Health care's cyber defenses fall short
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Aïda Amer/Axios
A massive data breach affecting 11 million HCA Healthcare patients provided a stark reminder this week of how often the defenses of America's largest health care organizations are hacked.
Why it matters: The hospital industry keeps sensitive personal data that is among the highest value assets on the black market — and experts predict further attacks will get harder to thwart.
What they're saying: "They've got pretty lax security, generally speaking, when compared to a bank as an example," said Ross Brewer, the chief revenue officer of SimSpace, a company that regularly tests the defensive capabilities of large U.S. banks.
By the numbers: HHS data shows more than 39 million patients' information was exposed in the first half of 2023 in nearly 300 incidents, per Health IT Security.
- Healthcare breaches have doubled in the last three years, HHS reports.
- While HCA said its breach is limited to patient names, addresses, telephone numbers, emails and treatment locations and "has not caused any disruption to the day-to-day operations," incidents at other hospitals have targeted individuals' clinical and financial records and have been highly disruptive.
- And though regional health systems are frequent targets, the biggest industry players aren't immune.
- In January, Community Health Systems reported roughly 1.2 million patients had protected health information was exposed.
- Commonspirit Healthcare, one of the biggest non-profit health systems in the U.S., reported last fall more than 600,000 records were breached. The attack interrupted operations at some hospitals and resulted in about $160 million in losses.
- "Obviously, health care organizations cannot protect themselves against all cyberthreats, but if the sector is to improve its defenses it needs to severely up its game," said Andrew Whaley, senior technical director at Norwegian cybersecurity company Promon in an email.
Be smart: Breaches of health systems covered by the Health Insurance Portability and Accountability Act (HIPAA) have to be reported to federal officials.
- Oversight and enforcement falls to the HHS Office of Civil Rights, which also juggles civil rights complaints.
- "HHS spent significant time deepening its understanding of both how our adversaries are beating our hospitals' cybersecurity protections today and how cyber resilient our hospitals are to stand up against our adversaries," an HHS spokesperson said.
- The agency published an analysis and issued best practices for the sector and free online training in April and is working through policy considerations and potential minimum standards to support them, the spokesperson said.
- But the office is poorly equipped to handle the sheer volume of cyber incidents. It had a budget of $38 million in 2022 — which worked out to roughly the cost of about 20 MRI machines, Politico pointed out.
What's next: In remarks late last month, deputy national security adviser for cyber and emerging technology Anne Neuberger said the Biden administration is turning its attention to healthcare for new critical infrastructure cybersecurity regulations, reported Eric Geller, senior cybersecurity reporter at The Messenger.
- HHS requested $78 million in funding for the civil rights office in next year's budget.
Between the lines: Ask any hospital executive about their cybersecurity, and they'll assure you they've made major investments in their defenses.
- But that's part of the problem, Brewer said.
- "We've got a systemic challenge in the industry where these organizations are thinking the technology is going to save them," Brewer said. "They're not putting enough emphasis on their people running their systems and adequately testing their skills and putting them through exercises so they know what these attacks are going to look like before they find themselves in the middle of one."
- Health care organizations are major targets because they have so many locations and employees, work with large numbers of outside vendors, and have a complex web of internet-connected technology. Often, they lack full control over systems like X-ray machines and the ability to keep them up to date.
- In Nashville-based HCA's case, hackers broke into an external storage location used to automate the formatting of email messages. Compromised data lists contained 27 million rows of data, including the protected health information of about 11 million patients who received care at HCA hospitals and doctors’ offices in 20 U.S. states, per the HIPAA Journal.
The bottom line: The threats are only going to get harder to defend against, said Amy Abernethy, Verily's chief medical officer and former principal deputy commissioner of food and drugs at the FDA, told Axios.
- "Quantum [computing] is coming," she said. "If we think that we live in a complex time right now when we have the ability to have encryption that works for us, when that's really not so possible that's going to be a totally different landscape," she said. "We need to shore up what we're doing now as we think about where this future goes."
