Q&A: Physicians call for federal action to combat rise in cyberattacks

Key takeaways:

• Cyberattackers are targeting health care organizations because of their size, sensitive data and criticality.
• Smaller practices are just as vulnerable as large organizations, an expert said.

On May 8, the health care organization Ascension experienced a cyberattack that disrupted access to its electronic health care records, patient portals, phones and systems used to order tests, medications and procedures.

The attack forced Ascension, which operates 140 hospitals across 19 states, to divert ambulances from several hospitals, an organization spokesperson said in an update.

According to reporting by CNN, the hack was a ransomware attack, and the cybercriminals used a type of ransomware known as Black Basta.

Cyberattacks are becoming increasingly more common in health care. HHS data show there has been a 239% increase in large breaches involving hacking over the last 4 years, and a 278% increase in ransomware.

The February ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, had a “devasting impact” on physician practices across the U.S., according to the AMA. The organization conducted a survey in April to assess the challenges that physicians continue to experience following the attack. Most of the respondents said they still face barriers to claim submission (75%) and disruptions in claim payments (85%).

The Health Information Sharing and Analysis Center recently released a public advisory warning that hackers are increasing their attacks on health care with Black Basta, affecting more than 500 organizations globally. The advisory noted that health care organizations are attractive targets for hackers because their dependency on technology, size, access to personal health information and impacts on patient care disruptions.

Steven P. Furr, MD, FAAFP, president of the American Academy of Family Physicians (AAFP), spoke with Healio about how cyberattacks affect patients and providers, how practices can protect their patients’ data and more.

Healio: What groups are targeting U.S. health facilities and why?

Furr: Given the size of the health care sector and the highly sensitive information and criticality of the systems, health care organizations are a target for most of the groups performing cyberattacks. Ransomware, malware and viruses are common attack vectors. According to the AMA, in 2023, nearly 800 large data breaches involving nearly 134.8 million people were reported to the HHS Office for Civil Rights.

Healio: What vulnerabilities of the health care sector are cyberattacks exploiting? What steps can practices take to ensure data security?

Furr: The health care sector has all the same cyberattack vectors (ie, how a system can be exploited) of other sectors like vulnerabilities in operating systems and third-party applications, network attacks, viruses, malware, phishing and mal-configured systems. Additionally, smaller practices are just as vulnerable as larger health care organizations but may not have a large enough security budget or staff to protect sensitive patient information against potential cyber risks.

That said, there are a few things family physicians and practices can do to mitigate the risk of a cyberattack. The first is to ensure all computer operating systems and other software are up to date. Practice staff should also advise other clinicians and practice staff to not click on links in emails before verifying the sender's email address. Additionally, health care facilities should ensure a robust plan for backing up critical data is in place and has been adequately tested and has demonstrated that data can be restored successfully.

Healio: How do cybersecurity attacks impact patients and providers? What are the medical and legal consequences?

Furr: Recent breaches, including the cyberattack on Change Healthcare, have had far-reaching implications for family physicians and other providers of health care services, affecting their ability to receive payments and perform everyday business functions that are essential to the delivery of care to patients.

The basic functions impacted by the Change Healthcare outage include everyday administrative tasks, such as confirming patient insurance eligibility, submitting electronic prescriptions, processing electronic prior authorizations, filing claims and receiving payment for care they continue to provide. If these processes cannot be performed in a timely manner, patient care is jeopardized.

We are several months removed from the initial cyberattack, and the situation on the ground for many small practices remains dire. The AAFP continues to hear from family physicians across the country who are reaching the point of possible practice closure.

During the COVID-19 pandemic, we saw practices temporarily closing — not providing patient care and not being reimbursed for services. Today, we see practices continuing to care for patients, but their revenues are reduced to a fraction of their normal cash flow before the attack. So, while caring for patients, physicians are faced with deciding which bills to prioritize, which creditors to negotiate wit, and what they personally can do without due to the sudden and unexpected loss of revenue.

