The chaos ensued across hospitals and medical facilities nationwide on February 21, following a cyberattack targeting Change, a subsidiary of United Health Group (UHG). This assault rendered the mega-billing system, responsible for processing a staggering 15 billion healthcare transactions annually, completely paralyzed.
Cyberattacks such as the one perpetrated against UHG are alarming because they can potentially destabilize the U.S. healthcare industry. It should not have been necessary to launch a massive attack to alert us to the threat that professional hackers pose to national security. However, it’s better late than ever.
The American Hospitals Association reported that “94% of hospitals reported the Change Healthcare cyberattack had a financial impact on them, and more than 50% of those hospitals said the impact was significant or severe.’ A third of survey respondents stated that the attack disrupted over half of their revenues.”
Cyberattacks on U.S. healthcare providers increased by 53 percent over the last three years. From 2020 to 2022, large data breaches increased by 93 percent. Ransomware attacks against the healthcare sector, which captures sensitive data from patients and holds them for ransom, have seen a staggering 278 percent rise.
Cyberattacks on hospitals can compromise patient privacy, disrupt billing and appointment systems, disable equipment, and, in extreme situations, cause the temporary closure of entire healthcare facilities. These attacks can be extremely destabilizing to communities, and cause economic chaos and panic.
Cybercrime is treated by the federal government more like a storm or flood than as a potentially life-threatening threat from terrorists or criminals. The Treasury Department has threatened civil penalties in 2020 against victims of ransomware and cyberattacks who pay to restore their systems. This means that a person under U.S. jurisdiction can be held civilly responsible even if they did not know, or had reason to believe, that they were engaging in a business transaction with someone who is prohibited by sanctions laws and regulations.
It is expected that the Department of Health and Human Services will focus on “preparedness” in late 2023. The Department has stated that they are focused on “preparedness”. They have also declared that HHS would be a “one-stop shop for health care cyber security.” This tone of inclusion and cooperation is inclusive but unlikely to deter those willing to launch cyberattacks to terrorize hospitals or demand huge ransoms.
In 2017, the “WannaCry 2.0 cyberattack” targeted hospitals and clinics in 150 countries. It was shocking to learn that it affected 1,200 diagnostic tools as well. The FBI traced the attack to a programmer who was backed by North Korea’s regime.
The Lurie Children’s Hospital, in Chicago, was forced to shut down its network in late January this year due to “cybersecurity issues”. Email and phone services, as well as many other systems, were also affected. Some of these systems are still down today.
Saint Margaret’s Health, in Spring Valley Illinois, was forced into permanent closure in mid-2023 due to a ransomware attack that effectively prevented the hospital from submitting claims or communicating with payers. Saint Margaret’s was thrown into financial ruin by the February 2021 attack. A hospital data breach costs an average of $11 million. This is enough to close down hospitals that are struggling to survive.
These attacks are not isolated. Data security and privacy laws are the foundation of public trust in emergency preparedness, health data privacy, and security.
Healthcare facilities hope that the federal government will use the existing authority and capabilities to combat cybercrime. The healthcare facilities point out that Australia is on the offensive in its fight against cybercriminals and request that the U.S. government use all of its national security resources to “proactively disable foreign-based cyber attacks.”
The U.S. government is now threatening their healthcare providers with criminal or financial liability if they choose to pay cyber attackers. The U.S. Government should protect its citizens when patient records, basic health care systems, and services are in danger. The U.S. Government has instead decided to place the healthcare industry in a difficult position for now.
