Central Oregon Pathology Consultants has been in business for nearly 60 years, providing molecular testing and other diagnostic services to patients east of the Cascade Mountains.
Starting last winter, the clinic went for months without receiving any payments and operated on cash on hand, said Julie Tracewell, a manager at the clinic, which has been caught in the aftermath of one of the most significant ransomware attacks in U.S. history, the February hack of payments manager Change Healthcare.
The hack caused widespread paralysis in the U.S. healthcare system: Hospitals, pharmacists, and even physical therapists had trouble billing, and patients had trouble getting their prescriptions filled.
COPC has learned that Change has recently begun processing some of its outstanding claims. Tracewell said the clinic does not know how many of the approximately 20,000 claims that were outstanding as of July remain outstanding. Its patient payment portal remains down, preventing customers from making payments.
“It will take months to calculate the total loss from this downtime,” she said.
Healthcare is the most frequent target of ransomware attacks: According to the FBI, 249 ransomware attacks targeted healthcare organizations in 2023, the most of any sector.
Health care executives, lawyers and lawmakers worry the federal response has been inadequate, underfunded and too focused on protecting hospitals, even as Change has demonstrated the vulnerabilities are widespread.
“The current approach to health care cybersecurity – self-regulation and voluntary best practices – is woefully inadequate, leaving the health care system vulnerable to criminal and foreign government hackers,” Sen. Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, wrote in a recent letter to the Department of Health and Human Services.
There’s no money, said Mark Montgomery, senior director of the Cyber and Technology Innovation Center at the Foundation for Defense of Democracies. “There’s been very little to no effort to increase investment in security,” he said.
The challenge is urgent: 2024 was the year of healthcare hacks. In one case, nonprofit blood donation service OneBlood fell victim to a ransomware attack that disrupted access to blood for transfusions at hundreds of hospitals across the Southeast.
Cyberattacks complicate routine and complex tasks alike, said Nate Couture, chief information security officer at the University of Vermont Health Network, which was hit by a ransomware attack in 2020. “You can’t mix a chemotherapy cocktail by eye,” he said at a June event in Washington, D.C., about cancer treatments that rely on technology that was disabled in the attack.
In December, HHS released a cybersecurity strategy for the health sector, with several proposals focused on hospitals, including a carrot-and-stick program that would reward providers who adopt certain “mandatory” security measures and penalize those who don’t.
Even that narrow focus could take years to materialize: According to HHS’s proposed budget, funds would begin flowing to “high-need” hospitals in fiscal year 2027.
The focus on hospitals is “not appropriate,” Ileana Peters, a former enforcement attorney for the HHS Office of Civil Rights, said in an interview. “The federal government needs to go further by also investing in the organizations that supply and contract with health care providers,” she said.
“The department’s interest in protecting the health and safety of patients puts hospitals high on our list of priority partners,” Brian Mazanec, deputy director of the Department of Health and Human Services’ Office of Strategic Preparedness and Response, said in an interview.
The nation’s health care cybersecurity responsibilities are shared among three divisions within two different agencies: The Department of Health’s Office for Civil Rights acts like a police patrol, monitoring whether hospitals and other medical organizations are adequately protecting patient privacy and issuing fines if they don’t.
The Department of Health’s Office of Preparedness and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency are helping build defenses, including by requiring medical software developers to use auditing techniques to review their security.
The latter two agencies are required to compile a list of “systemically important organizations” whose activities are essential to the smooth functioning of the health care system. These organizations should receive special attention, including being included in government threat reports, Josh Corman, co-founder of the cyber advocacy group I Am The Cavalry, said in an interview.
Federal officials were working on compiling a list when news of the Change hack broke, but Change Healthcare was not on it, Jen Easterly, director of the Department of Homeland Security’s cybersecurity agency, said at an event in March.
Nitin Natarajan, deputy director of the cybersecurity agency, told KFF Health News that the list was only a draft. The agency had previously estimated it would complete its list of entities across all sectors in September of last year.
The HHS preparedness office is supposed to coordinate with the Department of Homeland Security’s cybersecurity agency and the rest of HHS, but congressional staffers said the office’s efforts have fallen short. Matt McMurry, chief of staff to Rep. Robin Kelly (D-Ill.), said in a June meeting that HHS had “silos of talent” and “teams weren’t talking to each other, and it wasn’t clear who [people] should go to.”
“Is HHS’s preparedness office the right place to be in charge of cybersecurity? I don’t know,” he said.
Historically, the bureau has focused on physical-world disasters like earthquakes, hurricanes, anthrax attacks and pandemics. As Trump-era agency leaders sought to expand funding and authority, they also inherited cybersecurity, said Chris Meekins, who worked for the bureau under Trump and is now an analyst at investment bank Raymond James.
But since then, Meekins said, the department has shown it “is not qualified to do it” — “We don’t have the funding, we don’t have the commitment, we don’t have the expertise.”
Annie Fixler, director of FDD’s Center on Cyber and Technology Innovation, said there are only a “handful” of employees dedicated to cybersecurity. Mazanec acknowledged that number is small, but hopes the additional funding will allow the agency to hire more.
The agency has been slow to respond to outside feedback: When an industry clearinghouse on cyber threats tried to work with the agency to create an incident-response process, “it took us probably three years to find people who were willing to help us with that effort,” said Jim Rouse, who was then president of the group’s Healthcare Information Sharing and Analysis Center.
During the 2017 NotPetya attack — the hack that hit hospitals and pharmaceutical company Merck hard — Health-ISAC disseminated information to its members themselves, including on how to best contain the attack, Rouse said.
Advocates have pointed to the Change hack, which has been blamed on the lack of multi-factor authentication, a technology that is commonplace in U.S. workplaces, and said HHS needs to use mandates and incentives to get the health sector to put better defenses in place. The department’s strategy, released in December, has relatively narrow goals for the health sector, which are largely voluntary for now. The department is “considering” creating “new enforceable” standards, Mazanec said.
Much of HHS’ strategy will be rolled out in the coming months. The department has already requested additional budgetary spending. The Preparedness Office, for example, is requesting an additional $12 million for cybersecurity. The Civil Rights Office, which will see a flat budget and fewer enforcement staff, is expected to announce updates to its privacy and security rules.
“There are still big challenges facing the industry as a whole,” Rouse said. “I don’t see anything happening that’s going to necessarily change that.”
KFF Health News is a national newsroom producing in-depth journalism on health issues and is one of the core operating programs of KFF, an independent source of health policy research, polling and journalism.