Q4 Checkpoint on Cybersecurity in Healthcare: What This Year Has Taught Us So Far


The first half of 2024 was a reckoning for healthcare cybersecurity, as threats experts had warned about for years made news headlines. With high-profile ransomware attacks and new legislation designed to reinforce healthcare cybersecurity infrastructure, healthcare leaders could no longer operate on the assumption that “it won’t happen to us.” 

Instead, organizations are finally being urged to prioritize cybersecurity – and this blog explores why the first half of 2024 has brought about that shift.  

Expect to learn: 

  • How a single cybersecurity incident cost one company $1.9 billion in 2024 
  • The most important new cybersecurity legislation every healthcare leader must know about 
  • Three ways leaders can improve their cybersecurity program in response to the evolving threat landscape 

How Ransomware Attacks Shook Healthcare in 2024 

Ransomware is hardly a new threat to the healthcare industry; a survey from last year found 59% of organizations had experienced such an attack. But 2024 will most likely be remembered as the year when these attacks finally gained the widespread attention they deserve, as a pair of high-profile attacks brought the need for stronger healthcare cybersecurity into relief: 

1. Change Healthcare 

Change Healthcare is one of the USA’s largest health information exchange (HIE) platforms, managing over 15 billion claims each year, totaling over $15 trillion. But on February 21st, 2024, reports began to emerge of system outages. Hospital billing systems stopped working, insurance claims stalled, and by the end of the day, the company issued a statement explaining that they were “experiencing a network interruption related to a cyber security issue.” 

What transpired proved to be one of the most widely reported cyberattacks in recent memory. By February 29th, it was reported that a ransomware gang known as ALPHV had taken credit for the attack, and by early March, Change Healthcare agreed to pay the criminals $22 million in Bitcoin. 

The following months saw continued fallout from the attack, with reports emerging that the healthcare data of roughly one-third of all Americans was compromised. This led to chaos for many small providers, with some suggesting the attack could negatively impact their credit ratings despite having no direct responsibility for the vulnerability that caused the attack. 

For Change Healthcare itself, the attack has led to: 

  • Eye-watering Costs: The attack is projected to cost up to $1.9 billion by the end of 2024. This is primarily due to loans the company had to give providers who were unable to submit claims during the outage, as well as the cost of mailing notifications to affected patients.  
  • Legal Action: By mid-year, 49 consolidated lawsuits from impacted pharmacies and healthcare providers were pending against the company. 
  • Public Shame: The attack led to a Senate hearing during which Change Healthcare CEO Andrew Witty was asked to testify. 

During this hearing, one senator said the attack should be a “dire warning” to the industry about the potential severity of such attacks. Yet, within days, a new ransomware story would hit the headlines. 

2. Ascension 

With over 140 hospitals across the country, Ascension is one of the largest health systems in the US. When the company began to report “unusual activity” on their technology systems, few would have predicted the scope of the attack that was taking place. 

It soon emerged that the company’s system had been infiltrated and held hostage as part of a ransomware attack. An employee had accidentally downloaded a malicious file, leading to 36 days during which the company’s electronic health records (EHRs) were unavailable, impacting providers across 12 different states.  

The impact on patient care was severe: ambulances were diverted, appointments were postponed, EHRs were unavailable, and various systems used to book tests and access medications were taken offline. Providers were forced to revert to paper-based processes, which created large-scale disruptions; one nurse reported “nearly giving a baby the wrong narcotic” due to administrative confusion.  

Ultimately, Ascension was able to restore its system within a relatively brief timeframe. But the damage had already been done: the attackers stole files containing protected health information (PHI) and personally identifiable information (PII), and the company currently faces two class-action lawsuits that allege that the attack was “foreseeable and preventable.” 

Given both the scale and volume of news coverage the Change Healthcare and Ascension attacks experienced, it is unsurprising that new legislation has been rushed through in direct response. But which new laws and requirements should healthcare leaders be most concerned about? 

What New Healthcare Cybersecurity Legislation Has Been Introduced This Year? 

1. Healthcare Cybersecurity Improvement Act 

What is the Act?  

The Healthcare Cybersecurity Improvement Act is a bipartisan bill that would require entities to “meet minimum cybersecurity standards to be eligible for Medicare accelerated and advance payment programs if such payments are needed because of a cybersecurity incident.” 

Why Is It Being Enacted? 

The Change Healthcare attack created renewed urgency within the Senate to address cybersecurity issues within healthcare infrastructure. The Healthcare Cybersecurity Improvement Act aims to meet this need with a set of requirements designed to “strengthen cybersecurity infrastructure and better protect patients’ personal data.” 

