{"id":656,"date":"2024-09-19T09:00:00","date_gmt":"2024-09-19T09:00:00","guid":{"rendered":"https:\/\/medical-article.com\/?p=656"},"modified":"2024-09-19T09:00:00","modified_gmt":"2024-09-19T09:00:00","slug":"cyberattacks-plague-the-health-industry-critics-call-feds-response-feeble-and-fractured","status":"publish","type":"post","link":"https:\/\/medical-article.com\/?p=656","title":{"rendered":"Cyberattacks Plague the Health Industry. Critics Call Feds\u2019 Response Feeble and Fractured."},"content":{"rendered":"<p>Central Oregon Pathology Consultants has been in business for nearly 60 years, offering molecular testing and other diagnostic services east of the Cascade Range.<\/p>\n<p>Beginning last winter, it operated for months without being paid, surviving on cash on hand, practice manager Julie Tracewell said. The practice is caught up in the aftermath of one of the most significant digital attacks in American history: the February hack of payments manager Change Healthcare.<\/p>\n<p>COPC recently learned Change has started processing some of the outstanding claims, which numbered roughly 20,000 as of July, but Tracewell doesn\u2019t know which ones, she said. 
The patient payment portal remains down, meaning customers are unable to settle their accounts.<\/p>\n<p>\u201cIt will take months to be able to calculate the total loss of this downtime,\u201d she said.<\/p>\n<p>Health care is the most frequent target for ransomware attacks: In 2023, <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2023_IC3Report.pdf#page=13\">the FBI says<\/a>, 249 of them targeted health institutions \u2014 the most of any sector.<\/p>\n<p>And health executives, lawyers, and those in the halls of Congress are worried that the federal government\u2019s response is underpowered, underfunded, and overly focused on protecting hospitals \u2014 even as Change proved that weaknesses are widespread.<\/p>\n<p>The Health and Human Services Department\u2019s \u201ccurrent approach to healthcare cybersecurity \u2014 self-regulation and voluntary best practices \u2014 is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers,\u201d Sen. Ron Wyden (D-Ore.), chair of the Senate Finance Committee, <a href=\"https:\/\/www.finance.senate.gov\/imo\/media\/doc\/letter_to_hhs_on_cybersecurity_standardspdf.pdf\">wrote in a recent letter<\/a> to the agency.<\/p>\n<p>The money isn\u2019t there, said Mark Montgomery, senior director at the Foundation for Defense of Democracies\u2019 Center on Cyber and Technology Innovation. \u201cWe\u2019ve seen extremely incremental to almost nonexistent efforts\u201d to invest more in security, he said.<\/p>\n<p>The task is urgent \u2014 2024 has been a year of health care hacks. 
Hundreds of hospitals across the Southeast <a href=\"https:\/\/www.cnn.com\/2024\/07\/31\/politics\/cyberattack-oneblood-blood-donation\/index.html\">faced disruptions<\/a> to their ability to obtain blood for transfusions after nonprofit OneBlood, a donation service, fell victim to a ransomware attack.<\/p>\n<p>Cyberattacks complicate mundane and complex tasks alike, said Nate Couture, chief information security officer at the University of Vermont Health Network, which was struck by a ransomware attack in 2020. \u201cWe can\u2019t mix a chemo cocktail by eye,\u201d he said, referring to cancer treatments, at a June event in Washington, D.C.<\/p>\n<p>In December, HHS <a href=\"https:\/\/aspr.hhs.gov\/cyber\/Documents\/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf\">put out a cybersecurity strategy<\/a> meant to support the sector. Several proposals focused on hospitals, including a carrot-and-stick program to reward providers that adopted certain \u201cessential\u201d security practices and penalize those that didn\u2019t.<\/p>\n<p>Even that narrow focus could take years to materialize: Under the <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/fy-2025-budget-in-brief.pdf\">department\u2019s budget proposal<\/a>, money would start flowing to \u201chigh-needs\u201d hospitals in fiscal year 2027.<\/p>\n<p>The focus on hospitals is \u201cnot appropriate,\u201d Iliana Peters, a former enforcement lawyer at HHS\u2019 Office for Civil Rights, said in an interview. 
