While going through various economic headlines last week to keep myself updated on stock market updates, I stumbled upon a concerning headline: “HealthEquity Stock Plummets as Company’s Profit Impacted by Cyber Threats, Fraud.”
Here is a snippet: “Shares of HealthEquity (HQY) dropped by 20% on Wednesday, a day after the Health Savings Account (HSA) custodian missed profit projections and provided cautious guidance due to the expenses incurred from a surge in criminal activity targeting the company. …
“In a transcript of the analyst call provided by AlphaSense, CEO Scott Cutler elaborated that similar to other financial institutions, HealthEquity has witnessed ‘escalating cyber threats and fraud attacks from malicious actors utilizing advanced technology, strategies and methodologies.”
BROADER CYBER TRENDS IN MEDICAL CARE
Undoubtedly, this narrative serves as merely one illustration of an increasing tendency towards escalating cyber intrusions against hospitals and healthcare establishments, and corporations at large.
The HIPPA Journal released an article back in January discussing the worrisome trends in healthcare cyber intrusions in 2024. Here’s an excerpt:
“Last year was a dismal period for healthcare data breaches. Although there seems to have been a minor year-over-year decline in the count of reported data breaches comprising 500 or more records, the number of individuals affected by these breaches has significantly risen.”
As outlined comprehensively in the article, the most significant healthcare data breaches in 2024 encompassed Change Healthcare, Kaiser Foundation Health Plan, Ascension Health, HealthEquity, Concentra Health Services, and Centers for Medicare and Medicaid Services.
In the case of the final example, “The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) reported a breach of the protected health information of 3,112,815 individuals in September 2024. CMS engaged Wisconsin Physicians Service Insurance Corporation (WPS) for handling Medicare Part A/B claims, and WPS utilized file transfer software to transmit large files containing protected health information – Progress Software’s MOVEit Transfer solution.”
A CRUCIAL CONCERN
However, what is potentially a more distressing pattern than data breaches leading to financial setbacks are the healthcare consequences that these cyber intrusions impose on individuals’ well-being. The United Nations recently issued a report on the subject of “Cyberattacks on healthcare: A global threat that shouldn’t be underestimated.” Here’s how their narrative opens:
“Briefing ambassadors, Tedros Adhanom Ghebreyesus, WHO Director-General, stressed the severe consequences of cyber intrusions on hospitals and healthcare services, urging immediate and collective worldwide action to tackle this growing emergency.
“’Ransomware and other cyber attacks on hospitals and other healthcare facilities are not just matters of security and confidentiality, they can become matters of life and death,’ he remarked.
“’At best, these intrusions lead to disruptions and financial harm. At worst, they erode trust in the healthcare systems on which people rely, and even result in patient injuries and fatalities.’
“The transition of healthcare services to digital platforms, coupled with the significant value of health data, has made the sector a central target for cyber malefactors, Tedros continued, citing occurrences such as the 2020 ransomware attack on Brno University Hospital in Czechia and a breach in May 2021 on the Irish Health Service Executive (HSE).
“Cyber attacks have also extended beyond hospitals, striking the broader biomedical supply chain.”
A report with similar findings was produced by Security Intelligence: “When ransomware kills: Attacks on healthcare facilities”
“Hospitals heavily rely on digital systems for patient care management. When affected by a ransomware attack, these systems go offline, leading to frequently tragic outcomes. Studies highlight the risks: There has been a 300 percent increase in ransomware attacks on healthcare since 2015. This surge resulted in a rise in emergency cases, including strokes and cardiac arrests, at hospitals swamped by patients diverted from facilities hit by cyber intrusions.
“A research by the University of California San Diego demonstrated that ransomware attacks on hospitals trigger a spill-over effect. This means neighboring hospitals witness a surge in patients, leading to an 81 percent increase in cardiac arrest cases. Survival rates also dropped for those cases of cardiac arrest. …
“Another study focusing on two urban emergency departments neighboring a healthcare organization under attack, observed significant rises in patient volume, prolonged waiting times, and increased rates of patients ‘left without being seen’. These delays, the study notes, highlight the necessity for a disaster response strategy for such incidents.
