This spring's cyberattacks on health care providers and insurers left hospitals unable to treat patients, and Americans coast to coast struggling to obtain or afford their medications. The attacks are part of a massive increase in the prevalence of cyberattacks in the health care sector.
The February attack on Change Healthcare, which processes insurance claims, may have compromised the data of as many as one-third of Americans, according to the CEO of UnitedHealth, which owns Change Healthcare.
Experts say health care organizations are targeted in part because they store such valuable information, but there's more at play.
"I mean people can die, you know, if the hospital's not functioning," said Steven McKeon, CEO of tech firm MacguyverTech. "On the other side is, a lot of their software and their infrastructure is dated, and from a hacker standpoint, it's an easier target."
Experts think health care organizations let cybersecurity systems fall by the wayside in the shadow of high costs and under the pressure of a complex and challenging industry. Now, hackers see potential.
"There's increased vulnerability because some of these attacks are also more successful, despite there being more vigilance and preparedness," said Pavani Rangachari, a professor of health care administration at the University of New Haven.
Company News
UnitedHealth says hackers accessed personal data
The Biden administration has proposed implementing fines for organizations that suffer attacks to incentivize improved cybersecurity among insurers and providers.
"I do believe something has to happen, but I think a slap on the wrist is maybe not the most effective way of doing that," McKeon said.
The American Hospital Association also opposes the idea, arguing, "imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks."
"You can measure, oftentimes, the existence of a control — you know, do they have this technical control, do they have the security thing in place — but it's really a lot more difficult to measure how effective it is," said Alex Hamerstone, the advisory solutions director at TrustedSec. "What you don't want to do is see controls being put in place or technology put in place kind of willy-nilly just to check a box rather than really work towards patient security and system security."
The February attack on Change Healthcare crippled a behemoth of the industry, leading to an antitrust argument on Capitol Hill.
"The attack shows how UnitedHealth's anti-competitive practices present a national security risk because its operations now extend through every point of our health care system," Rep. Anna Eshoo, said during an April hearing on the hack.
"Clearly [the hackers] know what they're doing, they know how to attack those that are most in need and most vulnerable," Rangachari said. "The industry, in turn, needs to be prepared accordingly."
