Harmful hacks unveil the vulnerable core of America's healthcare infrastructure.
In recent incidents, federal authorities and cybersecurity professionals have worked urgently to limit the damage and restore computers to working order. However, the widespread consequences of the hacks, which resulted in ambulances being redirected from hospitals and pharmacies being unable to process insurance, have left some American legislators, senior Biden administration officials, and policy experts debating the necessity of new security rules. Health care lags other industries like big financial institutions and energy suppliers in terms of IT security, according to several experts.
"Industry has demanded voluntary cybersecurity for years - and this is the outcome," Joshua Corman, an expert in the cybersecurity field who has concentrated on the health sector for years, told CNN.
Sen. Ron Wyden, the Oregon Democrat who chairs the finance committee, echoed a similar sentiment, telling CNN, "Every new brutal hack highlights the need for compulsory cybersecurity standards in the health sector, particularly when it comes to the largest corporations that millions of patients depend on for care and medication."
If no action is taken, "patients' access to care and their personal health information will be violated and held ransom by hackers repeatedly," Wyden warned.
Emsisoft, a cybersecurity company, recorded 46 hospital systems in the USA, 141 hospitals in total, being impacted by ransomware in 2023, up from 25 hospital systems in 2022.
February's ransomware attack targeted Change Healthcare, an insurance billing enterprise that handles around 15 billion healthcare transactions every year. This incident denied revenue to healthcare providers, impacted pharmacy services across the nation, and potentially compromised the personal data of a third of American citizens.
The ransomware strike on Ascension, a St. Louis-based nonprofit network with 140 hospitals and 40 senior living facilities in 19 states, happened in early May. This attack caused ambulances to be diverted from some hospitals.
The Biden administration is anticipated to issue mandatory cybersecurity requirements for US healthcare facilities, Anne Neuberger, a senior White House cyber official, confirmed this month. However, the specifics of the proposal are yet to be determined.
The American Hospital Association (AHA), an organization that represents hospitals across the United States, opposes the administration's initiative, arguing that it would penalize victims of cyberattacks after they've been hacked.
Assistant Health and Human Services officials had previously said the department is ready to utilize multiple measures, including imposing monetary fines, to compel and encourage healthcare organizations to strengthen their systems.
Additionally, momentum is building at the Capitol to require healthcare organizations to abide by fundamental cybersecurity standards.
A bill introduced in March by Sen. Mark Warner, a Virginia Democrat, proposes "advanced and accelerated" Medicare payments for hacked healthcare providers if they meet minimum security requirements.
While the ransomware attacks on Change Healthcare and Ascension have highlighted the highly vulnerable state of the healthcare industry's cybersecurity, experts believe that new regulations alone won't resolve the issue because of the constant financial strains in healthcare.
"US health care is in a death spiral," Corman, who co-founded I Am the Cavalry, a volunteer group dedicated to cybersecurity for resource-poor organizations, told CNN. "Stressed hospitals are bought into gigantic conglomerates. Ransoms cause stress for the smaller entities, while multi-week, multi-state blackouts occur for those 'saved' by the larger entities."
To make a meaningful difference in the sector's cybersecurity, Corman believes that any new regulations should be strong enough to push significant advancements. He stated, "Yes, cybersecurity is expensive - as we can clearly observe... neglect is more costly."
Change Healthcare's parent company, UnitedHealth Group, has a substantial presence in the healthcare market. With a reported $371 billion in revenue last year, this business deals with one-third of American patient records, according to the AHA. Optum, a subsidiary of UnitedHealth, employs approximately 90,000 physicians.
At a Senate hearing this month, Sen. Marsha Blackburn, a Tennessee Republican, questioned UnitedHealth Group CEO Andrew Witty concerning the lack of necessary safeguards that had facilitated the ransomware attack and made the company highly vulnerable.
In addition, the Justice Department announced the formation of a task force last week to scrutinize "health care monopolies and collusion," whose mission will guide the department's approach to "civil and criminal enforcement in health care markets" as necessary.
The tech sector could play a crucial role in bolstering the healthcare industry's cybersecurity defenses, as highlighted by Joshua Corman. In light of the growing cyber threats, some policy experts are considering mandatory cybersecurity regulations for the business sector of healthcare.
Source: edition.cnn.com