October 13, 2022 | Policy Brief

Latest Ransomware Attack on U.S. Healthcare System Exposes Critical Weaknesses

CommonSpirit Health, the second-largest non-profit hospital chain in the United States, suffered a ransomware attack last week. The latest in a string of cyberattacks against the healthcare and public health sector, the incident confirms the need for better collaboration between the U.S. government and this critical infrastructure sector.

CommonSpirit — which has 140 hospitals and more than 1,000 facilities across 21 states — announced on October 4 that it was experiencing “IT security issues.” It is unclear how many hospitals have been affected, but local reporting indicates that facilities in Iowa, Nebraska, and Washington have been impacted. In at least some locations, ambulances were diverted and procedures delayed.

The healthcare sector has rapidly emerged as a key target of cyber criminals, particularly ransomware actors, since the COVID-19 pandemic’s onset. Last month, an annual survey of healthcare IT professionals found that 90 percent had experienced a cyber incident in the previous year. More than half said their facility had suffered a ransomware attack over the previous two years.

Ransomware encrypts data on a device until the device’s owner pays the attacker to release the data. When ransomware locks up a hospital’s data, it can lead to serious disruptions of medical services and complications in patient care. Among survey respondents, nearly one quarter said that ransomware attacks led to increased mortality rates at their hospitals. Last year, more than a third of respondents said that ransomware attacks had led to increased post-operative complications.

Earlier this year, the White House held a roundtable discussion on improving cybersecurity in the healthcare sector. Industry leaders and government officials agreed there has been progress, but the results have been mixed. In a letter to Secretary of Health and Human Services (HHS) Xavier Becerra, Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI) expressed concern “about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources.” The letter also asked for details of how HHS is executing its role as the Sector Risk Management Agency (SRMA) for healthcare, which entails a statutory obligation to support and enhance the sector’s performance.

Part of the problem stems from a lack of resources. Last year, the Health Sector Coordinating Council (HSCC) — the body responsible for serving as the sector’s representative to the government — testified to HHS’s advisory body that the sector needs more grants for cybersecurity programs at hospitals and that HHS needs more funding to fulfill its SRMA role, enabling it to better engage with the sector and expand collaboration and partnership with industry.

HHS is asking for a 58 percent increase in the budget for the Office for Civil Rights (OCR) — the office responsible both for helping organizations bolster their cyber defenses and for enforcing the data privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). The latter, however, appears to be the priority of the OCR director who told the press that more funding “will give us a stronger hammer” for enforcement.

Increasing OCR’s budget may not improve the sector’s security if the office is primarily focused on punishing hospitals for cyberattacks whose exposure of private data constitutes a HIPAA violation. Congress tasked SRMAs with providing expertise to, supporting programs for, and collaborating with industry. HSCC Executive Director Greg Garcia explained, “If OCR is looking for money that will protect hospitals … good. That’s HHS’ role — not just to penalize the victim.”

Punishing ransomware victims with HIPAA enforcement fines is unlikely to lead to greater information sharing and the collaboration necessary to strengthen national cyber resilience. Thus, before increasing OCR’s funding or other funding to HHS to execute its SRMA responsibilities, Congress should demand — as Sen. King and Rep. Gallagher requested — a detailed briefing on the steps HHS is taking to improve healthcare cybersecurity and how the department will spend resources to accomplish meaningful progress.

Annie Fixler is the deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Michael Sugden is a CCTI intern. Follow Annie on Twitter @afixler. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.