WASHINGTON, D.C. – “Totally unprepared,” that’s how some cyber security experts describe the U.S. healthcare industry following a series of major cyber attacks.
Now, lawmakers want answers, questioning why this sector of critical infrastructure doesn’t have stronger security measures.
This problem drew attention in February when a cyber attack shut down systems nationwide at Change Healthcare. Now, it’s a priority, after another major attack just weeks ago on healthcare giant Ascension.
“We owe it to American patients and to our front-line healthcare providers, from health systems to clinicians and community pharmacies, to ensure that this does not and cannot happen again,” said Sen. Mike Crapo (R-Idaho) at a recent hearing.
***Please sign up for CBN Newsletters and download the CBN News app to ensure you keep receiving the latest news.***
Digital assaults against the healthcare sector have skyrocketed over the last five years. The Health and Human Services Department reported a 256 percent increase in large information breaches.
Cyber security consultant Carter Groome of First Health Advisory says the industry is playing catch-up just to meet basic standards.
“Broadly the healthcare sector is just not ready, and it’s only because we haven’t been trained over the past 15 or 20 years like the financial sector has, to protect our systems,” Groome told CBN News.
Hackers in the Change Healthcare attack, for example, gained access because a server lacked security measures many companies consider mandatory.
“Cyber criminals entered a Change Healthcare portal, ex-filtrated data, and on February the 21st, deployed ransomware. The portal they accessed was not protected by multi-factor authentication,” said UnitedHealth Group CEO Andrew Witty.
UnitedHealth owns Change Healthcare, and Witty recently told lawmakers his company still doesn’t know why those protections weren’t in place, an admission that didn’t sit well.
“This was some basic stuff that was missed, so shame on internal audit, external audit, and your systems folks tasked with redundancy. They’re not doing their job,” said Sen. Thom Tillis (R-NC).
“This hack could have been stopped with cyber security 101,” echoed Sen. Ron Wyden (D-OR).
Change Healthcare provides technology used for insurance claims. The attack prevented those from being filed nationwide.
While Witty says the compromised system is now completely rebuilt, he had to pay the hackers a $22 million ransom to get it back online.
“That’s going to further motivate more attacks because they see that and say, ‘Well, these health systems are willing to pay, they need to get back online, they need to get their data, they need to serve their communities and their patients,'” explained Groome.
Ascension Health System, meanwhile, has not revealed whether a ransom was paid, and fallout from that attack continues, affecting 140 hospitals and dozens of senior living facilities across 19 states.
The initial breach forced facilities to divert ambulances, blocked online access to records, and even affected patients getting medicine.
“They cannot scan the medication, so you cannot scan the patient’s armband, or the barcode on the medication to match to see if that is even a correct order or dose,” a nurse told ABC News.
Now, weeks later, many hospital workers still report little progress and continuing treatment delays that one ER worker described as “putting lives at risk.”
“It is, in my view, Exhibit A that the country needs tough cyber security standards and they’re needed to protect critical infrastructure and patients across the country,” said Sen. Wyden.
After the high-profile nature of these attacks garnered the attention of the federal government, HHS is now planning to invest more than $50 million in a cyber security line of defense for hospitals to handle these kinds of threats.