Lee Milligan, chief information officer at Asante Health System in Oregon, said he is encouraged that President Joe Biden has taken steps to help secure the nation against cyber threats, but wants Washington to work more directly with health systems to shoulder the burden of the attacks.
“It blows my mind that ultimately, it’s on the individual hospital systems to attempt to — essentially in isolation — figure it out,” he said. “If a nation state has bombed bridges that connect over the Mississippi River and connect state A and B, would we be looking at it in the same way? And yet the same risk to life happens when they shut down a health system.”
The unrelenting rise in attacks jeopardizes patient safety and strains clinicians already worn out by the Covid-19 pandemic. In the worst case, hackers can shut down hospital operations and siphon off patient data.
Getting hacked is pricey: A 2021 cyberattack on the largest health system in San Diego, Scripps Health, cost $112.7 million. These costs put further pressure on health systems to raise the price of services, especially as they face a competitive labor market, pandemic losses and rising drug prices. And now, cyber insurers are limiting coverage and hiking premiums, further exposing health systems.
There have been various federal efforts to assist health systems with cyberattacks, through the Department of Health and Human Services, the Federal Bureau of Investigations and the Department of Homeland Security. However, not all health systems feel like these resources are enough.
“What I really wanted was for them to put into place an actual specific framework for a partnership between individual health systems and the government on either protecting or responding or preferably both,” Milligan said.
The costs
A doctor gets an email asking her to log into a portal to get a copy of her patient’s past medical records. The website the email links to is fake, a nefarious doppelganger mocked up by hackers. Unwittingly, the doctor has given up her log-in credentials for the real health record portal or downloaded a virus.
This is one of many scenarios health care CISOs are preparing for as health systems prepare for a federal October deadline to make electronic health records data shareable among hospital networks, which could lead to new lines of attacks from cyber criminals, they said, because it draws attention to new entry points for hackers.
Cyberattacks on health systems are on a steady rise, and their costs are mushrooming. Experts said there are a variety of reasons for the increase, including that criminals are getting more advanced and more aspects of health care are online.
When a cyberattack struck Sky Lakes Medical Center, a community hospital in southern Oregon, in late October 2020, its computers were down for three weeks. The most mundane tasks became arduous. Nurses had to check on critical patients every 15 minutes in case their vital signs changed. Doctors scribbled down their orders and the swelling mounds of paper took over whole rooms. In three weeks, the hospital ran through 60,000 sheets of paper.
Sky Lakes had to rebuild or replace 2,500 computers and clean its network to get back online. Even after it hired extra staff, it took six months to input all the paper records into the system. In total, John Gaede, Sky Lakes director of information services, says his organization spent $10 million — a big expense for a nonprofit with roughly $4.4 million in annual operating income (the organization did not pay a ransom).
For hospitals with limited budgets, there are questions about how well they can protect themselves. The attack on Sky Lakes was part of a wave of attacks in 2020 and 2021 connected to a criminal group in Eastern Europe.
“Our budgets typically have a margin of maybe 3 percent a year,” Gaede said, “but we’re supposed to compete with nation-state actors?”
Health data is lucrative on the black market, making hospitals a popular target. Plus, if a health system has ransomware insurance, criminals may think they’re guaranteed a payout. Ransomware ties up hospital records in encrypted files until a fee is paid.
“Back when ransoms were $50,000, it was cheaper to pay them than to deal with a lawsuit that would have cost far more,” says Omid Rahmani, associate director at Fitch Ratings, a credit rating agency, adding that ransoms now cost millions. “The landscape’s changed and because of that the cyber insurance side has changed — and that’s really connected to the rise of ransomware.”
In its annual cost of a data breach report, IBM writes the global average cost of an attack on a health system rose from about $7 million to over $9 million in 2021. But remediating these violations in the U.S. can be far more expensive. There isn’t comprehensive data on how much U.S. health care systems are spending on attacks, but a few high-profile cases shed some light:
- A breach of Universal Health Services, which serves 3.5 million patients, cost $67 million.
- The University of Vermont, an academic medical facility with roughly 168,000 annual patients, spent $54 million to recover from an attack in 2020.
- Scripps Health, which treats 700,000 patients annually, lost $112.7 million.
Health systems are only partially recouping these costs. Scripps received $35 million from its insurers, according to a quarterly financial disclosure — about 30 percent of the actual cost. The University of Vermont collected $30 million from its insurer, while United Health Services received $26 million.
“What I’m seeing is that the cost to remediate after a high-impact cyberattack — whether it’s a large theft of data or disruptive ransomware attack — is easily five times to ten times their insurance coverage, whether you’re a small hospital or large,” said John Riggi, senior adviser on security at the American Hospital Association.
The delta between the cost of a cyberattack and what insurers will pay out is likely to grow. Last year, amid a deluge of claims, Reuters reported that cyber insurers were both pulling back on maximum reimbursement rates and the kinds of attacks they cover. In November, Lloyd’s of London, a major cyber insurance provider, announced it would not cover cyber warfare, or cyberattacks made on behalf of a nation state. Premiums are going up in kind.
“I can’t stress enough, all those costs I’m referring to here are paid for by all of us,” says Brad Ellis, head of Fitch Ratings’ U.S. Health Insurance Group. “[Health systems] are paid by the insurance companies and we all pay the premiums which have gone up by a lot. And they continue to go up.”
The government’s role
A big question is to what degree government agencies should protect organizations deemed critical infrastructure. Two agencies — Cybersecurity and Infrastructure Security Agency and the Health Sector Cybersecurity Coordination Center under the Department of Health and Human Services — provide information about attacks and how to build infrastructure to fend them off. CISA and the FBI also have incident response teams.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said the government needs better visibility into how many attacks are taking place and where. “It bears noting that a significant portion of cybersecurity intrusions are not reported to the government,” he said.
Health systems are required to report data exposures that affect more than 500 people to the Office of Civil Rights. But if health data doesn’t get out, health systems don’t have to report.
But that is poised to change. Last spring, Biden signed an executive order on improving the nation’s cybersecurity that Goldstein calls “the most operationally impactful cybersecurity Executive Order ever,” signaling an increased investment in cyber security.
“It sets forth really a sea change in how the federal government manages its own cybersecurity,” he says.
The Biden administration also convened a meeting last week with several health care executives and relevant senior government officials to discuss cybersecurity threats and the challenge of securing smaller health systems.
In May, Senate Homeland Security and Governmental Affairs Chair Gary Peters (D-Mich.) released a report showing the government had insufficient data on cyberattacks hitting critical infrastructure, like health care facilities, to effectively protect the nation against such strikes. Peters is also behind the Cyber Incident Reporting Act, a recently passed law that has tight deadlines for reporting significant cyberattacks and ransomware payments to CISA (the rule also gives CISA the power to subpoena anyone who doesn’t make these deadlines).
In turn, CISA will design a warning system to alert potential targets to common exploits and set up a ransomware taskforce to prevent and disrupt attacks. The taskforce must be set up by roughly March of next year, while the ransomware vulnerability warning pilot has a year to get off the ground.
Goldstein acknowledges that the government may not be actively defending every health system from a cyberattack. But, he notes that CISA erected the Joint Cyber Defense Collaborative last year to work with telecom companies and cloud providers on securing their infrastructure, and health systems, which use these networks, stand to benefit by proxy.
“Cybersecurity is now, maybe for the first time, a board of directors and C-suite issue at organizations across the country,” he said, adding that this level of attention and spending is ultimately what will help counter the threat.
