The Wall Street Journal – Friday, December 27, 2024
By James Rundle
U.S. regulators and lawmakers are proposing new rules to protect hospitals from cyberattacks in 2025 after a bruising year of hacks and software outages, but small healthcare providers worry they can’t afford to comply.
Many smaller providers say they are already fighting against hackers every day, and losing.
“It’s a constant battle. We do better, they improvise, we have to learn again,” said Todd Blum, chief executive of ENT and Allergy Associates of Florida, a group of about 100 ear, nose and throat doctors and other medical professionals.
A bipartisan bill proposed in the Senate in November would require the Department of Health and Human Services to overhaul its own cybersecurity processes, and develop incident-response plans for cyberattacks.
The bill would also add stricter cybersecurity requirements to the Health Insurance Portability and Accountability Act, including mandates for multifactor authentication and regular audits. It says that the agency must provide guidance for rural medical providers, and grants, where appropriate, to strengthen cyber defenses.
Separately, HHS submitted HIPAA updates in October, including new requirements for protecting electronic health information, to the White House for review. With approval from the Biden administration, the agency expects to issue proposed rules in December, for public review.
Cyberattacks have taken down some of the largest healthcare systems in the U.S. over the past 12 months, including one in May on Ascension Health Alliance, which operates around 140 hospitals in 19 states and the District of Columbia. Other significant attacks include a January hack at Ann & Robert H. Lurie Children’s Hospital of Chicago, which took half the year to recover, and a breach at Cedars-Sinai Medical Center in Los Angeles.
The incidents forced facilities to divert patients elsewhere, delay procedures and run up even longer-than-usual waits in emergency rooms. Staff often had to revert to manual procedures after losing access to electronic health records, sometimes resulting in months of work to reupload data when IT systems finally came back online.
As of mid-December, 567 data security incidents had been reported to HHS in 2024, cumulatively exposing the health information of nearly 170 million people. Healthcare was the third-most targeted sector in 2023, behind professional services and retail, according to an annual threat report from International Business Machines.
A February ransomware attack against UnitedHealth Group-owned Change Healthcare spurred lawmakers to propose stricter cybersecurity laws for the industry. Change, which handles insurance claims and prescriptions for a swath of U.S. healthcare organizations, was forced to disable its software after the attack. For months, health providers couldn’t transmit claims. Some took in no revenue, forcing owners to rely on lines of credit, personal savings or emergency loans from UnitedHealth to stay afloat.
Hackers also stole a trove of patient data, affecting one in three U.S. residents, according to UnitedHealth.
Health executives say providers want to better protect themselves and patients, but sometimes struggle to find the resources.
“We need to be more prepared as an industry, and I think with these major incidents, people are taking it a lot more seriously,” said Michael Mainiero, chief digital and information officer at Long Island, N.Y.-based Catholic Health, which operates more than 80 hospitals and clinics.
Mainiero deployed dozens of staff to drive out to facilities and physically reset machines during July’s CrowdStrike outage, when a faulty software update downed about 8.5 million Microsoft Windows systems worldwide, including in healthcare. The incident, along with the Change Healthcare attack, prompted him to run drills to find his organization’s weak points, he said.
“I think any hospitals doing this right now, you could say they have complete redundancy in their data center, but I guarantee there are three or four things that aren’t redundant, or could be taken out from a single point of failure,” he said.
A lack of technical resources at small organizations means that the advice, tools and other assistance provided by the federal government are relatively meaningless. Smaller clinics and specialized providers don’t know where to start and often can’t qualify for basic cyber insurance policies.
“There is no chief information security officer, there is no chief technology officer. You’re lucky if you have a director of IT in most of even what we would consider large practices,” said Joe Goldstein, the founder and president of Optimized Computer Solutions, a Cape Coral, Fla.-based managed services provider specializing in technology and security services for the healthcare sector.
Ransomware is a threat, but so is relatively small-scale online criminality that doesn’t grab headlines. Meredith Hirsh, CEO of the Hirsh Center for Arthritis and Sports Medicine, a Delray Beach, Fla.-based rheumatology clinic, said around a year and a half ago a criminal posing as one of her physicians emailed human resources and asked to change her payroll details. Hirsh had to cover the wages the doctor lost during the incident and said further fraud attempts have increased.
“Never in a million years did I think this would happen to us. Now, I get them all the time,” she said.