On Tuesday, the House Energy and Commerce Committee held a hearing on the February 21 Change Healthcare ransomware attack, which disabled a key software conduit used in billing. The hack, which cost medical providers as much as $1 billion per day, has still not been fully repaired. With nearly every hospital network financially affected, band-aid relief from Change’s parent company—the health care giant UnitedHealth—and the federal government has thus far been inadequate.
Members of the committee flared in anger at how a single, consolidated middleman network could perpetuate such lasting harm. “The attack shows how UnitedHealthcare’s anti-competitive practices present a national-security risk,” said Rep. Anna Eshoo (D-CA), ranking Democrat on the health subcommittee, a sentiment echoed by members of both parties and key witnesses, who called for an end to vertical integration in health IT.
UnitedHealth made nobody available for the hearing, though the company committed to testifying at a later date; its CEO Andrew Witty will appear before the Senate at the end of the month. The incident has barely dented UnitedHealth; its latest quarterly earnings report beat expectations with $8.5 billion in profits, and the stock soared on Tuesday.
While members reckoned with these consequences of consolidation, Rep. Cathy McMorris Rodgers (R-WA), who chairs the full committee, took a different approach, praising the committee for its prescience in recognizing cybersecurity threats. What stood out was this line: “In 2020, a bill led by Dr. Burgess which passed through this committee encouraged health care organizations to adopt strong cybersecurity best practices.”
This is a very generous way of describing H.R. 7898, a bill so obscure it didn’t even have a title. A more accurate description would be: legal immunity for hospitals. The bill (now law) is a sterling example of the health care industry’s real priorities amid unending cyber attacks: Don’t get blamed for them.
The two-page bill, authored by Rep. Michael Burgess (R-TX), an ob/gyn from the Dallas suburbs, quietly passed Congress during the lame-duck session of 2020, amid talk of stolen elections and presidential transitions. It advanced in the House by voice vote, in the Senate by unanimous consent, and was signed into law by President Trump on January 5, 2021, on the eve of the attack on the Capitol.
H.R. 7898 limited penalties for health care providers whose patient records were breached in cyber attacks, as long as they could show they had complied for the previous year with “recognized security practices.” These voluntary practices were self-designed by the health care sector, and experts find them to be far less than the bare minimum needed to protect health providers.
More important, the bill provided for the early termination of audits of attacked hospitals that made the same showing, closing the one window regulators had into systemic vulnerabilities and poor defenses. The law effectively states that the government would rather remain in the dark about cyber attacks than force hospitals to expend time and effort on figuring out their security deficiencies.
Four lobbying groups worked on H.R. 7898, mostly health information technology trade groups. One of them, HITRUST, is based in Burgess’s district, and one of its founding members is none other than UnitedHealth, the parent company of Change Healthcare.
Burgess’s office never responded to repeated requests for comment about the bill.
One lobbyist-directed law isn’t responsible for the Change crisis. But it’s indicative of how the health care industry has fought stronger cybersecurity standards for years, opting instead for the kind of easy-to-clear self-certification systems like those HITRUST has set up. The worldview of the industry is that they are victims of ransomware crimes, and shouldn’t have to face any government accountability along with the ransom. But this all-carrot, no-stick approach has not motivated health providers to establish the most basic safeguards to ensure the integrity of the system and prevent catastrophic disruptions that cause prolonged illnesses and even death.
PROOF OF THE SORRY STATE OF HEALTH SYSTEM CYBERSECURITY can be seen in the thousands of attacks since Hollywood Presbyterian Medical Center had to pay hackers $17,000 in Bitcoin to regain access to its computer network in 2016. The mass adoption of electronic medical records in the late 2000s created digital files of personal health information that became more attractive to hold for ransom.
Last month, Axios cited FBI crime data that reported 249 health care and public-health ransomware attacks in 2023. That’s more than in any of the other 15 critical infrastructure sectors outlined in a 2013 Presidential Policy Directive (PPD) by President Obama. But experts believe the number of health care–related attacks last year was actually up to three times higher. Even in the official numbers, we’re seeing acceleration: Eshoo said in the hearing that cyber attacks on hospitals were up 57 percent in 2022.
The rising frequency tracks the lack of safeguards. According to 2022 congressional testimony from Joshua Corman, a cybersecurity researcher who was chief strategist of the federal Cybersecurity and Infrastructure Security Agency (CISA) task force on COVID-19, 85 percent of U.S. hospitals have no experienced cybersecurity staff. “We are overdependent on many undependable things,” Corman said in that testimony.
Attacks are not mere annoyances. Last year, St. Margaret’s Hospital in Spring Valley, Illinois, closed its doors, citing a cyber attack on its computer system, becoming the first health provider to admit that a hack caused it to shut down. It is likely not the only one. And a study last October by the University of Minnesota-Twin Cities School of Public Health found that in-hospital mortality for patients already admitted when a cyber attack hits rises by more than 20 percent in relative terms. This is consistent with other studies and surveys.
