Health Care: Cyber Attacks, Worrying Trends and Solutions

Cyber threats against hospitals are surging. What steps are being taken by the health-care sector to address the increasing impacts of cyber attacks? Let’s explore.

As I was reading various financial headlines last week to try and stay current on stock market developments, I came across a troubling headline: "HealthEquity Stock Plummets as Firm's Profit Hurt by Cyber Threats, Fraud."

Here’s an excerpt: “Shares of HealthEquity (HQY) sank 20 percent Wednesday, a day after the Health Savings Account (HSA) custodian missed profit estimates and gave weak guidance as it dealt with the costs of a rise in criminal activity targeting the firm. …

“In a transcript of the analyst call provided by AlphaSense, CEO Scott Cutler explained that along with other financial firms, HealthEquity has seen ‘increased cyber threats and fraud attacks from bad actors using sophisticated technology, techniques and methods.’”


Indeed, this story is just one example of a rising trend of cyber attacks against hospitals and health-care facilities, and companies overall.

The HIPAA Journal published an article back in January regarding the alarming trends in health-care cyber attacks in 2024. Here's an excerpt:

“Last year was an annus horribilis for health-care data breaches. While there appears to have been a slight year-over-year reduction in the number of reported data breaches of 500 or more records, the number of individuals affected by those breaches has risen considerably.”
As described in detail in the article, the biggest health-care data breaches in 2024 included Change Healthcare, Kaiser Foundation Health Plan, Ascension Health, HealthEquity, Concentra Health Services and Centers for Medicare and Medicaid Services.

In the case of the last example, “The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) reported a breach of the protected health information of 3,112,815 individuals in September 2024. CMS contracted with Wisconsin Physicians Service Insurance Corporation (WPS) to handle Medicare Part A/B claims, and WPS used file transfer software to transfer large files containing protected health information – Progress Software’s MOVEit Transfer solution.”

A MATTER OF LIFE AND DEATH


But perhaps an even more troubling trend than the data breaches leading to financial loss is the health impact that these cyber attacks have on people’s lives. The United Nations issued a report recently on the topic of "Cyberattacks on healthcare: A global threat that can’t be ignored." Here’s how their story begins:

“Briefing ambassadors, Tedros Adhanom Ghebreyesus, WHO Director-General, emphasized the severe impact of cyber attacks on hospitals and health-care services, calling for urgent and collective global action to address this growing crisis.

“'Ransomware and other cyber attacks on hospitals and other health facilities are not just issues of security and confidentiality, they can be issues of life and death,' he said.

“'At best, these attacks cause disruption and financial loss. At worst, they undermine trust in the health systems on which people depend, and even cause patient harm and death.'

“The digital transformation of health care, combined with the high value of health data, has made the sector a prime target for cyber criminals, Tedros continued, citing examples of the 2020 ransomware attack on Brno University Hospital in Czechia and a May 2021 breach of the Irish Health Service Executive (HSE).

“Cyber attacks also extended beyond hospitals to disrupt the broader biomedical supply chain.”

A similar report was written by Security Intelligence: "When ransomware kills: Attacks on healthcare facilities"

“Hospitals depend heavily on digital systems for managing patient care. When a ransomware attack strikes, these systems go offline, with often tragic results. Research highlights the risks: There’s been a 300 percent increase in ransomware attacks on health care since 2015. This led to a spike in emergency cases, including strokes and cardiac arrests, at hospitals overwhelmed by patients diverted from facilities hit by cyber attacks.

“A study by the University of California San Diego showed that ransomware attacks on hospitals cause a spillover effect. This means neighboring hospitals see a surge in patients, leading to cardiac arrest cases jumping 81 percent. Survival rates also dropped for those cardiac arrest cases. …

“In another study of two urban emergency departments adjacent to a health-care organization under attack, researchers noted significant increases in patient volume, longer waiting times and increases in patient 'left without being seen' rates. These delays, according to the study, underscore the need for a disaster response approach for such incidents.