“In some instances, the tragic outcomes of ransomware in healthcare have been documented in legal proceedings. In 2020, a woman filed a lawsuit against an Alabama hospital, alleging that a ransomware attack had contributed to the death of her newborn daughter.”
Another distressing incident occurred earlier this month, this time documented by Industrial Cyber: “Microsoft highlights cybersecurity crisis in rural hospitals, advocates for bolstered healthcare resilience.to strengthen healthcare resilience.”
“A new white paper was released by Microsoft, sharing insights accumulated during the past year, emphasizing the present cybersecurity environment for rural health and the potential role that technology firms can fulfill. The document explores the current condition of rural hospitals, the distinct cybersecurity hazards they encounter, and how technology companies can contribute to addressing the immediate cyber threats and more comprehensive systemic issues encountered by rural hospitals today.
“According to the white paper noted, ransomware attacks present a significant risk to hospitals, which are frequently targets for financially-driven cyber attackers and nation-state threat actors. ‘Hospitals often pay ransoms to prevent disruptions in patient care, and malicious entities exploit this fact. Furthermore, such incidents increased by almost 130 percent that year, as per the reports from the Office of the Director of National Intelligence (ODNI), on top of an already elevated baseline following the COVID-19 pandemic.’”
For those who prefer visual explanations, a story on “How a cyberattack paralyzed the U.S. health care system” is available from the PBS News Hour.
WHAT CAN BE DONE TO SUPPORT HOSPITALS
One approach that hospitals are adopting to combat cyber threats is to combine resources and collaborate against cyber attacks. The Michigan Healthcare Cybersecurity Council (MiHCC) comprises a coalition of Midwest hospitals working in unison to counter cybercrime. According to their website, collectively these hospitals:
- “Engage members and the community — We offer opportunities for collaboration and contribution to peers through our routine member activities throughout the state.
- “Generate valuable content — As a collective of information security professionals in the healthcare sector, we possess valuable practices and experiences to share.
- “Leverage our expertise to enhance our joint security — As leaders in our region, we each hold relationships, partnerships, and teams that can supply valuable insights to our respective organizations and institutions.
- “Identify and collaborate with partner organizations — Our aim is to build networks of networks across sectors and beyond to discover common ground and solutions.
- “Voice support for our healthcare community — Given the size and diversity of our community, our voices are essential to promote outreach and connectivity.
- “Promote skill development and cooperation within our members’ institutions — We foster deep connections among the teams within our member organizations so that skills can be shared and cultivated among like-minded professionals.”
This video/podcast provides a detailed look into the impact of a cyber attack on hospitals or healthcare systems.
Here’s a brief excerpt from the video: “The MHA released a new episode of the MiCare Champion Cast examining the aftermath of a cyber attack on a hospital or health system featuring Jack Kufahl, the chief information security officer at Michigan Medicine.
“In his role, Kufahl oversees the planning, development, implementation, and maintenance of information assurance activities throughout the academic medical center. Although the healthcare system was not significantly impacted by the Change Healthcare breach, Kufahl shared insights on how his team responded and how cybersecurity measures could be improved.”
“’Establishing a long-term [cybersecurity] framework is one of the most crucial steps any hospital or healthcare organization can take to gauge improvement over time,’ emphasized Kufahl, highlighting the availability of numerous resources that can be utilized despite financial constraints.”
REFLECTIONS
Some individuals may be questioning, “What government repercussions arise from cyber attacks on the healthcare industry?”
An illustration can be found in a recent article: “HHS facing obstacles as the primary agency for healthcare cybersecurity: GAO.” Here’s a concise excerpt:
- “The Government Accountability Office published a report last Thursday stating that the Department of Health and Human Services is encountering difficulties in addressing cybersecurity risks within the healthcare sector.
- “Among the challenges identified by the government watchdog is the absence of policies recommended earlier regarding monitoring the adoption of ransomware-specific cybersecurity practices by the industry or evaluating risks from IoT or operational technology devices.
- “Until these gaps are addressed by the HHS, the department may not be able to effectively lead the industry in cybersecurity — presenting a potential risk to providers and patient care, according to the GAO.”
About Author
