America’s healthcare networks are under attack
February 21, 2024, started like any ordinary day, but ended amid one of the most consequential cyberattacks in US history. It was an incident everyone in the healthcare industry feared, but few had fully considered the potential magnitude and downstream impact. We can no longer deny that America’s health system is under attack from a faceless, increasingly sophisticated foe that continuously threatens patient safety and the fundamental operations of the entire health ecosystem.
Not only did the attack on Change Health reportedly cost the company an estimated $1 billion it also compromised patient data and put them at serious risk. Large sections of the healthcare industry were not able to automate the payment of claims, verify patient eligibility for services, or approve prescriptions. Clinics and hospitals could not pay their staff or fund the medications they needed to offer essential services such as dialysis. The financial and administrative fallout from this attack still challenges hospitals and clinics across the country. Especially hard hit are small, rural hospitals and clinics which lack the financial reserves to survive without timely insurance reimbursements.
Healthcare cybersecurity vulnerabilities extend far beyond the unsettling possibility of stolen personal data. These weaknesses can create real-world disruptions that directly impact patient care. Imagine a scenario where a ransomware attack encrypts hospital files, hindering access to electronic health records (EHRs). This can stall diagnoses, delay critical treatments, and force cancellations of surgeries. Furthermore, vulnerabilities in internet-connected medical devices like pacemakers or infusion pumps could be exploited, potentially altering settings or even rendering them inoperable, putting patient safety at risk. These are just a few examples of how cybersecurity breaches can have a chilling effect on healthcare operations, highlighting the importance of robust digital defenses in protecting both patient privacy and well-being.
While Change Healthcare is an extreme example, these attacks are happening daily. The U.S. Department of Health and Human Services (HHS), notes that the healthcare industry has seen a 239% increase in large breaches involving hacking and a 278% increase in ransomware reported in the past four years. Even in the face of this growing threat, healthcare providers only spend about 8% of their IT budgets on security, well below the cross-industry average.
It is clear the industry can no longer afford to take a ‘business-as-usual’ approach to cybercrime. The nature of the Change Healthcare attack demonstrated the far-reaching impact these incidents can have on our healthcare system and underscores the urgent need to implement more robust cybersecurity measures immediately.
We must fight robots with robots
In the past, the federal government provided incentives to encourage the modernization of healthcare systems. Regulations like the HITECH Act helped improve healthcare system connectivity and interoperability, and enabled providers to adopt EHRs and boost patient privacy protections. More specifically, in the US, it addressed healthcare cybersecurity with a two-pronged approach. First, it incentivized the adoption of EHRs with the requirement to implement HIPAA Security Rule standards, essentially pushing healthcare providers to prioritize data security. Second, it increased penalties for violating HIPAA regulations, creating a financial impetus for stronger safeguards. This resulted in improved data security practices such as access controls and encryption, along with heightened awareness within healthcare leadership.
Similar initiatives exist globally, such as the European Union’s GDPR which mandates strong data security practices across all sectors, not just healthcare, with hefty fines for non-compliance. Australia’s Mandatory Data Breach Notification Scheme exemplifies another approach, requiring transparency in case of breaches to incentivize organizations towards better data security. In conclusion, the HITECH Act stands as a successful example alongside other global initiatives in promoting data security, and healthcare has benefited from its focus on both incentives and penalties.
Regrettably, however, the industry’s voluntary standards have not kept up with the growing sophistication of cybercriminals and the increasing vulnerabilities created by expanding connectivity within an organization and across third parties. Instead, the industry is succumbing to massive ransom payments, the expense of which will ultimately be borne through higher health care costs for the government, employers, and patients.
We can’t go back to the days of paper files and faxed records – yet some were forced to do so as they coped with the recent large-scale breach. At the same time, we must also acknowledge the inevitable challenges this invaluable connectedness creates. The rise in medical devices, home health equipment, and telehealth services that are linked to monitoring and tracking systems increases the surface area vulnerable to cybercriminals. Ransom payments won’t end the problem. These attacks will not stop until our healthcare systems adopt the latest cyber defense technology—a new generation of autonomous digital infrastructure capable of protecting patient data and keeping essential healthcare systems up and running – even while under direct attack.
Nearly all cyberattacks and digital data thefts begin the same way — with human error. Autonomous computer systems prevent human beings from configuring systems. Instead, technology automatically configures them. And when human beings do not configure the systems, the opportunity for human error—and human mischief—is greatly reduced.
Autonomous computer systems are our best defense against cyberattacks on medical system infrastructure. Autonomous databases and autonomous operating systems can keep these key systems up and running, so they can protect patient data privacy, improve patient care, and ultimately help save lives.
Collaboration between the healthcare industry, technology providers, and our federal government is vital to accelerate the hardening of critical infrastructure. Government should establish tough privacy standards to protect highly sensitive patient data. We also need the government to set standards that require healthcare systems to keep working—even when under attack. Oracle Health partners with our clients to help them build these kinds of robust disaster recovery plans that encompass cyberattacks and outline steps to maintain critical operations despite security incidents. Finally, we consider resilience essential, including protocols for data backups, redundancy in critical systems, and incident response to help minimize client downtime during attacks.
Robots can be valuable assets in the fight for better healthcare cybersecurity, offering features that enhance security, improve efficiency, and ultimately protect sensitive patient data. They can continuously monitor network activity for suspicious patterns and anomalies that might indicate a cyberattack and automate the often-tedious task of vulnerability scanning across healthcare systems. They can also streamline patch management by automatically downloading and deploying security updates the moment they become available. And they can perform log analysis and incident reporting or even physical security within healthcare facilities.
Cyber criminals are using AI and digital robots to attack our systems. We must deploy our own AI-enabled robots to keep our networks safe. Autonomous databases and autonomous operating systems tip the balance of power and give us the technological advantage during a cyberattack.
The sooner we start using autonomous systems – and second-generation cloud technologies – the more secure and safer our healthcare systems and patients will be