The recent cyberattack on Change Healthcare, a major billing and payment company in the health care industry, revealed serious vulnerabilities in the U.S. health care system. This attack, which was a ransomware attack, had widespread effects on the industry. Many providers have still not been able to collect billions of dollars in payments, and smaller hospitals and medical offices are struggling to get paid even more than a month after the attack. The exact nature and scope of the attack have not been fully disclosed, and investigations are ongoing to determine if patients’ records and personal information have been compromised.
The health care industry has increasingly become a target for cyberattacks, with ransomware attacks on the rise. Cybersecurity experts and government officials have identified health care as one of the most vulnerable sectors in the U.S. economy. Studies have shown that hospital mortality rates can increase after a cyberattack, leading to canceled surgeries and disrupted patient care. Hackers have also made sensitive patient health data public in some cases, causing privacy concerns for patients.
Medical records are valuable targets for hackers because they can be used for health care fraud, and unlike stolen credit cards, they cannot be easily canceled or changed. Health care groups often pay ransoms to limit exposure for patients, even though the FBI advises against it, as the stakes are high. However, smaller hospitals and doctor’s practices often lack the resources to invest in enhanced security measures, leaving them vulnerable to cyberattacks.
The government’s response to cybersecurity threats in the health care industry has been fragmented and outdated. Hospitals have a range of security standards to choose from with no advance auditing of compliance. The regulatory framework for insurer data security is also inconsistent, as health insurers are largely regulated at the state level. The Biden administration is calling for the Department of Health and Human Services (HHS) to strengthen digital security measures for hospitals and revise regulations on data sharing.
Updating systems across the health care industry to improve cybersecurity may be costly, particularly for smaller organizations with limited budgets. The Biden administration has requested $800 million in funding to help improve hospital systems as part of its budget proposal, but it remains to be seen if Congress will provide funding for modernization. Some hospitals may prioritize spending on patient care and medical equipment over stringent digital security measures if additional resources are not provided to raise the bar on cybersecurity.
