Experts: US hospitals prone to cyberattacks like one that hurt patient care at Ascension

Rachana Pradhan, Kate Wells, Michigan Public, KFF Health News

Published in Health & Fitness

Ascension declined to answer questions about claims that care has been affected by the ransomware attack. “As we have made clear throughout this cyber attack which has impacted our system and our dedicated clinical providers, caring for our patients is our highest priority,” Sean Fitzpatrick, Ascension’s vice president of external communications, said via email on June 3. “We are confident that our care providers in our hospitals and facilities continue to provide quality medical care.”

The federal government requires hospitals to protect patients’ sensitive health data, according to cybersecurity experts. However, there are no federal requirements for hospitals to prevent or prepare for cyberattacks that could compromise their electronic systems.

Hospitals: ‘The No. 1 Target of Ransomware’

“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego. “These types of cybersecurity incidents should be thought of as a matter of when, and not if.”

Josh Corman, a cybersecurity expert and advocate, said ransom crews regard hospitals as the perfect prey: “They have terrible security and they’ll pay. So almost immediately, hospitals went to the No. 1 target of ransomware.”

In 2023, the health sector experienced the largest share of ransomware attacks of 16 infrastructure sectors considered vital to national security or safety, according to an FBI report on internet crimes. In March, the federal Department of Health and Human Services said reported large breaches involving ransomware had jumped by 264% over the past five years.

A cyberattack this year on Change Healthcare, a unit of UnitedHealth Group’s Optum division that processes billions of health care transactions every year, crippled the business of providers, pharmacies, and hospitals.

In May, UnitedHealth Group CEO Andrew Witty told lawmakers the company paid a $22 million ransom as a result of the Change Healthcare attack — which occurred after hackers accessed a company portal that didn’t have multifactor authentication, a basic cybersecurity tool.

The Biden administration in recent months has pushed to bolster health care cybersecurity standards, but it’s not clear which new measures will be required.

In January, HHS nudged companies to improve email security, add multifactor authentication, and institute cybersecurity training and testing, among other voluntary measures. The Centers for Medicare & Medicaid Services is expected to release new requirements for hospitals, but the scope and timing are unclear. The same is true of an update HHS is expected to make to patient privacy regulations.

©2024 KFF Health News. Distributed by Tribune Content Agency, LLC.
