
Critics say government response to cyberattacks on healthcare is weak and patchy

Central Oregon Pathology Consultants (COPC) has been in business for nearly 60 years, providing molecular testing and other diagnostic services east of the Cascade Range.

Since last winter, the practice has gone months without being paid and has had to survive on the cash it has on hand, said practice manager Julie Tracewell. The practice is still dealing with the aftermath of one of the worst digital attacks in American history: the hacking of the payment service provider Change Healthcare in February.

COPC recently learned that Change has begun processing some of the outstanding claims, which totaled about 20,000 as of July. However, Tracewell does not know what those claims are, she said. The patient payment portal remains down, meaning customers cannot pay their bills.

“It will take months to calculate the full damage caused by this downtime,” she said.

Healthcare is the most common target of ransomware attacks: in 2023, according to the FBI, 249 of them targeted healthcare facilities – more than any other sector.

And health care leaders, advocates and representatives in Congress are concerned that the federal government's response is underpowered, underfunded and too focused on protecting hospitals – even though Change has proven there are many weaknesses.

“HHS’s current approach to healthcare cybersecurity – self-regulation and voluntary best practices – is woefully inadequate and has left the healthcare system vulnerable to criminals and foreign government hackers,” Sen. Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, wrote in a recent letter to the agency.

The money isn't there, said Mark Montgomery, senior director of the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation. “We've seen extremely incremental to almost no effort” to invest more in security, he said.

The task is urgent – 2024 was a year of hacker attacks on the healthcare system. Hundreds of hospitals in the Southeast faced disruptions to blood donations after the nonprofit donation service OneBlood fell victim to a ransomware attack.

Cyberattacks complicate everyday and complex tasks alike, said Nate Couture, chief information security officer at the University of Vermont Health Network, which was hit by a ransomware attack in 2020. “We can't mix a chemo cocktail by eye,” he said at an event in Washington, DC, in June, referring to cancer treatments.

In December, the Department of Health released a cybersecurity strategy designed to support the sector, with several proposals focused on hospitals, including a carrot-and-stick program to reward providers who adopted certain “essential” security practices and penalize those who did not.

Even this narrow focus could take years to become a reality: According to the department's draft budget, funds would flow to hospitals with “high needs” starting in fiscal year 2027.

The focus on hospitals is “not appropriate,” Iliana Peters, a former attorney in the Health Department's Office for Civil Rights, said in an interview. “The federal government needs to go further” by also investing in the organizations that supply and contract with the providers, she said.

The department's interest in protecting patient health and safety “puts hospitals at the top of our list of priority partners,” said Brian Mazanec, deputy director of HHS's Administration for Strategic Preparedness and Response, in an interview.

Responsibility for cybersecurity in the nation's health care system is shared between three offices in two different agencies. The Department of Health and Human Services' Office for Civil Rights is a sort of patrolman, monitoring whether hospitals and other health care organizations have adequate safeguards in place for their patients' privacy. If they don't, it may impose fines.

The Department of Health and Human Services' Office of Preparedness and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency are helping to build defenses – for example, by requiring medical software developers to use auditing technologies to monitor their security.

Both are required to compile a list of “systemically important companies” whose operations are critical to the smooth functioning of the health care system. These companies could receive special attention, such as through inclusion in government threat briefings, Josh Corman, co-founder of the cyber advocacy group I Am The Cavalry, said in an interview.

When news of the Change hack broke, federal officials had been working on the list – but Change Healthcare was not on it, said Jen Easterly, head of the Department of Homeland Security's cybersecurity agency, at an event in March.

Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency, told KFF Health News that the list was only a draft. The agency had previously expected to finalize the list of companies – across all sectors – last September.

The Health and Human Services preparedness office is supposed to work with the Department of Homeland Security's cybersecurity agency and the entire Health and Human Services Department, but congressional aides said the office's efforts were inadequate. There were “silos of excellence” in HHS “where teams were not talking to each other, [where] it wasn't clear who people should turn to,” said Matt McMurray, chief of staff to Rep. Robin Kelly (D-Ill.), at a conference in June.

Is the Health Department's preparedness office “the right place for cybersecurity? I'm not sure,” he said.

In the past, the office focused on real-world disasters – earthquakes, hurricanes, anthrax attacks, pandemics. Cybersecurity took over as department leadership reached for more money and authority in the Trump era, says Chris Meekins, who worked for the Office of Emergency Preparedness under Trump and is now an analyst at investment bank Raymond James.

But since then, Meekins said, the agency has shown that it is “not qualified to do this. It lacks the resources, the commitment and the expertise.”

The preparedness office has only a “small handful” of employees focused on cybersecurity, said Annie Fixler, director of the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation. Mazanec acknowledged the number is not high, but hopes additional funding will allow for the hiring of more staff.

The office was slow to respond to outside feedback. When an industry cyber threat clearinghouse tried to work with the office to develop an incident response process, “it probably took three years to find someone willing to support the effort,” said Jim Routh, then-board chairman of the Health Information Sharing and Analysis Center (ISAC) group.

During the NotPetya attack in 2017 – a hacking attack that caused major damage to hospitals and drugmaker Merck – Health-ISAC itself ended up sharing information with its members, including the best method to contain the attack, Routh said.

Advocates look at the Change hack – allegedly made possible by the lack of multifactor authentication, a technology widely used in American workplaces – and say HHS needs to use mandates and incentives to push the health sector toward better defenses. The department's strategy, released in December, proposed a relatively limited list of goals for the health sector, which are mostly voluntary at this point. The agency is “exploring” the creation of “new enforceable” standards, Mazanec said.

Much of the HHS strategy is expected to be implemented in the coming months. The department has already requested more funding. The preparedness office, for example, wants an additional $12 million for cybersecurity. The Office for Civil Rights, which has a stagnant budget and declining staff, is expected to update its privacy and security rules.

“The industry as a whole still faces major challenges,” Routh said. “I don't see anything on the horizon that will necessarily change that.”

KFF Health News is a national newsroom that produces in-depth coverage of health issues and is one of the core operating programs of KFF – an independent source of health policy research, polling and journalism.