In the three months since the crippling Change Healthcare ransomware attack, the healthcare industry has not seen changes for the better but instead only more attacks against hospitals and healthcare providers, most recently against pathology provider Synnovis. Sen. Ron Wyden (D-Ore.) wants to light a fire under the U.S. government to fast track cybersecurity improvements in this sector.
In a new letter this week, Wyden called on Department of Health and Human Services (HHS) Secretary Xavier Becerra to take “immediate, enforceable steps” that would require large healthcare organizations to bolster their cybersecurity practices. Wyden’s letter to the HHS, which is currently investigating whether a breach of protected health information occurred in the Change Healthcare attack, comes a week after he called on the SEC and FTC to investigate the “negligent cybersecurity practices” of parent company UnitedHealth Group.
“The agency’s current approach of allowing the health sector to self-regulate cybersecurity is insufficient and fails to protect personal health information as intended by Congress,” said Wyden in his letter on Wednesday. “HHS must act now to address corporations’ lax cybersecurity practices, which have enabled hackers to steal patient health information and shut down parts of the health care system, causing actual harm to patient health.”
One security gap on Change Healthcare’s end, which enabled the ransomware actors to achieve initial access, was the failure to enable multi-factor authentication (MFA) on a Citrix remote access portal account. Threat actors behind the attack were able to access this account, which didn’t have MFA, through compromised credentials.
This is a very basic cybersecurity best practice that the HHS could require for healthcare organizations, Wyden argued. But beyond MFA, there should be other minimum cybersecurity standards for what CISA has labeled “systemically important entities,” or the critical infrastructure making up the public health and safety systems in the U.S., like clearinghouses or large health systems.
“These technical standards should address how organizations protect electronic information as well as ensure the health care system’s resiliency to these attacks by continuing its critical functions including maintaining access to medical records, providing medical care, and supporting community health,” said Wyden. “HHS should reinforce these standards and ensure broad adoption by requiring entities that participate in the Medicare program to meet these requirements.”
“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security."
The standards should include requirements so that organizations can rebuild their IT infrastructure quickly - within 48 to 72 hours - if they are targeted by threat actors. In UnitedHealth’s case, while the company was able to restore its cloud-based systems within days, many of its key systems had not been engineered to run in the cloud, and instead ran in the company’s own servers, elongating their restoration process, according to UnitedHealth CEO Andrew Witty during his testimonies in May before multiple government committees. Wyden also urged the HHS to conduct regular audits of healthcare organizations and provide technical security assistance for providers.
Ransomware groups like Conti, FIN12 and Hive have targeted various hospitals, providers and clinics over the years, and in 2023 the healthcare and public health sector was the most common ransomware target of any critical infrastructure sector in 2023, according to the FBI.
"The sector and its supply chain have been constantly bombarded by financially-motivated cyberattacks for years,” said Brett Callow, threat analyst with Emsisoft. “It's a problem that governments have failed to get to grips with and, unless we [see] some bold new strategies, the attacks will invariably continue."
The HHS did not respond to a request for comment. In December, the department announced plans to update its healthcare sector cybersecurity regulations for the first time in 21 years. The updated regulations would include voluntary, healthcare-specific cybersecurity performance goals, as well as measures to increase accountability and coordination within the healthcare space. The HHS also said it would work with Congress to create incentives for hospitals to improve the cybersecurity of their systems. At the same time, the Healthcare and Public Health Sector Coordinating Council in April showcased a five-year Health Industry Cybersecurity Strategic Plan, which recommends 10 cybersecurity goals that it hopes will be implemented by 2029.
However, the performance goals wouldn’t be mandatory, and security experts worry about the long implementation timeline of five years. Wyden, for his part, said the HHS should go further.
“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” said Wyden in his letter. “I urge HHS to use all of its authorities to protect U.S. health care providers and patients from cybersecurity risk.”