Central Oregon Pathology Consultants has been in business for nearly 60 years, providing molecular testing and other diagnostic services east of the Cascade Mountains.
Starting last winter, the clinic went without payments for months and survived on cash on hand, said Julie Tracewell, a manager at the clinic, which is caught in the aftermath of one of the most significant digital attacks in U.S. history, the February hack of Change Healthcare, a payment management company.
COPC recently learned that Change has begun processing some of the unpaid claims. Tracewell said the clinic does not know how many of its approximately 20,000 unpaid claims were still outstanding as of July. The patient payment portal remains down, preventing patients from making payments.
“It will take months to calculate the total loss from this downtime,” she said.
Healthcare is the most frequent target of ransomware attacks: According to the FBI, 249 attacks targeted healthcare organizations in 2023, the most of any sector.
And health care executives, lawyers and congressional officials worry the federal response has been inadequate, underfunded and too focused on protecting hospitals, even as Change demonstrated that vulnerabilities are widespread.
“The current approach to healthcare cybersecurity – self-regulation and voluntary best practices – is woefully inadequate, leaving the health care system vulnerable to criminal and foreign government hackers,” Sen. Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, wrote in a recent letter to the Department of Health and Human Services.
There’s no money, said Mark Montgomery, senior director of the Cyber and Technology Innovation Center at the Foundation for Defense of Democracies. “There’s been very little to no effort to increase investment in security,” he said.
The urgency of the challenge was underscored in 2024, when hundreds of hospitals across the Southeast struggled to get blood for transfusions after the nonprofit blood-donation service OneBlood fell victim to a ransomware attack.
Cyberattacks complicate routine and complex tasks alike, said Nate Couture, chief information security officer at the University of Vermont Health Network, which was hit by a ransomware attack in 2020. “You can’t mix a chemotherapy cocktail by sight,” he said about cancer treatment at a June event in Washington, D.C.
In December, HHS released a strategy to shore up the health sector’s cybersecurity, with several proposals focused on hospitals, including a carrot-and-stick program that would reward providers who adopt certain “mandatory” security measures and penalize those who don’t.
Even that narrow focus could take years to materialize: According to HHS’s proposed budget, funds would begin flowing to “high-need” hospitals in fiscal year 2027.
The focus on hospitals is “not appropriate,” Ileana Peters, a former enforcement attorney for the HHS Office for Civil Rights, said in an interview. “The federal government needs to go further by also investing in the organizations that supply and contract with health care providers,” she said.
“The department’s interest in protecting the health and safety of patients puts hospitals high on our list of priority partners,” Brian Mazanec, deputy director of the Department of Health and Human Services’ Office of Strategic Preparedness and Response, said in an interview.
The nation’s health care cybersecurity responsibilities are shared among three offices within two different cabinet departments: HHS’s Office for Civil Rights acts like a police patrol, monitoring whether hospitals and other health care organizations are adequately protecting patient privacy and issuing fines if they don’t.
HHS’s preparedness office and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency are helping build defenses, including by requiring health software developers to use auditing techniques to review their security.
The latter two agencies are required to compile a list of “systemically important organizations” whose activities are essential to the smooth functioning of the health care system. These organizations should receive special attention, such as being included in government threat reports, Josh Corman, co-founder of the cyber advocacy group I Am The Cavalry, said in an interview.
Federal officials were working on compiling a list when news of the Change hack broke, but Change Healthcare was not on it, Jen Easterly, director of the Department of Homeland Security’s cybersecurity agency, said at an event in March.
Nitin Natarajan, deputy director of the cybersecurity agency, told KFF Health News that the list was only a draft. The agency had previously estimated it would complete its list of entities across sectors in September of last year.
The HHS preparedness office is supposed to coordinate with the Department of Homeland Security’s cybersecurity agency and with the rest of HHS, but congressional staffers said the office’s efforts have fallen short. Matt McMurry, chief of staff to Rep. Robin Kelly (D-Ill.), said during a June meeting that HHS had “silos of talent” and that “teams weren’t talking to each other and it wasn’t clear who [people] should go to.”
“Is the HHS preparedness office the right place to be in charge of cybersecurity? I don’t know,” he said.
Historically, the office has focused on physical-world disasters like earthquakes, hurricanes, anthrax attacks and pandemics. As Trump-era agency leaders sought to expand its funding and authority, they also inherited cybersecurity, said Chris Meekins, who worked for the office under Trump and is now an analyst at investment bank Raymond James.
But since then, Meekins said, the department has shown it “is not qualified to do it” — “We don’t have the funding, we don’t have the commitment, we don’t have the expertise.”
Annie Fixler, director of the Foundation for Defense of Democracies’ Cyber and Technology Innovation Center, said there are only “a handful” of employees working on cybersecurity. Mazanec acknowledged that number is not large, but said he hopes the additional funding will allow the office to hire more.
The agency has been slow to respond to outside feedback: When an industry clearinghouse on cyber threats tried to work with the agency to create an incident-response process, “it took us probably three years to find people who were willing to help us with that effort,” said Jim Rouse, then president of the group, the Health Information Sharing and Analysis Center (Health-ISAC).
During the 2017 NotPetya attack — the hack that hit hospitals and pharmaceutical company Merck hard — Health-ISAC disseminated information to its members on its own, including on how best to contain the attack, Rouse said.
Advocates have pointed to the Change hack, which has been blamed on the lack of multi-factor authentication — a technology that is all too familiar in U.S. workplaces — and said HHS needs to use mandates and incentives to get the health sector to put better defenses in place. The department’s strategy, released in December, sets relatively narrow goals for the health sector, which are largely voluntary for now. The department is “considering” creating “new enforceable” standards, Mazanec said.
Much of HHS’ strategy will be rolled out in the coming months. The department has already requested additional funding. The preparedness office, for example, is requesting an additional $12 million for cybersecurity. The Office for Civil Rights, which will see a flat budget and fewer enforcement staff, is expected to announce updates to its privacy and security rules.
“There are still big challenges facing the industry as a whole,” Rouse said. “I don’t see anything happening that’s going to necessarily change that.”
DariusT@kff.org, @dariustahir