“In some cases, the tragic consequences of ransomware in health care have been documented in legal proceedings. In 2020, a woman sued an Alabama hospital, claiming that a ransomware attack had contributed to the death of her newborn daughter.”

Another sad example came from earlier this month, this time from Industrial Cyber: "Microsoft highlights cybersecurity crisis in rural hospitals, urges enhanced measures to bolster healthcare resilience."

“Microsoft published a new white paper that shares insights gained over the past year, focusing on the current cybersecurity landscape for rural health and the role technology companies can play. It explores the current state of rural hospitals, the unique cybersecurity threats they face, and the role technology companies can play to address the immediate cyber risk and broader systemic challenges facing rural hospitals today.

“The white paper observed that ransomware attacks pose a particular threat to hospitals, which are frequently targeted by both financially motivated cyber criminals and nation-state threat groups. 'Hospitals often pay ransoms to avoid patient care disruptions, and malicious actors exploit this reality. Moreover, these types of incidents surged by nearly 130 percent that year, according to reporting from the Office of the Director of National Intelligence (ODNI), on an already high baseline following COVID-19.'”

And finally, for those who prefer to watch video explanations, we have this story from the PBS News Hour on the topic: "How a cyberattack crippled the U.S. health care system."

WHAT CAN BE DONE TO HELP HOSPITALS


One example of how hospitals are fighting back is pooling resources and working together to fight cyber attacks. The Michigan Healthcare Cybersecurity Council (MiHCC) is a group of Midwest hospitals that work together to fight cyber crime. According to their website, together the hospitals:
  • "Engage the membership and community — Through our regular member activities throughout the state we provide opportunities for collaboration and contribution to our peers.
  • "Develop valuable content — As a grouping of health sector information security practitioners we all have valuable practices and experiences to share.
  • "Mine our expertise to accelerate our collective security — As leaders in our state we each have relationships, partnerships, and teams that can provide valuable insights to our respective companies and institutions.
  • "Identify and align with partner organization — We seek to develop networks of networks through our sector and across others to find common cause and solutions.
  • "Project a voice in service to our health-care community — Our community is large, diverse, and needs our voices to support outreach and connectedness between them.
  • "Facilitate skill development and collaboration in our members’ institutions — We build deep connections between our member organizations’ teams so skills may be shared and curated with like-minded professionals."
This video/podcast provides more details on what happens when there’s a cyber attack at a hospital or health system.
Here’s a small excerpt from the video: “The MHA released a new episode of the MiCare Champion Cast exploring what happens when a hospital or health system experiences a cyber attack featuring Jack Kufahl, chief information security officer at Michigan Medicine.

“In his role, Kufahl is responsible for planning, developing, implementing, and maintaining information assurance activities across the academic medical center. Although the health system wasn’t majorly impacted by the Change Healthcare breach, Kufahl shared how his team responded and valuable insight on how to improve cybersecurity measures.

“'I think one of the most important things any hospital or health-care organization can do is start establishing a long-term [cybersecurity] framework so that you can measure improvement over time,' said Kufahl, noting there are many accessible resources that accommodate monetary limitations.”

FINAL THOUGHTS


Some readers may be wondering, “What are some of the government impacts from health-care industry cyber attacks?”

One example comes from this piece from late last year: "HHS facing challenges as lead agency for healthcare cybersecurity: GAO." Here's a brief excerpt:
  • "The Department of Health and Human Services has faced challenges mitigating cybersecurity risks in the health-care sector, according to a report published Thursday by the Government Accountability Office. 
  • "The department hasn’t implemented policies previously recommended by the government watchdog, including tracking industry adoption of ransomware-specific cyber practices or assessing risks from IoT or operational technology devices.
  • "Until the HHS fills those gaps, the department could be unable to effectively lead the industry in cybersecurity — a potential risk for providers and patient care, according to the GAO."
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.