Bureaucracy is complicating health care's hacking problem

- Tina Reed, author of Axios Vitals

Illustration: Shoshana Gordon/Axios
Cyber attacks on hospitals and doctors' offices are growing larger and more disruptive — and the problem is only poised to get worse without a coordinated effort from regulators to shore up health care's defenses, IT experts say.
The big picture: High-profile ransomware attacks against U.S. health systems in the last year have spotlighted the industry's persisting vulnerabilities and risks for patient safety as care is disrupted.
- More than 88 million Americans have been affected by large health care data breaches this year, up 60% from last year, the Department of Health and Human Services said this week.
- The sensitivity of patients' information makes health care a rich target for hackers to steal data or force systems offline until hospitals agree to pay a ransom.
Experts say a confusing and sometimes competing patchwork of rules and guidance from federal and state agencies is a major reason why the industry has struggled to mount more effective defenses.
- "HHS, Homeland Security, Justice, Education, Treasury, Commerce — they all have either policy in place or they're thinking about policies that are going to impact what health care cyber does," said Toby Gouker, chief security officer for government at privacy and security firm First Health Advisory.
- But "none of these people have an overarching position on it," he said. "There's no real administrative mandate to come down on us. There's all these recommendations and suggestions ... there's no leader."
- A report from Sen. Mark Warner (D-Va.), co-chair of the Senate Cybersecurity Caucus, last year called on HHS to empower a senior leader to coordinate cyber defense across sectors and galvanize a more unified industry response.
- HHS hasn't taken up that recommendation, but the Biden administration last week announced new efforts to protect health care from cyber attacks.
Between the lines: There is an endlessly complex set of data-sharing requirements, vendor relationships and technology in health systems.
- Chief information security officers are often overwhelmed by warnings and guidance about emerging threats from federal and state agencies, making it difficult to decide how to dedicate limited dollars.
- Experts say too often, health systems aren't doing simple blocking and tackling — patching old software, auditing vulnerabilities, teaching employees about phishing — as they stretch their budgets.
- But even at the many organizations that are doing the right things to protect their systems, it's not uncommon to have weak spots such as decades-old equipment like X-ray machines that can no longer be patched but is too pricey to simply replace.
Between the lines: Providers often end up prioritizing the clearest standards — and the ones that come with penalties for falling short, such as the federal privacy law known as the Health Insurance Portability and Accountability Act (HIPAA).
- "[Providers] have limited resources, and the few resources that they have to focus on any sort of cybersecurity controls are going to be so that they comply with [HHS] and HIPAA because the fines are so huge," said Heather Hughes, vice president on Aon's cyber solutions team.
- But health systems aren't putting enough resources into preserving their systems' ability to operate during an attack and having strong disaster recovery plans when they're breached, Ahsan Siddiqui, director of product management at Arcserve, told Axios.
- "With health care, you get their systems down and there's a lot at stake," Siddiqui said. "It's time that regulators understand that."
The other side: Biden administration officials last week called health care cybersecurity a "priority" as they released a new toolbox of resources for health systems to defend themselves against hackers.
- HHS Deputy Secretary Andrea Palm acknowledged to Axios that officials haven't always provided consistent guidance across federal agencies.
- HHS and Homeland Security's Cybersecurity and Infrastructure Security Agency have been collaborating more often so "we're talking to the industry under a single voice, and we're not confusing the industry," she said.
- When asked by a reporter at a roundtable, Palm didn't rule out the possibility of tying minimum cybersecurity standards to providers' Medicare reimbursement.
What we're watching: Sen. Bill Cassidy (R-La.), the ranking member of the Senate health committee, and Warner are among the members of a new workgroup exploring legislative options for health care cybersecurity.
- "Just like a strong military and police force defends us against physical attacks, we must ensure health institutions can safeguard against increasing cyber threats and protect Americans' crucial health data," Cassidy said in a statement.