Analysis: After years of ransomware attacks, health-care defenses still fail

Federal officials and industry executives have known for years that the U.S. health-care system was one of the critical industries most vulnerable to hacking but failed to make the improvements that might have stopped attacks like the one that has crippled pharmacists and other medical providers for three weeks.

But with private sector lobbyists opposing new security requirements, Congress and the regulatory wheels have ground slowly, mainly promoting best practices that hospitals can — and do — choose to ignore.

So can relatively unknown electronic clearinghouses like UnitedHealth Group’s Change Healthcare, which was the object of an attack launched last month by a hacker affiliated with ransomware gang ALPHV that severed a key link between medical providers and their patients’ insurance companies in the worst health-care hack ever reported. Change Healthcare said Monday that it had provided advances of $2 billion to pharmacies, hospitals and other providers who were unable to get insurance reimbursements during the failure of its network.

Critics say the Change Healthcare fiasco, which has hurt patient care at almost three-fourths of U.S. hospitals, shows that defensive efforts are horribly inadequate. They say a complete response would include strict security requirements for the most critical pieces of the sprawling system, followed by less stringent but still sufficient rules for big hospital systems. The smallest providers, which may not have any security staff, should get help, as called for in the administration’s proposed budget.

“We need to make sure we know where these vulnerable points are,” Nitin Natarajan, deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, acknowledged in an interview. “We’re looking at what levers exist.”

Some members of Congress say that should have happened already.

“The government needs to prevent this kind of devastating hack from happening over and over again,” Sen. Ron Wyden (D-Ore.) told The Washington Post. “I want to work with the Biden administration to ensure there are mandatory, specific cybersecurity rules in place as soon as possible, and to ensure accountability for CEOs.”

Deputy national security adviser Anne Neuberger said the White House is examining what laws it can use to impose such standards on a reluctant industry, while telling executives that they are expected to comply with voluntary guidelines immediately.

“The Hill has not passed any legislation providing authorities to mandate minimum standards, which is why we have been using sector emergency authorities or rulemaking,” Neuberger told The Post on Monday.

She said some requirements will come soon for providers that accept Medicare and Medicaid.

The American Hospital Association said it supports voluntary cybersecurity goals aimed at defending against the most common attacks, like phishing emails. But the organization criticized mandatory measures like those proposed by the Biden administration, saying it would penalize hospitals that fail to meet certain standards, even when most of the risk comes from third-party technologies.