available to protect small businesses against losses stemming from a cyberattack, our members reported burdensome requirements to access coverage.”
The Change Healthcare attack was so devastating because of a lack of oversight on industry consolidation, Furr added.

“Much of the nation’s health care system — including large and small physician practices — is reliant on the services from a small number of companies, such as Change Healthcare. That is why the AAFP urged Congress to closely examine how unchecked consolidation impacts the overall health system from the perspective of patients and the physicians who care for them.”
The AAFP shared recommendations with the House Energy and Commerce Subcommittee, with Furr emphasizing there is no hospital system or medical office “too big or too small” to avoid cyber threats.
“As a first step, we need wide-scale national health care interoperability, which would enable organizations to seamlessly shift systems if one platform or technology was unavailable due to a cyberattack,” Furr said. “This lack of interoperability, coupled with consolidation, has resulted in a health care system that is not resilient and vulnerable to future cyberattacks.
“Additionally, work is needed to fortify the resiliency of our nation’s health care infrastructure,” he added. “For other companies vulnerable to similar attacks, it is necessary to understand what contingencies are in place among payers and vendors if cyberattacks of similar scale and scope of Change [Healthcare] are realized in the future.”
- References:
- American Hospital Association. AHA survey: Change Healthcare cyberattack significantly disrupts patient care, hospitals’ finances. Available at: https://www.aha.org/2024-03-15-aha-survey-change-healthcare-cyberattack-significantly-disrupts-patient-care-hospitals-finances. Published March 15, 2024. Accessed July 11, 2024.
- AMA. Cybersecurity for the clinician. Available at: https://edhub.ama-assn.org/hscc-education/video-player/18875913. Accessed July 10, 2014.
- AMA. Change Healthcare cyberattack. Available at: https://www.ama-assn.org/practice-management/sustainability/change-healthcare-cyberattack. Published May 20, 2024. Accessed July 10, 2024.
- Health Sector Coordinating Council Cybersecurity Working Group. Healthcare cybersecurity is in critical condition. Available at: https://healthsectorcouncil.org. Accessed July 12, 2024.
- HHS. What’s new in the HICP 2023 edition. Available at: https://405d.hhs.gov/Documents/405d-hicp-highlight.pdf. Accessed July 10, 2024.
- NBC News. Ransomware attack on U.S. health care payment processor ‘most serious incident of its kind.’ Available at: https://www.nbcnews.com/tech/security/ransomware-attack-us-health-care-payment-processor-serious-incident-ki-rcna141322. Published March 1, 2024. Accessed July 10, 2024.
- Neprash HT, et al. JAMA Health Forum. 2022; doi:10.1001/jamahealthforum.2022.4873.
- U.S. News & World Report. Explainer: What to know about the Change Healthcare cyberattack. Available at: https://www.usnews.com/news/health-news/articles/2024-03-04/explainer-what-to-know-about-the-change-healthcare-cyberattack. Published March 14, 2024. Accessed July 10, 2024.
- Wired. Ransomware is ‘more brutal’ than ever in 2024. Available at: https://www.wired.com/story/state-of-ransomware-2024. Published June 18, 2024. Accessed July 10, 2024.
- For more information:
- George T. “Buddy” Hickman, C-DHE, CHCIO, LCHiME, FCHiME, LFHIMSS, of Roswell Park Comprehensive Cancer Center, can be reached at askroswell@roswellpark.org.
- Steven P. Furr, MD, FAAFP, of the American Academy of Family Physicians, can be reached at aafp@aafp.org.
- Margaret Lozovatsky, MD, FAMIA, of the American Medical Association, can be reached at margaret.lozovatsky@ama-assn.org.
- Theresa Payton, of Fortalice Solutions, can be reached at fortalice@society22pr.com.