
WHY HACKERS LOVE NASHVILLE HEALTHCARE

Sep 23, 2024

8 min read






By Nikki Ross – Reporter, Nashville Business Journal Sep 20, 2024


The original article was published by the Nashville Business Journal.


If the health care industry doesn’t do something soon, patients are going to die.


“We’re getting closer and closer to a point where cyberattacks are going to be the cause of death for a patient,” said Gavin Quinn, chief strategy officer at Nashville-based 360 Privacy.

Cyberattacks on health care companies have been increasing at an alarming rate, something experts have been warning about for years. But to many onlookers, the industry hasn’t listened.


“When I heard Change Healthcare got breached ... or any of these large companies, I just kind of laugh because I’ve been trying to change corporate culture forever,” said Scott Augenbaum, a retired FBI special agent who specialized in cybersecurity. “I’ve been telling health care since 2016. ... Nobody listened.”


[Photo illustration: a hooded figure wearing a mask and working on a laptop covered in hacking stickers. Credit: Jason Baum | NBJ; Kevin Wurm | NBJ; Getty Images]


Over the past five years, there has been a 256% increase in large health care cybersecurity breaches involving hacking reported to the U.S. Department of Health and Human Services’ Office for Civil Rights. There has also been a 264% increase in ransomware attacks. In 2023 alone, more than 134 million individuals were impacted by health care breaches, up 141% from 2021. Hacking accounted for 79% of those large data breaches.


In recent years, Nashville-area health care companies — including Community Health Systems Inc., Vanderbilt University Medical Center, Ascension Saint Thomas and HCA Healthcare Inc. — have been victims of cybersecurity attacks.


Most recently, the attack on St. Louis-based Ascension, the parent company of Saint Thomas, shut down the local hospital system’s electronic health records, plunging providers back to the days of paper documentation.


This year, Nashville-based Change Healthcare, now a subsidiary of UnitedHealth Group Inc., was the victim of a cyberattack that snarled medical processing systems nationwide and may have exposed personal data of tens of millions of Americans.


HHS’ Office for Civil Rights has listed 16 cybersecurity breaches this year impacting 712,415 individuals in Tennessee, though that does not yet include Ascension Saint Thomas or Change Healthcare figures. Under the HIPAA Breach Notification Rule, health care companies must notify HHS of any breach affecting 500 or more individuals within 60 days, and those breaches are posted publicly on OCR’s breach portal; smaller breaches are logged and reported annually.


“There’s a ton of underreporting,” Augenbaum said. “People don’t want to report, especially when they are victimized.”


Cyberattacks on health care systems aren’t new but are getting more attention because they’re happening at a higher scale and impacting patients, according to Dan Dodson, CEO of Brentwood-based Fortified Health Security.


“The massive disruption to patient care is what really drives the attention of society,” Dodson said. “Health systems exist to serve patients in the communities to which they exist, and we can’t do that if we’re down with a cyber event. What we’re seeing really is these massive cyberattacks are taking health systems offline, which is impacting patients.”


Why health care is a target


Health care companies hold a lot of sensitive data — including medical history and Social Security numbers — and are willing to pay big bucks to get that information back.

That’s the main reason experts say the industry is rife with attacks.


“If I hold the health system ransom and I lock their systems up, they’re more likely to pay me because they need to serve patients in their community,” Dodson said. “The pressure of the patient is really driving their attack on health care.”


Retired Lt. General Charlie Moore, a visiting professor at Vanderbilt University and former deputy commander for U.S. Cyber Command, said the sheer size and scope of health care companies make them even more susceptible to attack.


“Health care in the United States to actually operate, it requires an incredible amount of digital connectedness between the providers, pharmacies, insurance companies, third- party vendors, etc.,” Moore said. “When you have that large attack surface, there’s bound to be more opportunities for penetration.”


As health care companies make acquisitions and partner with other systems, the risk of a cybersecurity incident increases, Moore said.


“The more complex your network, the older your network, the more things you bolt on to it as you acquire companies, it just increases your cybersecurity problem,” Moore said.


The July CrowdStrike outage, triggered by a faulty Falcon sensor update that crashed Microsoft Windows devices worldwide, impacted everything from airlines to banks. It was a defect rather than an attack, but it is a prime example of how interconnected companies can be crippled by a single disruption.


A lack of funding for protections, gray areas in regulations and obligations, and overall naiveté about cybersecurity also help explain why health care is seeing a soaring number of breaches.


“Unfortunately, traditionally a lot of health care organizations haven’t invested all that much money and time and effort into cybersecurity, especially compared to some of the other industries, like the financial services industry,” Moore said.


Nationwide, health care companies, including providers, increased their cybersecurity budgets by 55.3% from 2022 to 2023, according to a survey of 229 health care cybersecurity professionals conducted by the Healthcare Information and Management Systems Society Inc. Historically, health care organizations spend 6% or less of their IT budgets on cybersecurity, but recent data shows that budget is now increasing to 7% to 10% or more for hospitals. More than half of the respondents said they expect cybersecurity budgets to grow again this year.


Dodson doesn’t think it’s all on the health care systems.


“I don’t think that health care organizations are trying to not take this seriously or not invest in this,” Dodson said. “We just need more capital and more funds to be able to build better defenses, quite frankly.”

