Health | Cyberattacks are plaguing the healthcare industry. Critics describe the federal government's response as weak and fragmented

By Darius Tahir, KFF Health News

Central Oregon Pathology Consultants has been in business for nearly 60 years, providing molecular testing and other diagnostic services east of the Cascade Range.

Starting last winter, the company operated for months without pay, living on cash, practice manager Julie Tracewell said. The practice is reeling from the fallout from one of the significant digital attacks in American history: the February hack of payment manager Change Healthcare.

COPC recently learned that Change had begun processing some outstanding claims, which totaled about 20,000 as of July, but Tracewell didn't know which of them, she said. The patient payment portal stays closed, stopping customers from paying their bills.

“It will take months to calculate the total loss of this downtime,” she said.

Healthcare is the most common target of ransomware attacks: In 2023, the FBI says, 249 of them were directed at healthcare facilities, the most of any sector.

And health care leaders, advocates and members of Congress are concerned that the federal government's response is insufficient, underfunded and too focused on protecting hospitals, even as the Change hack has shown that vulnerabilities are widespread.

The Department of Health and Human Services' “current approach to healthcare cybersecurity – self-regulation and voluntary best practices – is woefully inadequate and has left the healthcare system vulnerable to criminals and foreign government hackers,” Sen. Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, wrote in a recent letter to the agency.

The money isn't there, said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “We’ve seen extremely incremental to almost no effort” to invest more in security, he said.

The task is urgent: 2024 has been a year of healthcare hacks. Hundreds of hospitals throughout the Southeast faced disruptions to their ability to receive blood for transfusions after the nonprofit OneBlood, a donation service, fell victim to a ransomware attack.

Cyberattacks make everyday and complicated tasks alike difficult, said Nate Couture, chief information security officer at the University of Vermont Health Network, which was hit by a ransomware attack in 2020. “We can’t mix a chemo cocktail with the eye,” he said, referring to cancer treatments, at an event in June in Washington, DC.

In December, HHS developed a cybersecurity strategy meant to support the sector. Several proposals focused on hospitals, including a carrot-and-stick program to reward providers who adopted certain “essential” safety practices and penalize those that didn’t.

It could take years for even this narrow focus to materialize: Under the department's budget proposal, money would flow to hospitals with “strong need” from the 2027 budget year.

The focus on hospitals is “not appropriate,” Iliana Peters, a former law enforcement attorney at the HHS Office for Civil Rights, said in an interview. “The federal government needs to go further” by also investing in the organizations that supply and contract with providers, she said.

The department's interest in protecting patient health and safety “puts hospitals at the top of our list of priority partners,” Brian Mazanec, deputy director of the Administration for Strategic Preparedness and Response at HHS, said in an interview.

Responsibility for cybersecurity in the country's healthcare system is shared by three offices in two different agencies. The Department of Health and Human Services' civil rights office is a sort of police officer on duty, monitoring whether hospitals and other health groups have adequate patient privacy protections and potentially fining them if they don't.

The Department of Health and Human Services' preparedness office and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency are helping build defenses, for instance by requiring medical software developers to use auditing technology to verify their security.

Both are required to draw up a list of “systemically important units” whose operations are crucial for the proper functioning of the health system. These entities could be given special attention, such as by including them in government threat briefings, Josh Corman, co-founder of cyber advocacy group I Am The Cavalry, said in an interview.

Federal officials had been working on the list when news of the Change hack broke — but Change Healthcare was not on the list, Jen Easterly, head of Homeland Security's cybersecurity agency, said at an event in March.

Nitin Natarajan, deputy director of the cybersecurity agency, told KFF Health News that the list is only a draft. The agency previously estimated it would finalize the entity list, across industries, last September.

The Department of Health and Human Services' preparedness office is supposed to coordinate with the Department of Homeland Security's cybersecurity agency and all of the Department of Health and Human Services, but congressional staffers said the office's efforts were inadequate. There are “silos of excellence” in HHS “in which the teams don’t talk to each other, [where it] wasn’t clear who people should turn to,” Matt McMurray, chief of staff to Rep. Robin Kelly (D-Ill.), said at a conference in June.

“Is the Health Department’s on-call office ‘the right home for cybersecurity?’ I’m not sure,” he said.

Historically, the office focused on disasters in the physical world: earthquakes, hurricanes, anthrax attacks, pandemics. It inherited cybersecurity as Trump-era department leadership sought more money and authority, said Chris Meekins, who worked for the preparedness office under Trump and is now an analyst at investment bank Raymond James.

But since then, Meekins said, the agency has shown it’s “not qualified to do this.” “There is an absence of funding, an absence of commitment, an absence of specialist knowledge.”

The preparedness office has only a “small handful” of employees focused on cybersecurity, said Annie Fixler, director of the FDD Center for Cyber and Technology Innovation. Mazanec acknowledges the number isn’t high, but hopes additional funding will allow for more hiring.

The office was slow to respond to outside feedback. When a cyber threat industry clearinghouse tried to coordinate with it to develop an incident response process, “it probably took three years to find someone willing to support the effort,” said Jim Routh, the then-CEO of the Health Information Sharing and Analysis Center group.

During the NotPetya attack in 2017, a hack that caused widespread damage to hospitals and drugmaker Merck, Health-ISAC itself ultimately shared information with its members, including the best way to contain the attack, Routh said.

Advocates look at the Change hack (said to be caused by a lack of multifactor authentication, a technology quite common in American workplaces) and say HHS needs to use regulations and incentives to push the health care sector to introduce better defenses. The department's strategy, published in December, set out a comparatively limited list of targets for the health sector, most of which are voluntary at this stage. The agency is “exploring” creating “new enforceable” standards, Mazanec said.

Much of the HHS strategy is expected to be implemented in the coming months. The department has already requested more funding. The preparedness office, for instance, is asking for an additional $12 million for cybersecurity. The civil rights office, with a flat budget and shrinking enforcement staff, is expected to release an update to its privacy and security rules.

“The entire industry still faces major challenges,” said Routh. “I don’t see anything on the horizon that will necessarily change that.”


©2024 KFF Health News. Distributed by Tribune Content Agency, LLC.