It will contain a directive for the Department of Homeland Security and Infrastructure Security Agency (CISA) to work together with the Department of Health and Human Services (HHS) to develop resources on cyber threat indicators and appropriate defensive measures. The resources are likely to include revised cybersecurity best practices and provisions for training healthcare employees, and reporting standards may even be changed to improve cybersecurity incident responses. 

2. The HIPAA “Final Rule” 

What is the Final Rule? 

The HIPAA “Final Rule” amends the HIPAA Privacy Rule to prohibit the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. 

Why Is It Being Introduced? 

These new protections were inspired by growing patient concerns that the overturning of Roe v. Wade would lead to data breaches in reproductive clinics. The HHS spoke of a “chilling effect” on women’s use of healthcare facilities, where individuals are afraid to even collect prescriptions for fear of their behavior being disclosed. 


3 Risks Healthcare Organizations Still Overlook In 2024 

This legislation could not be more timely. While the attacks on Change Healthcare and Ascension have drawn greater attention to cybersecurity in 2024, research suggests there are many common risks that still need to be addressed: 

1. Organizational Liability 

Many healthcare organizations systematically underestimate their liability for cyberattacks. It therefore comes as a nasty surprise when they are held accountable for attacks that are not the result of gross negligence and, in many cases, may have been difficult to avoid. In recent years, there has been a substantial increase in enforcement and HIPAA-related fines from the OCR, as well as more patient lawsuits.  

The two ransomware attacks explored above illustrate this increased liability perfectly: 

  • The OCR ruled that entities impacted by the Change Healthcare breach could delegate their HIPAA breach notification responsibilities to Change Healthcare – which has created severe costs for the organization. 
  • Because an employee was responsible for the infiltration of their system, Ascension has been held responsible for the attack. Recent lawsuits have claimed the company is guilty of negligence per se, breach of implied contract, unjust enrichment, and violating the Illinois Consumer Fraud and Deceptive Business Practices Act. 

2. Contingency Planning 

An effective response to a cyberattack can dramatically mitigate its impact. From implementing measures to mitigate the impact on patient care to identifying and eliminating threats more quickly, the right contingency plan can be a vital lifeline for healthcare entities during an attack. 

However, a surprising number of organizations do not invest adequately in such measures. An HHS report from 2023 listed incident response as an area where “urgent improvements” were needed, and surveys in mid-2024 revealed that 37% of entities still do not have a cyberattack contingency plan in place. 

3. Poor Risk Visibility 

Healthcare leaders are still in the habit of viewing their attack surface as a series of atomized “risk factors” rather than a holistic system that is complexly linked. This is usually down to a lack of visibility: risk data is stored in disparate systems, often using different formats, which creates silos and limits organization-wide visibility. 

As a result, leaders cannot see how risks in one area of their organization relate to others. They cannot see which risks are truly the most urgent, and they cannot make informed decisions about the tradeoffs involved in risk remediation decisions. All of this leads to a scattered approach to cybersecurity that wastes resources and fails to protect the organization or its patients. 

How Should Healthcare Organizations Respond to These Risks? 

There are three clear steps we believe almost every healthcare organization will benefit from taking in 2024 and beyond to adapt their cybersecurity programs to the evolving threat landscape: 

1. Centralize Risk Data

Healthcare entities can make fast gains by simply eliminating data silos that impede their ability to view organization-wide risk. From digitizing paper-based processes to automating manual processes, even relatively small gains toward centralized data can reveal a wide range of otherwise overlooked issues – and potentially save your organization from excess liability. 

This is the heart of integrated risk management: an approach that unifies fragmented cybersecurity projects to reduce the managerial burden created by having dozens of projects running at once, while establishing a more robust organization-wide posture. 

2. Adopt voluntary cybersecurity standards 

While HIPAA compliance is a vital foundation for healthcare cybersecurity, it is increasingly clear that more extensive protections are required to keep up with the evolving risk landscape. This was the thinking behind the HHS’s recent cybersecurity performance goals (CPGs), and the same belief is driving a growing number of organizations to adopt the NIST cybersecurity framework (CSF) and even seek HITRUST certification. 

The beauty of these voluntary standards is that they cover all of your regulatory requirements. It is not a choice between NIST or HITRUST and HIPAA; the standards simply provide extra levels of protection and robustness that are not provided by the baseline of HIPAA. 

3. Undertake More Frequent Assessments 

Most healthcare organizations are overwhelmed by the volume of cybersecurity assessments they currently require, but this can be quickly remediated through streamlined processes. With the right combination of technology, people, and processes, you can run more assessments while expending fewer resources – and gain a more comprehensive view of your cybersecurity posture. 

Make 2024 the Turning Point in Your Cybersecurity Journey 

From Change Healthcare to Ascension, this year has already demonstrated how severe the consequences of poor cybersecurity can be. But your organization still has time to address vulnerabilities and take proactive steps to improve your security program – before it’s too late. 


About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.