In 2019, CISA published a list of 55 national critical functions (NCFs) that need to be protected with cybersecurity measures. Four of them bear directly on the health care sector: protect sensitive information, maintain access to medical records, provide medical care, and support community health.
At the time, the Health Insurance Portability and Accountability Act (HIPAA) already had a security rule, with enforcement stiffened under Obama, that imposed penalties for failing to safeguard electronic health information, penalties typically triggered by a data breach or cyber attack. The rule is framed around protecting the data; it says nothing about a hospital being taken offline and unable to deliver timely care. There was no structure in place to ensure compliance with the other three NCFs.
The Obama PPD designated the Department of Health and Human Services (HHS) to oversee the health care and public-health critical infrastructure sector, in a working group with private-sector executives. The idea was that they would outline a regulatory response. But at the same time, industry lobbyists were working to pass H.R. 7898, to limit penalties from the HIPAA security rule, the only rule in existence at that point.
Corman would later lead a successful effort to pass the PATCH Act, which requires manufacturers of connected medical devices to meet cybersecurity requirements as part of Food and Drug Administration premarket review, one of the first mandatory security standards for any product. But in an interview, he explained how H.R. 7898 revealed the industry’s interest in limiting liability rather than playing catch-up on cyber threats. “We were trying to make the regulations stronger,” he said. “The sector was working hard to undermine the only regulations we had.”
The exemptions in H.R. 7898 are tied to adoption of the Health Industry Cybersecurity Practices, or HICP (pronounced “hiccup”), first adopted by HHS in 2019 and updated in 2023. The Cybersecurity Act of 2015 required guidelines like these for health providers. But they are entirely voluntary and aren’t prioritized; providers cannot decipher which measures are absolutely essential. “This document is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks,” the 2023 HICP guide states in a disclaimer.
Outside of platitudes like “cyber safety is patient safety,” the HICP mostly tells hospitals to be aware of hacker tactics, use the most rudimentary of defenses (like multifactor authentication for email and data networks, basic encryption, or anti-malware detection), train staff to guard against being duped, and report incidents quickly. There’s a section with the breezy title of “Quick Tips to Prevent Ransomware Attacks.” This has all been about as successful as you would think.
The Biden administration has tried to get HHS to adopt stronger standards. It released a National Cybersecurity Strategy last March, and pressed all critical infrastructure sectors to adopt a common set of 38 standards called cybersecurity performance goals. But once HHS and the health industry got done with them, they became the ten practices broadly identified in HICP, along with ten more secondary “enhanced” practices. None of them are specific to the health care sector. These are baby steps on top of baby steps for the industry known to suffer the most cyber attacks.
IT’S CLEAR THAT H.R. 7898 WAS ENTIRELY ABOUT LIMITING penalties on the biggest hospitals; smaller ones—the 85 percent of facilities with no cybersecurity officer—would never be eligible for the exemption. The penalties that smaller hospitals pay aren’t exactly robust, either. In February, Green Ridge Behavioral Health was fined all of $40,000 for violating the HIPAA security rule in 2019, which HHS described as only its second-ever ransomware-related fine.
Smaller hospitals with thin operating margins say they have no capacity to invest in stronger defenses. This year’s Biden budget has called for $800 million over two years in grants to “high-need, low-resourced hospitals” for cybersecurity, along with a $500 million incentive program of higher payments to hospitals that add to their defenses. But this applies to thousands of hospitals. John Riggi, an adviser for cybersecurity for the American Hospital Association, called the offer “far from sufficient.”
So even as the hospital industry complains about lack of support from the government, it was that industry which got Congress to pass the legislation limiting its own responsibility when attacks happen. Eventually, hospitals that get hit will have to pay much more if they don’t invest in protecting their systems. “These target-rich, cyber-poor hospitals both cannot afford to spend on cyber and cannot afford not to,” Corman said.
The signal that H.R. 7898 delivered matters more than its immediate consequences. As long as health care companies engage in check-the-box cybersecurity theater, they can’t even have their systems audited in the event of an inevitable attack. Industry-written compliance requiring the most minimal possible investment, in the absence of any governmental penalties for noncompliance, is highly unlikely to generate anything approaching true cybersecurity. That’s based not only on expert opinion but the cold reality of rampant cyber attacks, including the Change incident that hit the biggest health care company in the country.
Nevertheless, there continues to be a weird level of boasting about H.R. 7898. In the 2023 version of HICP, HHS deputy secretary Andrea Palm went out of her way to praise the “outstanding work” of government and private-sector officials for creating best practices so fabulous that Congress created incentives to adopt them.
It fell to the unlikely figure of Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group, the very public-private partnership Palm was praising, to inject a tiny dose of reality into the Tuesday hearing. As Rep. Burgess once again cautioned against “blaming the victim” for being attacked, Garcia was moved to reply that the HICP standards aren’t quite the fortress protection against cyber attacks some in Congress might assume. “Health systems have responsibility,” he said. “Yes, they are the victim. But if we live in a bad neighborhood, we don’t leave our doors unlocked and our windows open. And the internet is a bad neighborhood.”