Central Oregon Pathology Consultants has been in business for nearly 60 years, offering molecular testing and other diagnostic services east of the Cascade Range.
Beginning last winter, it operated for months without being paid, surviving on cash on hand, practice manager Julie Tracewell said. The practice is caught up in the aftermath of one of the most significant digital attacks in American history: the February hack of payments manager Change Healthcare.
COPC recently learned Change has started processing some of the outstanding claims, which numbered roughly 20,000 as of July, but Tracewell doesn’t know which ones, she said. The patient payment portal remains down, meaning customers are unable to settle their accounts.
“It will take months to be able to calculate the total loss of this downtime,” she said.
Health care is the most frequent target for ransomware attacks: In 2023, the FBI says, 249 of them targeted health institutions — the most of any sector.
And health executives, lawyers, and those in the halls of Congress are worried that the federal government’s response is underpowered, underfunded, and overly focused on protecting hospitals — even as Change proved that weaknesses are widespread.
The Health and Human Services Department’s “current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers,” Sen. Ron Wyden (D-Ore.), chair of the Senate Finance Committee, wrote in a recent letter to the agency.
The money isn’t there, said Mark Montgomery, senior director at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. “We’ve seen extremely incremental to almost nonexistent efforts” to invest more in security, he said.
The task is urgent — 2024 has been a year of health care hacks. Hundreds of hospitals across the Southeast faced disruptions to their ability to obtain blood for transfusions after nonprofit OneBlood, a donation service, fell victim to a ransomware attack.
Cyberattacks complicate mundane and complex tasks alike, said Nate Couture, chief information security officer at the University of Vermont Health Network, which was struck by a ransomware attack in 2020. “We can’t mix a chemo cocktail by eye,” he said, referring to cancer treatments, at a June event in Washington, D.C.
In December, HHS put out a cybersecurity strategy meant to support the sector. Several proposals focused on hospitals, including a carrot-and-stick program to reward providers that adopted certain “essential” security practices and penalize those that didn’t.
Even that narrow focus could take years to materialize: Under the department’s budget proposal, money would start flowing to “high-needs” hospitals in fiscal year 2027.
The focus on hospitals is “not appropriate,” Iliana Peters, a former enforcement lawyer at HHS’ Office for Civil Rights, said in an interview. “The federal government needs to go further” by also investing in the organizations that supply and contract with providers, she said.
The department’s interest in protecting patient health and safety “does put hospitals near the top of our priority partners list,” Brian Mazanec, a deputy director at the Administration for Strategic Preparedness and Response at HHS, said in an interview.
Responsibility for the nation’s health cybersecurity is shared by three offices within two different agencies. The health department’s civil rights office is a sort of cop on the beat, monitoring whether hospitals and other health groups have adequate defenses for patient privacy and, if not, potentially fining them.
The health department’s preparedness office and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency help build defenses — such as mandating that medical software developers use auditing technology to check their security.
Both of the latter are required to create a list of “systemically important entities” whose operations are critical to the smooth functioning of the health system. These entities could get special attention, such as inclusion in government threat briefings, Josh Corman, a co-founder of the cyber advocacy group I Am The Cavalry, said in an interview.
Federal officials had been working on the list when news of the Change hack broke — but Change Healthcare was not on it, Jen Easterly, leader of Homeland Security’s cybersecurity agency, said at an event in March.
Nitin Natarajan, the cybersecurity agency’s deputy director, told KFF Health News that the list was just a draft. The agency previously estimated it would finish the entities list — across sectors — last September.
The health department’s preparedness office is supposed to coordinate with Homeland Security’s cybersecurity agency and across the health department, but congressional staffers said the office’s efforts fall short. There are “silos of excellence” in HHS, “where teams were not talking to each other, [where it] wasn’t clear who people should be going to,” said Matt McMurray, chief of staff for Rep. Robin Kelly (D-Ill.), at a June conference.
Is the health department’s preparedness office “the right home for cybersecurity? I’m not sure,” he said.
Historically, the office focused on physical-world disasters — earthquakes, hurricanes, anthrax attacks, pandemics. It inherited cybersecurity when Trump-era department leadership made a grab for more money and authority, said Chris Meekins, who worked for the preparedness office under Trump and is now an analyst with the investment bank Raymond James.
But since then, Meekins said, the agency has shown it’s “not qualified to do it. There isn’t the funding there, there isn’t the engagement, there isn’t the expertise there.”
The preparedness office has only a “small handful” of employees focused on cybersecurity, said Annie Fixler, director at the FDD’s Center on Cyber and Technology Innovation. Mazanec acknowledges the number isn’t high but hopes additional funding will allow for more hires.
The office has been slow to react to outside feedback. When an industry clearinghouse for cyberthreats tried to coordinate with it to create an incident response process, “it took probably three years to identify anyone willing to support” the effort, said Jim Routh, the then-board chair of the group, Health Information Sharing and Analysis Center.
During the NotPetya attack in 2017 — a hack that caused major damage to hospitals and the drugmaker Merck — Health-ISAC ended up disseminating information to its members itself, including the best method to contain the attack, Routh said.
Advocates look at the Change hack — reportedly caused by a lack of multifactor authentication, a technology very familiar in America’s workplaces — and say HHS needs to use mandates and incentives to get the health care sector to adopt better defenses. The department’s strategy released in December proposed a relatively restricted list of goals for the health care sector, which are mostly voluntary at this point. The agency is “exploring” creating “new enforceable” standards, Mazanec said.
Much of the HHS strategy is due to be rolled out over the coming months. The department has already requested more funding. The preparedness office, for example, wants an additional $12 million for cybersecurity. The civil rights office, with a flat budget and declining enforcement staff, is due to release an update to its privacy and security rules.
“There’s still significant challenges that the industry as a whole faces,” Routh said. “I don’t see anything on the horizon that’s necessarily going to change that.”