There’s some change that needs to happen at the federal level to help practices prepare for, and mitigate the impacts of future attacks.

Healio: How serious is this threat to primary care providers in smaller practices? What can they do to protect patients’ data security without hindering the quality of care?

Furr: Although large health care organizations with significant administrative/technology staff and substantial financial reserves may have weathered this storm, small physician-owned practices are in an entirely different situation — particularly primary care practices that frequently operate on razor thin margins in the best of times.

Moreover, the financial impacts of the attack are jarring. The AAFP has heard from many members that the outage has been detrimental to practices large and small, but especially small, physician-owned, independent practices.

For instance, we’ve heard from members that the outage impacted their ability to maintain payroll and forced practices to dip into their reserves, as well as scaling back staff hours to manage expenses and maintain sufficient operations.

As a first step, cybersecurity insurance should be more accessible and affordable, especially for small, physician-owned practices. Although cyber insurance is available to protect small businesses against losses stemming from a cyberattack, our members reported burdensome requirements to access coverage.

Healio: What investments are needed to strengthen cybersecurity in the U.S.?

Furr: One of the reasons why the Change Healthcare attack was so devastating is because of a lack of oversight on industry consolidation. Much of the nation’s health care system —including large and small physician practices — is reliant on the services from a small number of companies, such as Change Healthcare. That’s why the AAFP urged Congress to closely examine how unchecked consolidation impacts the overall health system from the perspective of patients and the physicians who care for them.

The AAFP shared recommendations with the House Energy and Commerce Subcommittee in the wake of the Change cyberattack. The AAFP pointed out a few considerations that Congress should explore as they pursue future legislation to strengthen the health care infrastructure to avoid another major attack.

As a first step, we need wide-scale national health care interoperability, which would enable organizations to seamlessly shift systems if one platform or technology was unavailable due to a cyberattack. This lack of interoperability, coupled with consolidation, has resulted in a health care system that is not resilient and vulnerable to future cyberattacks.

Additionally, work is needed to fortify the resiliency of our nation’s health care infrastructure. For other companies vulnerable to similar attacks, it is necessary to understand what contingencies are in place among payers and vendors if cyberattacks of similar scale and scope of Change are realized in the future.

The whole health care system is under cyberattack. There is no hospital system or medical office too big or too small that is not prone to attack.

References:

• Black basta threat actor emerges as a major threat to the healthcare industry. https://h-isac.org/black-basta-threat-actor-emerges-as-a-major-threat-to-the-healthcare-industry/. Published May 10, 2024. Accessed May 31, 2024.
• Cases currently under investigation. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed June 3, 2024.
• Change Healthcare cyberattack. https://www.ama-assn.org/practice-management/sustainability/change-healthcare-cyberattack. Published May 20, 2024. Accessed June 3, 2024.
• Cybersecurity event update. https://about.ascension.org/en/cybersecurity-event. Accessed May 31, 2024.
• Cyberattack forces major US health care network to divert ambulances from hospitals. https://www.cnn.com/2024/05/10/tech/cyberattack-ascension-ambulances-hospitals/index.html. Published May 10, 2024. Accessed May 31, 2024.
• HHS’ Office for Civil Rights settles ransomware cyber-attack investigation. https://www.hhs.gov/about/news/2023/10/31/hhs-office-civil-rights-settles-ransomware-cyber-attack-investigation.html. Published Oct. 31, 2023. Accessed May 31, 2024.
• Joint letter to HHS on HIPAA reporting requirements re Change cyberattack. https://www.aafp.org/content/dam/AAFP/documents/advocacy/legal/hipaa/LT-HHS-Cybersecurity-052024.pdf. Accessed June 3, 2024.
• Letter to Energy and Commerce Committee on Change Healthcare cyberattack. https://www.aafp.org/dam/AAFP/documents/advocacy/legal/transparency/LT-EC-ChangeCyberattack-041624.pdf. Accessed June 3, 2024.
• #StopRansomware: Black Basta. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a. Published May 10, 2024. Accessed May 31, 2024.