Cyberattacks Against Health Care Industry Are Cause for Concern

Published March 28, 2024

On February 21, a cyberattack on a United Health Group (UHG) subsidiary called Change caused widespread chaos at hospitals and medical facilities throughout the country. The attack paralyzed the privately held mega-billing system that processes 15 billion health care transactions annually.

Cyberattacks like the one perpetrated against UHG are alarming because they could potentially destabilize the entire U.S. health care industry. Although it should not have taken a systemwide attack of this scale to wake us up to the national security threat posed by professional hackers, it is better late than never.

According to the American Hospital Association, “94% of hospitals reported that the Change Healthcare cyberattack was impacting them financially, with more than half reporting the impact as ‘significant or serious.’ Indeed, a third of the survey respondents indicated that the attack has disrupted more than half of their revenue.”

Cyberattacks against U.S. health care providers have increased by 53 percent over the past three years. Large data breaches experienced a 93 percent spike from 2020 to 2022. Meanwhile, ransomware attacks on the health care industry, in which attackers capture sensitive patient data and hold it for ransom, saw a stunning 278 percent increase.

Cyberattacks against hospitals can threaten patient data privacy, incapacitate billing and appointment scheduling systems, disable equipment, and, in extreme cases, can cause the temporary shutdown of entire health care facilities. These attacks are extraordinarily destabilizing for communities and can cause widespread economic chaos and panic.

The federal government has largely treated cybercrime like a hurricane or a flood, rather than a life-threatening attack from criminals or state-sponsored terrorists. In 2020, the Treasury Department threatened civil penalties against victims of cyberattacks and ransomware that pay to get their systems back online. Incredibly, this means “that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations.”

In late 2023, the Department of Health and Human Services (HHS) stated that it is focused on “preparedness” and declared that HHS is a “one-stop shop for health care cybersecurity which will improve coordination within HHS and the Federal Government, deepen HHS and the Federal government’s partnership with industry, improve access and uptake of government support and services, and increase HHS’s incident response capabilities.” The customer-friendly and cooperative tone is very inclusive but seems unlikely to deter those who are willing to launch cyberattacks against hospitals for huge ransom payments or to simply inflict terror.

In 2017, the “WannaCry 2.0” cyberattack targeted health care facilities in 150 countries and impacted countless hospitals and clinics. Shockingly, it also affected the use of 1,200 diagnostic devices. The FBI traced this attack back to a North Korean regime-backed programmer.

In late January of this year, the Lurie Children’s Hospital in Chicago was forced to take its network offline in response to a “cybersecurity matter.” Patient charts could not be accessed, email and phone services were interrupted, and many other systems were affected. Unbelievably, some of those systems remain down to this day.

In mid-2023, Saint Margaret’s Health in Spring Valley, Illinois, was forced to close down for good, due in part to a crippling ransomware attack that effectively shut down the ability of the hospital to submit claims or communicate with payers. The attack occurred in February 2021 and sent Saint Margaret’s into a financial tailspin from which it could not recover. The average cost of a hospital data breach is now $11 million, which is more than enough to shutter hospitals struggling to stay afloat.

These attacks are not isolated. Public trust in our emergency response preparedness and in the privacy of health data rests on data security and privacy laws.

Rather than asking for a raft of new laws to deal with cybercrime, health care facilities are hoping the federal government uses the authority and capabilities it already has in place. They point to Australia, which is going on the offensive against cybercriminals, and ask that the U.S. government fully engage its national security capabilities to “proactively disable and disrupt foreign-based cyber threats.”

U.S. health care providers are now threatened by their own government with financial or possibly criminal liability if they choose to pay the perpetrators of cyberattacks. When patient records and fundamental health care services and systems are at risk, the U.S. government should do its job of protecting its citizens. Instead, for the time being, the U.S. government has decided to put the health care industry between a rock and a hard place.

Photo by Kai Stachowiak. Creative Commons CC0 1.0 Universal Public Domain Dedication.