
Health Care Needs Better Cybersecurity

Op-Med is a collection of original articles contributed by Doximity members.

It was the calm before the storm. During a shift on my surgery rotation, we received a massive influx of patients from a neighboring hospital. The team was confused why ambulances continued to stream in, until we realized the other hospital was the victim of a cyberattack, and their EMR system was paralyzed. They were unable to view patient charts and deliver life-saving care, and began diverting ambulances to our hospital. The incident was my first encounter with the complex way in which cybersecurity affects patient safety. Hospitals and clinics are places where trusted professionals are prepared for the worst outcomes and ready to help whoever walks through the door. However, in February, a cyberattack occurred affecting Change Healthcare (“Change”), a billing clearinghouse that processes payments from insurance companies such as Aetna and Humana, pharmacy claims transactions, prior authorizations, and other billing transactions that affect the day-to-day care of patients.

This was the largest cyberattack in U.S. health care history, affecting one-third of all medical records in the country. In response to the attack, Change immediately ceased operations and disconnected their online portal for several weeks. The shock of this impact was felt almost immediately by the health care system, as hospitals and offices endeavored to receive payment for services and patients struggled to pick up their medications. The ransomware attack held victims’ data hostage until payment was received, with Change reportedly paying $22 million in the form of Bitcoin to a group known as AlphV. Despite the FBI advising hospitals not to pay the ransom when a ransomware attack occurs, many hospital systems and insurance companies cave in and pay, incentivizing hackers to continue the practice. In 2023 alone, ransomware payments amounted to a staggering $1.1 billion. The health care industry urgently needs to invest in cybersecurity infrastructure, and the government must create more substantial protections for patient information.

The largest impacts are felt by smaller offices, which cannot postpone paying their employees and their facility rent. Some business owners have had to temporarily reach into their personal bank accounts to cover necessary expenses. The administrative burden of mail-in claim submissions also takes a toll on support staff, creating an excessive burden on health care offices that is especially apparent in underserved communities. Not all health care offices can qualify for a business loan, as the business of saving lives is not meant to be profitable. In March, HHS offered accelerated payment plans for Medicare providers. However, these loans are a drop in the bucket when compared to typical monthly expenses, causing offices to consider the unthinkable: whether they should close their doors to patients.

Health care’s electronic infrastructure is vulnerable, with the frequency of attacks and data breaches doubling from 2016 to 2021. While it is easy to issue a new credit card number, it is impossible to change a diagnosis. Without access to patient records, health care comes to a complete standstill and adverse outcomes ensue. Patients feel the brunt of the impact, whether it be canceled elective surgeries, rerouted ambulances, or even longer wait times. Without electronic safety measures in place and with phone systems down, handwritten communications lead to more errors and delays in care. Studies have demonstrated that cyberattacks increase hospital mortality for patients who are already receiving care. Regulation of cybersecurity in health care is scarce, with few ways to detect fraud and no monitoring agencies that track stolen protected health information. Complicating the matter, hospitals are allowed to choose their own security standards, which may lead to insufficient or inconsistent protections. The White House recently released the National Cybersecurity Strategy to outline how it plans to advance security in the health care system, including minimum security standards, federal incentives to aid in building secure platforms, and increased accountability when data breaches occur. In May, HHS launched a new $50 million investment to upgrade cybersecurity protections for health care facilities.

Despite profits for insurance and hospital groups being in the billions, industry investment in cybersecurity is scant. As a physician-in-training, I have pledged to practice beneficence, doing the best for my patients and actively removing them from harm in all forms. I cannot help but feel dismayed that, despite record financial gains in the insurance industry, cybersecurity incidents continue to occur more frequently. With profits like these, there is no excuse for the health insurance industry's lax cybersecurity standards. Cybersecurity has become a patient safety issue and can no longer be ignored. In early April, another cyberattack was reported to have affected almost 1 million patient records. Barely one month later, a cyberattack affected Ascension, an organization that operates 140 hospitals in 19 states. UnitedHealth Group’s CEO Andrew Witty recently testified in front of the Senate Finance Committee to discuss how the Change cyberattack occurred due to a lack of multi-factor authentication, which is considered an industry standard. With back-to-back attacks on a fragile system and lawmakers' eyes on the issue, it is now a timely moment for reform.

I have taken an oath to do no harm and to avoid causing pain and suffering to my patients. Unfortunately, health insurance companies have taken no such oath and benefit from a system that exploits doctors and patients. Although this cyberattack occurred months ago, physicians are still struggling today. The American Medical Association recently surveyed its members and found that 85% are continuing to face financial challenges in claims payments, with small practices of fewer than 10 physicians struggling the most. When practices close because of cyberattacks, patients lose access to their physicians, and vulnerable, underserved communities are impacted the most. Simple solutions exist, such as updating old technology systems, better integration of the plethora of software platforms used, routine testing of security systems, and minimum government security standards. The practice of leaving patient data at risk for corruption in the name of higher profits needs to be stopped. Our lives, and our patients' lives, depend on it.

What are your thoughts on health care's cybersecurity status? Share your solutions in the comments.

Manasvi Khullar B.S. is a medical student at Touro University California College of Osteopathic Medicine in Vallejo, California.

Image by maxkabakov / Getty 

All opinions published on Op-Med are the author’s and do not reflect the official position of Doximity or its editors. Op-Med is a safe space for free expression and diverse perspectives. For more information, or to submit your own opinion, please see our submission guidelines or email opmed@doximity.com.
