Cyberattacks, especially ransomware, are crippling the U.S. healthcare system, and the federal response has been widely criticized as inadequate. Central Oregon Pathology Consultants (COPC) became a victim of one of the most significant ransomware attacks in U.S. history in February 2023. The attack targeted Change Healthcare, a major payments manager, causing billing disruptions across hospitals, clinics, and pharmacies for months, with services delayed, patients unable to pay bills, and providers losing revenue.
COPC’s practice manager, Julie Tracewell, described how her team was overwhelmed, with around 20,000 claims left in limbo. The financial losses from this attack are still unknown, but the effects could take months to resolve. Patients were unable to fill prescriptions, and healthcare providers, including hospitals and physical therapists, struggled to stay operational.
This attack underscores the healthcare sector’s vulnerability to cyber threats. According to the FBI, healthcare is the most frequent target for ransomware, with 249 reported attacks in 2023. These cyberattacks disrupt vital services and have sparked calls from healthcare executives and lawmakers for a stronger federal response.
Critics like Senator Ron Wyden (D-Ore.), chair of the Senate Finance Committee, have voiced their frustration with the Department of Health and Human Services (HHS) for relying too heavily on voluntary best practices for cybersecurity in healthcare. Wyden argues that the self-regulation approach leaves healthcare dangerously exposed to hackers, pushing for a more robust regulatory framework.
Mark Montgomery, a senior director at the Foundation for Defense of Democracies, similarly criticized the federal government’s progress on healthcare cybersecurity as almost non-existent. He pointed out that despite growing threats, the government’s response remains fragmented and sluggish.
Recent attacks, such as one on OneBlood, a nonprofit blood donation service, highlight the wider dangers of these cyber threats. The ransomware attack affected blood transfusion services at hundreds of hospitals in the southeastern U.S., showing how deeply these attacks can disrupt the healthcare system. Other notable incidents, like a 2020 ransomware attack on the University of Vermont Health Network, shut down critical technology for mixing chemotherapy treatments.
In response to these growing threats, HHS released a cybersecurity strategy in December 2023, with plans to improve security measures within the sector. The proposal focuses on incentivizing hospitals to adopt essential cybersecurity practices while penalizing those that do not. However, the rollout could take years. According to HHS’s budget proposal, cybersecurity funding for “high-needs” hospitals won’t be available until fiscal year 2027, delaying urgently needed protection.
Critics argue that HHS’s narrow focus on hospitals is not enough. Iliana Peters, a former enforcement attorney for HHS’s Office for Civil Rights, stressed the need for federal investments in the broader healthcare ecosystem, including suppliers and contractors. With many healthcare organizations interconnected, vulnerabilities in one part of the system can cascade and affect others.
HHS’s focus on hospitals is driven by its mission to protect patient safety, says Brian Mazanec, a deputy director at the Administration for Strategic Preparedness and Response (ASPR), a department within HHS responsible for cybersecurity. However, the fragmented responsibility for healthcare cybersecurity, shared among various HHS offices and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), has caused confusion and inefficiency.
CISA and HHS’s preparedness office are tasked with building cyber defenses, such as encouraging medical software developers to improve security. These agencies are also working on identifying “systemically important” healthcare entities that would receive special government support, such as threat briefings. However, Change Healthcare, the company targeted in the February attack, was not yet on this list, highlighting how slowly these critical protections are being implemented.
Critics also note that ASPR has traditionally focused on physical disasters, like hurricanes and pandemics, and inherited cybersecurity responsibility during the Trump administration. Some argue that the office lacks the expertise and resources to manage this new role effectively. Chris Meekins, a former official in ASPR, argues that the office is unprepared for the cybersecurity challenges it faces, suggesting it is out of its depth when dealing with ransomware and other cyber threats.
Staffing shortages in key federal offices compound the problem. Annie Fixler, a director at the Foundation for Defense of Democracies, noted that only a “small handful” of employees are currently focused on healthcare cybersecurity. Mazanec acknowledged the need for more staff and hoped additional funding would help hire more professionals.
The private sector has also expressed frustration with the federal response. For example, Health-ISAC, an industry group focused on cyberthreats, struggled to collaborate with HHS to create a coordinated incident response plan. During the 2017 NotPetya attack, which caused widespread damage to hospitals, Health-ISAC had to distribute threat information on its own, as federal agencies were unprepared.
The February attack on Change Healthcare, reportedly caused by a lack of multifactor authentication, highlights the need for more robust federal cybersecurity enforcement. While HHS has proposed new cybersecurity goals, most remain voluntary. Mazanec said HHS is exploring the possibility of enforceable standards, but these changes are far from being implemented.
In the meantime, the healthcare sector remains highly vulnerable to cyberattacks, and many experts believe the federal response remains insufficient. As the frequency and severity of these attacks increase, it is clear that more needs to be done to protect healthcare systems and patients from this growing threat.