News: Warding off health care hackers

Tuesday, May 14, 2024

Warding off health care hackers

May 14, 2024

View in browser

By Chelsea Cirruzzo and Ben Leonard

Presented by The American Hospital Association

Driving The Day

A laptop affected by a ransomware attack is pictured.

Cybercriminals are attacking health care systems with ransomware more aggressively than they have in the past. | Rob Engelaar/AFP via Getty Images | Getty

HOSPITALS VS. HACKERS — The health care industry isn’t “battle-hardened” against hackers, cybersecurity experts told Pulse, as the industry reels in the wake of ransomware attacks at two major systems.

Cybercriminals took Ascension’s health records offline when they attacked the Catholic nonprofit last week. The strike followed a ransomware attack in February against Change Healthcare, a large medical bills clearinghouse owned by UnitedHealth Group.

Cybersecurity attacks in the sector have skyrocketed in recent years, with a 141 percent increase in large breaches reported to the HHS Office for Civil Rights from 2022 to 2023. Ransomware attacks have increased by 264 percent in the past five years, the agency said.

Pulse spoke with a cybersecurity expert about the methods cybercriminals use to attack health care companies and why the breaches are so difficult to contain.

“Ocean's Eleven” scheme: Toby Gouker, chief security officer of government health at First Health Advisory, which provides cybersecurity consulting to the industry, said hackers spend time in health systems doing reconnaissance before demanding a ransom.

“If you’re thinking of the movie ‘Ocean’s Eleven,’ they do that same kind of thing: They study the casino, they learn where the money is kept, where the traffic flows, where the guards are,” he said.

By the time they demand ransom, Gouker said, hackers have already locked and encrypted data and stolen backup files that could have been used to restore systems.

A new frontier: Hackers have largely steered clear of attacking health systems because they “seemed to have a little bit of ethical behavior,” Gouker said. However, law enforcement action against these groups might have changed that.

In February, the Cybersecurity and Infrastructure Security Agency said the administrator of the ransomware service behind the attack on Change Healthcare had encouraged its affiliates to target hospitals after government officials came after the group in December 2023. The agency recently warned about Black Basta, another so-called ransomware service, that it says has targeted health care organizations.

Health care systems aren’t ready for the attacks, Gouker said.

“Their defenses are a lot more immature than other industries — finance, retail, even oil and gas,” Gouker said. “Those industries are battle-hardened. They’d been attacked 10 to 15 years ago.”

What hospitals say: The American Hospital Association disagrees that its members aren’t prepared for attacks and said many of the breaches are due to vulnerabilities in third-party technology.

“Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” an AHA spokesperson said in a statement.

The group has pushed back on HHS’ efforts to mandate cybersecurity standards, citing the costs and urging the government to do more itself.

“Cyberattacks are largely perpetrated by sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation-states. Defeating these hackers requires the combined expertise and authorities of the federal government,” the spokesperson said.

WELCOME TO TUESDAY PULSE. Canadian wildfires could disrupt our summer again. Send your tips, scoops and feedback to ccirruzzo@politico.com and bleonard@politico.com and follow along @ChelseaCirruzzo and @_BenLeonard_.

A message from The American Hospital Association:

America’s hospitals and health systems are ready for you, 24/7. This week, almost 1 out of every 100 individuals will visit the emergency room. And by the end of this year, more than 130 million people will have made this visit. You may not know when you’ll need us; but in America’s hospitals and health systems, we’re always ready — because emergencies don’t wait for business hours. Learn more during National Hospital Week May 12 – 18.

In Congress

Rep. Cathy McMorris Rodgers (R-Wash.).

Rep. Cathy McMorris Rodgers wants to see the use of quality-adjusted life years banned in Medicaid and the VA. | J. Scott Applewhite/AP

A SHOT IN THE ARM FOR QALY BAN EFFORTS — Rep. Cathy McMorris Rodgers (R-Wash.) sees new HHS rules barring discrimination against people with disabilities as more reason to ban the use of quality-adjusted life years in federal programs, Ben reports.

QALY attempts to quantify a drug’s impact on quality of life and health outcomes. Those who support banning QALY’s use think it undervalues treatment benefits for patients with disabilities, while its backers argue it avoids overpaying for care that doesn’t deliver substantial benefits.

The Affordable Care Act banned QALYs and similar measures in Medicare “as a threshold to determine coverage.”

Rodgers, chair of the House Energy and Commerce Committee, led a bill that passed in the House earlier this year that would prohibit the use of QALYs and similar measures in Medicaid, the VA and other federal programs. Language in HHS’ new rule prohibits federally funded programs from denying benefits based on measures that discount the value of life due to disability, but Rodgers said the regulations don’t do enough.