Apryl Childs-Potter, president of the Nashville Health Care Council, said health care companies are taking cybersecurity risks seriously. She said that while CEOs used to be able to defer cyber issues to the IT department, the recent shifts in attacks have made it an enterprise risk.


“You’re seeing a lot more prioritization in the boardroom, which to me illustrates the level of importance of this as an issue and a risk,” Childs-Potter said. “Health care companies are prioritizing their cyber threat planning.”


At this point, it’s not a matter of if a company will be breached, but seemingly when.


“Ransomware is an endemic problem — it’s not going anywhere,” said Thomas Ritter, a cybersecurity-focused lawyer and co-founder of Ritter Gallagher, which launched this year. “Unfortunately, just by the sheer nature of connectivity, cryptocurrency and the ability for these guys to get paid in a very anonymous, secure manner, it’s going to continue to be a problem for years to come.”


Cybersecurity lawyer Ryan Gallagher, co-founder of Ritter Gallagher, said it may seem like Nashville — where health care is the No. 1 employer and contributes $67.91 billion to the local economy annually — is disproportionately attacked compared to other cities, but that’s not the case.


“I don’t know that Nashville is getting it worse than anybody else, except for the fact that because we are Health Care City, we know HCA is one of the big organizations, and the endless vendors, suppliers, downstream businesses of those big conglomerates,” Gallagher said. “There are just so many in Nashville, and those are prime targets because they are not as sophisticated.”

Who is attacking health care?


The hackers aren’t teenagers sitting in their parents’ basements, pizza in hand.

The attackers who focus on the health care industry are organized and operate as part of larger groups with specialized roles. One group, often called an initial access broker, gains a foothold in a company and then sells or hands that access to a ransomware operator or affiliate, which encrypts systems and holds them for ransom. Yet another party handles negotiation and payment with the health system, and so on.


“These are very sophisticated and complex, primarily nation-state-funded adversaries,” Dodson said. “This is a sophisticated network around the world that’s really executing these attacks, which makes it very difficult for the regulatory environment [or] FBI to track these cells and actually hold people accountable.”


Accountability is instead focused on the health care organization that was attacked as opposed to the hackers, because finding them and arresting them is next to impossible.


UnitedHealth Group CEO Andrew Witty, for instance, was publicly slammed by the U.S. Senate Finance Committee in May over the lack of multifactor authentication on the remote-access portal through which attackers, using stolen credentials, entered Change Healthcare’s network and set off its data breach.


Attacks are coming from all over the globe, according to Moore, and it makes no difference whether the attacker is next door or on another continent.


“One of the great benefits the United States has had historically is we’re separated by two oceans,” Moore said. “When you start talking about a digital world, and one that is completely interconnected, those geographic benefits go away.”


In the past, groups have shied away from making large attacks in the health care space because they didn’t want the government to get more involved.


“Recently the gloves have come off,” Gallagher said. “I don’t think that’s as much of a consideration anymore, partly because I think that the criminal landscape is so fragmented now.”


But that fragmentation is leading to what Ritter and Gallagher said could be a change in the tide for regulations. Right now, rules such as the HIPAA Security Rule require only “reasonable and appropriate” safeguards, a standard that different companies interpret differently.


“This could be impetus for change, voluntary or forced,” Ritter said. “It seems like we’re at a point now where if hospitals and clinicians and all on down the line can’t or are unwilling to prescribe to kind of an amorphous standard ... then the government is going to force on them the minimum-security standards to do so.”


The fallout


No one thinks they are going to be the victim. Until it happens to them.


“I once had a health care company tell me they were not concerned with becoming a victim because they were a small business, according to revenue size,” Augenbaum said. “Cybercriminals do not care the size of your company: They are going to target you.”


By the time a company is the victim, there’s not much anyone can do. Augenbaum likens his former division’s response to attacks to “hospice.”


“Law enforcement does not have a magic wand,” Augenbaum said. “We can’t get your money back. Recovering stolen data is next to impossible once it gets on the dark web.”


How badly companies are impacted depends on how well they were protected before the breach, in particular whether their backups and recovery plans work when needed.


“If their data is backed up well, if they have a good recovery plan in place, the disruption to the organization’s operation is minimalized,” Dodson said. “Most of the time you end up putting a war room together, trying to contain the blast radius of the event.”


Childs-Potter said health care is navigating a critical time when it comes to fallout from cyberattacks. There are still veteran health care leaders and workers who know how to do their jobs without connected technologies, as Ascension had to do when it was attacked and briefly switched back to paper documentation.


She said these are the people who can help set up an analog process to help deal with the aftermath of a cyber attack.


“The window for that is right now, because you have all those seasoned leaders that were from the before times, before there was all this technology,” Childs-Potter said. “They won’t be there forever, so we should take advantage of that time now to really pick their brain and think about those solutions from the analog world.”


How else can Nashville’s companies protect themselves? Invest in cybersecurity protections now, before a breach happens.


“Don’t walk into this alone. Don’t try to handle this in-house,” Gallagher said.


Childs-Potter said cybersecurity has to be a board-level issue and leadership needs to be well versed in the threats, plans and solutions for attacks.


“The threat of cyber attacks is incredibly real,” Childs-Potter said. “They could have, they do have and continue to have pretty devastating consequences for the operations of many critical infrastructure industries, health care included.


“The reality is there has to be some systemwide safeguards and solutions — [these] are not things that individual systems can fully take on on their own.”



