Health care remains ripe for ransomware attacks
Federal officials and industry executives have known for years that the
The danger was obvious in 2021, when ransomware gangs struck hospitals already overwhelmed by the COVID-19 pandemic, forcing some to divert incoming emergency patients to other facilities and potentially contributing to deadly treatment delays.
But with private sector lobbyists opposing new security requirements,
So can relatively unknown electronic clearinghouses like
Critics say the
"We need to make sure we know where these vulnerable points are,"
Some members of
"The government needs to prevent this kind of devastating hack from happening over and over again," Sen.
Deputy National Security Adviser
"The Hill has not passed any legislation providing authorities to mandate minimum standards, which is why we have been using sector emergency authorities or rule making," Neuberger told
She said some requirements will come soon for providers that accept Medicare and Medicaid.
The
"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime," the association wrote in a letter to the
Last year, more health-care industry targets reported ransomware attacks to the FBI's Internet Crime Complaint Center than any other of the 16 sectors of critical infrastructure, according to the annual summary released this month.
Experts said industry resistance to mandatory security was only part of the problem.
Hospitals fall prey because they are "easy money," said
Asked why it has not prepared better, Natarajan said the "complexity of the sector" was part of the reason.
A single medical service can feature innumerable participants: doctors and hospitals, insurance companies, drugmakers, pharmacies and platforms like
So when hackers break into providers or others, encrypting health and billing records and demanding money to unlock them, they can also get into adjacent targets.
More than half of all health-care attacks come in through third parties, according to Garcia, whose organization is called the
The complexity is compounded by separate regulators for many parts of the health-care economy, some of which propound different security guidelines from one another, or none at all. The biggest authority, the
CISA named health care last year as one of its top priorities for tech security, along with water, public schools and election systems. The agency offers free vulnerability assessments and training, and it has been able to warn about 100 health-care providers in the past year that their systems were under attack before it was too late.
One key issue is whether to pay a ransom to unlock systems after hackers have seized control of them.
In a statement, the White House said it "strongly discourages paying of ransoms, to stop the flow of funds to these criminals and disincentivize their attacks."
But many cyber-insurance companies do suggest paying if data backups are not available.
When health providers don't pay, the results can be catastrophic.
In that case, most of the damage hit other organizations that depended on
Consumers and pharmacies still reported ongoing impacts, such as not being able to apply coupons that many use to pay for medications. The timeline to restore the ability to submit medical claims remains unclear, some physicians said.
There was also severe collateral damage after a major attack on the network of Scripps hospitals in
Inside Scripps hospitals, critical equipment was inoperable, a doctor told The
"You had to count on the patient to tell you what medications they were taking, what surgeries they'd had, if they remembered," the doctor said. "I'm sure we made mistakes."
Some security industry veterans who had seen a rash of medical industry data breaches before COVID-19 foresaw the ransomware surge that would follow, and they formed a group of volunteers to help in
The members also advised hospitals that were already under attack and in bad shape.
"I personally have no doubt that lives were lost," said
The league's greatest successes were the handful of times that it found a critical software flaw at a hospital, confirmed that ransomware hackers were exploiting the same flaw elsewhere, and explained the situation to the hospital in time for it to catch hackers in its systems before they encrypted them. CISA now uses the same approach.