“The Biden administration’s rule — which is a small step in the right direction — is also a tacit admission that individuals are still being denied care simply because they have a disability or chronic condition,” Rodgers said Monday. “I’m working to evaluate how the rule changes the costs associated with my legislation, possibly eliminating the need for the pay-for, which had been the administration’s stated objection to the bill.”

A number of advocacy groups, including the National Down Syndrome Society, share Rodgers’ view.

THE GOLD STANDARD OF HEALTHCARE POLICY REPORTING & INTELLIGENCE: POLITICO has more than 500 journalists delivering unrivaled reporting and illuminating the policy and regulatory landscape for those who need to know what’s next. Throughout the election and the legislative and regulatory pushes that will follow, POLITICO Pro is indispensable to those who need to make informed decisions fast. The Pro platform dives deeper into critical and quickly evolving sectors and industries, like healthcare, equipping policymakers and those who shape legislation and regulation with essential news and intelligence from the world’s best politics and policy journalists.

Our newsroom is deeper, more experienced and better sourced than any other. Our healthcare reporting team—including Alice Miranda Ollstein, Megan Messerly and Robert King—is embedded with the market-moving legislative committees and agencies in Washington and across states, delivering unparalleled coverage of health policy and the healthcare industry. We bring subscribers inside the conversations that determine policy outcomes and the future of industries, providing insight that cannot be found anywhere else. Get the premier news and policy intelligence service, SUBSCRIBE TO POLITICO PRO TODAY.

AROUND THE AGENCIES

RI HOSPITAL INVESTIGATED — Rhode Island violated civil rights law by segregating children with mental health and developmental disabilities at a psychiatric hospital in Providence, HHS said Monday.

The investigation into privately run Bradley Hospital looked at children up to age 21 in state care from Jan. 1, 2017, to Sept. 30, 2022, who were admitted into the hospital. It found that many of the children with mental health concerns or developmental disabilities were kept in the hospital for weeks, months and, in some cases, more than a year than necessary — often for a lack of coordination and planning between the hospital and state.

According to HHS, a typical stay at Bradley Hospital, a facility for children, is one to two weeks. Of the 527 children admitted, 116 were kept in the hospital for more than 100 days, 42 for more than 180 days and seven for more than one year.

Why it matters: This is the first case HHS has pursued out of its Olmstead initiative, which it launched last year to protect people with disabilities from being institutionalized — a direction some states and lawmakers have supported in recent years amid a rise in homelessness and drug use disorders.

“Today’s finding follows on the heels of the Office for Civil Rights’ efforts to strengthen access to care for people with disabilities like these children in Rhode Island,” said HHS OCR Director Melanie Fontes Rainer in a statement.

What Rhode Island says: “While our Administration has taken actions to improve our current placement system, we understand that more must be done. Together, we will continue to seek short- and long-term solutions to provide each child with a behavioral health disability the appropriate services in the most integrated setting,” Olivia DaRocha, press secretary for Gov. Daniel McKee, said in a statement.

A message from The American Hospital Association:

IN THE STATES

STUDY: COVID INCENTIVES MIGHT HAVE WORKED — West Virginia’s policy that offered a $100 incentive to young adults for getting the Covid-19 vaccine was associated with a robust rise in people who got the shot, a new study says.

The study, published in Health Affairs, is the first statewide analysis of incentive programs employed during the pandemic to persuade people to be vaccinated.

West Virginia officials announced in 2021 that young adults ages 16-35 — who accounted for more than half of the state’s vaccine-hesitant population — were eligible for a $100 savings bond or gift card if they were fully vaccinated.

Researchers from Tulane University analyzed biweekly Census Bureau data from between April 26 and June 20, 2021, when West Virginia offered an incentive and found that it was associated with a nearly 12 percent increase in vaccination rates among 16- to 35-year-olds.

This association varied significantly among different groups within that age range, however: The increase in the percentage of people ages 23 and older vaccinated was larger among unemployed people and people ages 23 and older with an income below $35,000. Researchers also noted a larger increase among people who had never had a Covid infection compared with people who had gotten sick before.

The researchers also observed that this policy effect was larger than the effect noted by 12 states that entered people who got vaccinated into a lottery.

LISTEN TO POLITICO'S ENERGY PODCAST: Check out our daily five-minute brief on the latest energy and environmental politics and policy news. Don't miss out on the must-know stories, candid insights, and analysis from POLITICO's energy team. Listen today.

Names in the News

Sophie Vaughan is now manager of federal advocacy communications at the Planned Parenthood Federation of America and the Planned Parenthood Action Fund. She most recently was at Precision Strategies.

A message from The American Hospital Association:

WHAT WE'RE READING

POLITICO’s Carmen Paun reports on Melinda French Gates’ plan to leave the Bill and Melinda Gates Foundation.

Reuters reports on how new breast cancer genes discovered in women of African ancestry may help with risk screening.

Follow us on Twitter