\u201cThe federal government needs to go further\u201d by also investing in the organizations that supply and contract with providers, she said.<\/p>\n<p>The department\u2019s interest in protecting patient health and safety \u201cdoes put hospitals near the top of our priority partners list,\u201d Brian Mazanec, a deputy director at the Administration for Strategic Preparedness and Response at HHS, said in an interview.<\/p>\n<p>Responsibility for the nation\u2019s health cybersecurity is shared by three offices within two different agencies. The health department\u2019s civil rights office is a sort of cop on the beat, monitoring whether hospitals and other health groups have adequate defenses for patient privacy and, if not, potentially fining them.<\/p>\n<p>The health department\u2019s preparedness office and the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency help build defenses \u2014 such as mandating that medical software developers use auditing technology to check their security.<\/p>\n<p>Both of the latter are required to create a list of \u201csystemically important entities\u201d whose operations are critical to the smooth functioning of the health system. These entities could get special attention, such as inclusion in government threat briefings, Josh Corman, a co-founder of the cyber advocacy group I Am The Cavalry, said in an interview.<\/p>\n<p>Federal officials had been working on the list when news of the Change hack broke \u2014 but Change Healthcare was not on it, Jen Easterly, leader of Homeland Security\u2019s cybersecurity agency, said at an event in March.<\/p>\n<p>Nitin Natarajan, the cybersecurity agency\u2019s deputy director, told KFF Health News that the list was just a draft. 
The agency <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-03\/CSAC_September-Quarterly-Meeting-Recommendations_DIR-Response_2023-03-01_508_V2.pdf\">previously estimated<\/a> it would finish the entities list \u2014 across sectors \u2014 last September.<\/p>\n<p>The health department\u2019s preparedness office is supposed to coordinate with Homeland Security\u2019s cybersecurity agency and across the health department, but congressional staffers said the office\u2019s efforts fall short. There are \u201csilos of excellence\u201d in HHS, \u201cwhere teams were not talking to each other, [where it] wasn\u2019t clear who people should be going to,\u201d said Matt McMurray, chief of staff for Rep. Robin Kelly (D-Ill.), at a June conference.<\/p>\n<p>Is the health department\u2019s preparedness office \u201cthe right home for cybersecurity? I\u2019m not sure,\u201d he said.<\/p>\n<p>Historically, the office focused on physical-world disasters \u2014 earthquakes, hurricanes, anthrax attacks, pandemics. It inherited cybersecurity when Trump-era department leadership made a grab for more money and authority, said Chris Meekins, who worked for the preparedness office under Trump and is now an analyst with the investment bank Raymond James.<\/p>\n<p>But since then, Meekins said, the agency has shown it\u2019s \u201cnot qualified to do it. There isn\u2019t the funding there, there isn\u2019t the engagement, there isn\u2019t the expertise there.\u201d<\/p>\n<p>The preparedness office has only a \u201csmall handful\u201d of employees focused on cybersecurity, said Annie Fixler, director at the FDD\u2019s Center on Cyber and Technology Innovation. Mazanec acknowledges the number isn\u2019t high but hopes additional funding will allow for more hires.<\/p>\n<p>The office has been slow to react to outside feedback. 
When an industry clearinghouse for cyberthreats tried to coordinate with it to create an incident response process, \u201cit took probably three years to identify anyone willing to support\u201d the effort, said Jim Routh, the then-board chair of the group, Health Information Sharing and Analysis Center.<\/p>\n<p>During the NotPetya attack in 2017 \u2014 a hack that caused major damage to hospitals and the drugmaker Merck \u2014 Health-ISAC ended up disseminating information to its members itself, including the best method to contain the attack, Routh said.<\/p>\n<p>Advocates look at the Change hack \u2014 reportedly caused by a lack of multifactor authentication, a technology very familiar in America\u2019s workplaces \u2014 and say HHS needs to use mandates and incentives to get the health care sector to adopt better defenses. The department\u2019s strategy released in December proposed a relatively restricted list of goals for the health care sector, which are mostly voluntary at this point. The agency is \u201cexploring\u201d creating \u201cnew enforceable\u201d standards, Mazanec said.<\/p>\n<p>Much of the HHS strategy is due to be rolled out over the coming months. The department has already requested more funding. The preparedness office, for example, wants an additional $12 million for cybersecurity. The civil rights office, with a flat budget and declining enforcement staff, is due to release an update to its privacy and security rules.<\/p>\n<p>\u201cThere\u2019s still significant challenges that the industry as a whole faces,\u201d Routh said. \u201cI don\u2019t see anything on the horizon that\u2019s necessarily going to change that.\u201d<\/p>\n<p><a href=\"https:\/\/kffhealthnews.org\/about-us\">KFF Health News<\/a> is a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF\u2014an independent source of health policy research, polling, and journalism. 
Learn more about <a href=\"https:\/\/www.kff.org\/about-us\/\">KFF<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Central Oregon Pathology Consultants has been in business for nearly 60 years, offering molecular testing and other diagnostic services east of the Cascade Range. Beginning last winter, it operated for months without being paid, surviving on cash on hand, practice manager Julie Tracewell said. The practice is caught up in the aftermath of one of&#8230;<\/p>\n","protected":false},"author":0,"featured_media":657,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-656","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"_links":{"self":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/posts\/656"}],"collection":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=656"}],"version-history":[{"count":0,"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/posts\/656\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/media\/657"}],"wp:attachment":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=656"},{"taxonomy":"post_tag","embeddable
":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}