Cybersecurity in healthcare: Lawmakers seek answers from Biden administration

Two lawmakers want more information as more hospitals are being hit with ransomware attacks. They say they’re concerned about the timely sharing of threat information with the health sector.

Lawmakers are pressing President Biden’s administration to protect the healthcare sector from cyberattacks.

U.S. Sen. Angus King, I-Maine, and U.S. Rep. Mike Gallagher, R-Wisc., wrote a letter Aug. 12 to U.S. Health and Human Services Secretary Xavier Becerra outlining their concerns. They noted the spike in ransomware attacks targeting hospitals and health systems.

“Ransomware attacks on the HPH sector have skyrocketed in the past two years as opportunistic criminals recognized that hospitals may pay quickly to resolve issues and protect patient safety,” the lawmakers wrote.

“Meanwhile, the troves of personally identifiable information and personal health information make organizations in the sector valuable targets for both criminal and nation-state hackers.”

King and Gallagher praised the Biden administration for some steps on bolstering cybersecurity in the health sector, including a recent forum at the White House. They also noted the Food and Drug Administration has placed a high priority on improving the security of medical devices, where hackers have exploited vulnerabilities.

However, King and Gallagher said they want to see more urgency from the federal government in the face of the grave threats from cyberattacks.

“We remain concerned, however, about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources. With cyber threats growing exponentially, we must prioritize addressing the HPH sector’s cybersecurity gaps,” they wrote.

The lawmakers also asked Becerra to brief them on cybersecurity efforts. They wrote that they would like the briefing to include an assessment of several areas:

  • The health department’s organizational structure relating to cybersecurity efforts;
  • The department’s authority to improve cybersecurity, and any areas where the agency needs more authority;
  • The resources, including staffing and funding, HHS needs to be “an effective sector risk management agency”;
  • The agency’s successes and setbacks in coordinating with other agencies to protect the health sector from cyber attacks.

Analysts predicted health systems could see a greater threat from cyberattacks in 2022, and those projections appear to have been sound.

Scores of cyberattacks have hit hospitals and health companies already this year. The health department tracks any health data breaches that affect at least 500 people. In the first six months of 2022, the health department data indicates there have been 337 breaches involving a minimum of 500 patient records.

Those attacks have affected millions of Americans. Each of the 10 biggest cyberattacks involving health data affected at least 500,000 people.

Cyberattacks are getting more costly to hospitals and health systems. The average healthcare breach now costs $10.1 million, according to an IBM Security report released last month. The cost of the typical healthcare breach rose by nearly $1 million over last year.

Beyond the cost to hospitals in money and manpower, cybersecurity experts warn that breaches threaten the safety of patients. Hospitals rely heavily on electronic medical records, and some attacks have prevented providers from accessing that data, delaying procedures.

Ransomware attacks are rising because bad actors know many health systems will pay the ransom, Troy Ament, Fortinet’s health care field chief information security officer, said at a panel during the American Hospital Association Leadership Summit in July.

“The adversaries have been able to monetize the threats,” Ament said at the AHA summit.

“In healthcare, they’ve been able to understand the operations of the environment, and shut the operations down,” he added.