Hospitals: ‘The No.1 Target of Ransomware’
“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego. “These types of cybersecurity incidents should be thought of as a matter of when, and not if.”
Josh Corman, a cybersecurity expert and advocate, said ransom crews regard hospitals as the perfect prey: “They have terrible security and they’ll pay. So almost immediately, hospitals went to the No. 1 target of ransomware.”
In 2023, the health sector experienced the largest share of ransomware attacks of 16 infrastructure sectors considered vital to national security or safety, according to an FBI report on internet crimes. In March, the federal Department of Health and Human Services said reported large breaches involving ransomware had jumped by 264% over the past five years.
A cyberattack this year on Change Healthcare, a unit of UnitedHealth Group’s Optum division that processes billions of health care transactions every year, crippled the business of providers, pharmacies, and hospitals.
In May, UnitedHealth Group CEO Andrew Witty told lawmakers the company paid a $22 million ransom as a result of the Change Healthcare attack — which occurred after hackers accessed a company portal that didn’t have multifactor authentication, a basic cybersecurity tool.
The Biden administration in recent months has pushed to bolster health care cybersecurity standards, but it’s not clear which new measures will be required.
In January, HHS nudged companies to improve email security, add multifactor authentication, and institute cybersecurity training and testing, among other voluntary measures. The Centers for Medicare & Medicaid Services is expected to release new requirements for hospitals, but the scope and timing are unclear. The same is true of an update HHS is expected to make to patient privacy regulations.
The voluntary measures “will inform the creation of new enforceable cybersecurity standards,” HHS spokesperson Jeff Nesbit said in a statement.
“The recent cyberattack at Ascension only underscores the need for everyone in the health care ecosystem to do their part to secure their systems and protect patients,” Nesbit said.
Meanwhile, lobbyists for the hospital industry contend cybersecurity mandates or penalties are misplaced and would curtail hospitals’ resources to fend off attacks.
“Hospitals and health systems are not the primary source of cyber risk exposure facing the health care sector,” the American Hospital Association, the largest lobbying group for U.S. hospitals, said in an April statement prepared for U.S. House lawmakers. Most large data breaches that hit hospitals in 2023 originated with third-party “business associates” or other health entities, including CMS itself, the AHA statement said.
Hospitals consolidating into large multistate health systems face increased risk of data breaches and ransomware attacks, according to one study. Ascension in 2022 was the third-largest hospital chain in the U.S. by number of beds, according to the most recent data from the federal Agency for Healthcare Research and Quality.
And while cybersecurity regulations can quickly become outdated, they can at least make it clear that if health systems fail to implement basic protections there “should be consequences for that,” Jim Bagian, a former director of the National Center for Patient Safety at the Veterans Health Administration, told Michigan Public’s Stateside.
Patients can pay the price when lapses occur. Those in hospital care face a greater likelihood of death during a cyberattack, according to researchers at the University of Minnesota School of Public Health.
Workers concerned about patient safety at Ascension hospitals in Michigan have called for the company to make changes.
“We implore Ascension to recognize the internal problems that continue to plague its hospitals, both publicly and transparently,” said Dina Carlisle, a nurse and the president of the OPEIU Local 40 union, which represents nurses at Ascension Providence Rochester. At least 125 staff members at that Ascension hospital have signed a petition asking administrators to temporarily reduce elective surgeries and nonemergency patient admissions, as under the protocols many hospitals adopted early in the covid-19 pandemic.
Watson, the Kansas ICU nurse, said in late May that nurses had urged management to bring in more nurses to help manage the workflow. “Everything that we say has fallen on deaf ears,” she said.
“It is very hard to be a nurse at Ascension right now,” Watson said in late May. “It is very hard to be a patient at Ascension right now.”
KFF Health News is a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF—an independent source of health policy research, polling, and journalism.