Health care remains ripe for ransomware attacks

Federal officials and industry executives have known for years that the U.S. health care system was one of the critical industries most vulnerable to hacking hut failed to make the improvements that might have stopped attacks like the one that has crippled pharmacists and other medical providers for three weeks.

The danger was obvious in 2021, when ransomware gangs struck hospitals already overwhelmed by the COVID-19 pandemic, forcing some to divert incoming emergency patients to other facilities and potentially contributing CO deadly treatment delays.

But with private sector lobbyists opposing new security requirements, Congress and the regulatory wheels have ground slowly, mainly promoting best practices that hospitals can-and do-choose to ignore.

So can relatively unknown electronic clearinghouses like UnitedHealth Group's Change Healthcare, which was the object of an attack launched last month by a hacker affiliated with ransomware gang ALPHV that severed a key link between medical providers and their patients' insurance companies in the worst health-care hack ever reporred. Change Healthcare said Monday that it had provided advances of $2 billion to pharmacies, hospitals and other providers who were unable to get insurance reimbursements during the failure of its network.

Critics say the Change Healthcare fiasco, which has hurt patient care at almost three-fourths of U.S. hospitals, shows that defensive efforts are horribly inadequate. 1 hc\ say ,i complete response would include strict security requirements tor the most critical pieces of the sprawling system, followed by less stringenr hut still sufficient rules for big hospital systems. The smallest providers, which may not have any security staff, should get help, as called for in the administration's proposed budget.

"We need to make sure we know where these vulnerable points are," Nitin Natarajan, deputy director of the Department oi Homeland Security's Cybersecurity and Infrastructure Security Agency, acknowledged in an interview. "We're looking at what levers exist."

Some members of Congress say that should have happened already.

"The government needs to prevent this kind of devastating hack from happening over and over again," Sen. Ron Wyden, P-Ore, told The Washington Post. "I want to work with the Bidet) administration to ensuie there are mandatory, specific cybersecurity rules in place as soon as possible, and to ensure accountability tor CEOs."

Deputy National Security Adviser Anne Neuberger said the White House is examining what laws it can use to impose such standards on a reluctant industry, while telling executives that they are expected to comply with voluntary guidelines immediately.

"The Hill has not passed any legislation providing authorities- to mandate minimum standards, which is why we have been using sector emergency authorities or rule making," Neuberger told The Post on Monday.

She said some requirements will come soon for providers that accept Medicare and Medicaid.

The American Hospital Association said it supports voluntary cybersecurity goals aimed at defending against the most common attacks, like phishing emails. But the organization criticized mandatory measures like those proposed by the Biden administration, saying it would penalize hospitals that fail to meet certain standards, even when most of the risk comes from third-party technologies.

"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault tor the success of hackers in perpetrating a crime," the association wrote in a letter to the House Finance Committee last week.

Last year, more health-care industry targets reported ransomware attacks to the FBI's Internet Crime Complaint Center than any other of the 16 sectors of critical infrastructure, according to the annual summary released this month.

Experts said industry resistance to mandatory security was only parr ot the problem.

Hospitals tall prey because thc\ are "eas>money," said Greg Garcia, executive director of a health-care industry cybersecurity group and a former assistant secretary oi homeland security. "If the choice is 'pay the ransom and save a life and don't pay a ransom and risk losing a life or going out of business if it's a small system,' it's kind of a no-brainer tor the hacker."

Asked why it has not prepared better, Natarajan said the "complexity of the sector" was part of the reason.

A single medical service can feature innumerable participants-doctors and hospitals, insurance companies, drugmakers, pharmacies and platforms like Change Healthcare-all of which connect electronically. That makes each piece, with its own technology and priorities, a potential gateway to the whole medical universe.

So when hackers break into providers or others, encrypting health and billing records and demanding money to unlock them, they can also get into adjacent targets.

More than halt of all health-care attacks come in through third parties, according to Garcia, whose organization is called the Health Sector Coordinating Council Cyhersecurity Working Group.

The complexity is compounded by separate regulators for many parts of the health-care economy, some of which propound different security guidelines from one another, or none at all. The higgest authority, the Department of Health and Human Services, enforces rules for securing sensitive health data and is investigating the Change Healthcare breach. HHS did not respond to requests for comment.

C1SA named health care last year as one of its top priorities for tech security, along with water, public schools and election systems. The agency offers free vulnerability assessments and training, and it has been able to warn about 100 health-care providers in the past year that their systems were under attack before it was too late.

One key issue is whether to pay a ransom to unlock systems after hackers have seized control a( them.

In .1 statement, the White 1 louse said it "strongly discourages paying of ransoms, to stop the flow of funds to these criminals and disincentivize their attacks."

Rut many cyber-insurance companies ^\o suggest paying il data backups arc-not available.

When health providers don't pay, the results can be catastrophic. Change Healthcare parent company United Healthcare Group has not denied reports that it held out for two weeks before sending S22 million to the Russian-speaking ransomware gang ALPHV.

In that case, most of the damage hit other organizations that depended on Change Healthcare, as well as patients who found they could not get lifesaving medications without paying the same price as someone with no insurance.

UnitedHealth Group said Monday it had restored Change Healthcare's platform for electronic payments and what it said was 99% of its pharmacy network services, while starting to release software for health care providers to submit medical claims for reimbursement.

Consumers and pharmacies still reported ongoing impacts, such as not being able to apply coupons that many use to pay tor medications. The timeline to restore the ability to submit medical claims remains unclear, some physicians said.

There was also severe collateral damage after B major attack on the network of Scripps hospitals in San Diego in 2021, according to a May article in JAMA Network Open, from the American Medical Association. Scripps did not pay the ransom, according to reports at the time. The study found that the amount of time patients lost Irom being diverted to other emergency rooms more than doubled in the first days after the attack.

Inside Scripps hospitals, critical equipment was inoperable, a doctor told The Washington Post, including electronic patient records. Some younger physicians who hail never before used paper charts simply went home.

"You had to count on the patient to tell you what medications they were taking, what surgeries they'd had, if they remembered," the doctor said. "I'm sure we made mistakes."

Some security industry veterans who had seen a rash of medical industry data breaches before covid-19 foresaw the ransomware surge that would follow, and they formed a group of volunteers to help in March 2020. Called the Cyber Threat Intelligence League, they scanned hospital networks from afar, looking tor vulnerabilities and alerting facilities that were in danger.

The members also advised hospitals that were already under attack and in bad shape.

"1 personally have no doubt that lives were lost," said CTI League co-founder Marc Rogers. "When you talk to a hospital in the small hours of the morning and they have no way to access patient medical history records and use more advanced systems, you know that's going to cost Lives."

The league's greatest successes were the handful of times that it found a critical software flaw at a hospital, confirmed that ransomware hackers were exploiting the same flaw elsewhere, and explained the situation to the hospital in time for it to catch hackers in its systems before they encrypted them. CISA now uses the same approach.*