Ascension attack reveals wider vulnerabilities

Delivered daily by 10 a.m., Pulse examines the latest news in health care politics and policy.

Jun 21, 2024 View in browser   By Chelsea Cirruzzo and Ben Leonard With Toni Odejimi  Driving The Day The Change Healthcare cyberattack dominated the attention of policymakers this year, but experts warn not to forget May's Ascension breach. | Jean-Philippe Ksiazek/AFP via Getty Images WHAT ASCENSION TELLS US — For most of this year, policymakers have put pressure on Change Healthcare to explain and mitigate the impacts of a February cyberattack, estimated to have impacted the data of one-third of Americans. But some cybersecurity experts say not to overlook the May cyberattack on Catholic nonprofit Ascension, which operates 140 hospitals nationwide. “Change Healthcare impacted pretty much every health care system in the country and caused them financial pain,” said Toby Gouker, chief security officer of government health at First Health Advisory, which provides cybersecurity consulting to the industry. That attack took the health care system’s electronic health records offline until they could be restored last week. It’s part of a larger wave of cybercriminals targeting health systems. According to HHS’ Office for Civil Rights, large breaches have increased by 256 percent, and ransomware attacks have risen by 264 percent over the past five years. Though smaller than the Change attack, the Ascension attack has highlighted a rocky cybersecurity landscape, including: — The impact on patient safety: Ascension providers have said that the attack forced them to resort to using paper for patient records and left them scrambling for workarounds. “These things [like EHRs] used to be at people’s fingertips,” Gouker said, but without them, patient interventions could be delayed — and could have fatal consequences. “Negotiating with hundreds of vendors each with their own unique set of requirements to reconnect was an arduous and time consuming process. However, we are encouraged by the progress we have made and continue to make in restoring our systems,” Sean Fitzpatrick, vice president VP of external communication at Ascension, said in a statement. — Health systems’ vulnerability: Cybersecurity experts have said the health care sector isn’t prepared for a barrage of attacks. Ascension said hackers got in after an employee downloaded a malicious file — a different scenario from Change, which was a result of its owner, UnitedHealth, not having yet implemented two-factor authentication. — A heightened pressure to act: Continued hacks have led to increased pressure on hospitals, HHS and lawmakers to act, with some lawmakers pushing HHS to mandate cybersecurity standards. “These attacks show a failure [of health care systems] to safeguard themselves and adopt sufficient protective measures,” Sen. Richard Blumenthal (D-Conn.) told Pulse. The hospital lobby, however, has resisted mandates, citing costs. “We need and support standards for cyber, but we also need some financial help,” for smaller and underresourced hospitals, Mari Savickis, vice president of public policy at the College of Healthcare Information Management Executives, said. WELCOME TO FRIDAY PULSE. Today’s newsletter is brought to you by the start of Cancer season AKA Chelsea’s star sign! Ben is a Virgo, so his time will come later this year. Send your tips, scoops and feedback to ccirruzzo@politico.com and bleonard@politico.com and follow along @ChelseaCirruzzo and @_BenLeonard_.   THE GOLD STANDARD OF HEALTHCARE POLICY REPORTING & INTELLIGENCE: POLITICO has more than 500 journalists delivering unrivaled reporting and illuminating the policy and regulatory landscape for those who need to know what’s next. Throughout the election and the legislative and regulatory pushes that will follow, POLITICO Pro is indispensable to those who need to make informed decisions fast. The Pro platform dives deeper into critical and quickly evolving sectors and industries, like healthcare, equipping policymakers and those who shape legislation and regulation with essential news and intelligence from the world’s best politics and policy journalists. Our newsroom is deeper, more experienced and better sourced than any other. Our healthcare reporting team—including Alice Miranda Ollstein, Megan Messerly and Robert King—is embedded with the market-moving legislative committees and agencies in Washington and across states, delivering unparalleled coverage of health policy and the healthcare industry. We bring subscribers inside the conversations that determine policy outcomes and the future of industries, providing insight that cannot be found anywhere else. Get the premier news and policy intelligence service, SUBSCRIBE TO POLITICO PRO TODAY.     Cybersecurity Andrew Witty, CEO of UnitedHealth Group, testified at a Senate hearing in May that about one-third of Americans were affected by a breach at Change Healthcare. | Jacquelyn Martin/AP BREACH NOTIFICATIONS BEGIN — Change Healthcare, the nation’s largest medical bill clearinghouse, started notifying providers and insurers on Thursday whether their patients’ or members’ data was compromised in a February cyberattack, Chelsea reports. The breach notifications come after HHS’ Office for Civil Rights clarified last month that providers could delegate the burdensome requirement of notifying affected patients to Change. Change said Thursday it would provide patients with a link to a website to help them with any questions. The company said it’s reviewed more than 90 percent of affected files and found no evidence that doctors’ charts or full medical histories were taken, but said the compromised data taken likely includes individuals’ contact and health insurance information and billing claims and potentially even Social Security numbers. “CHC is assuming responsibility for making individual notifications on behalf of those impacted customers which do not opt out of CHC’s notifications process, as outlined in the customer notice,” Change said in a press release. AROUND THE AGENCIES COURT RULES AGAINST HHS — HHS overstepped its authority when it issued guidance last year warning hospitals that tracking visitors to their websites was a violation of health privacy rules, a federal district court in Fort Worth, Texas, ruled Thursday. The decision, by Judge Mark T. Pittman, is a victory for the American Hospital Association, which sued in November. “HHS tried to tweak the definition [of “individually identifiable health information to include web visits] and got caught,” he wrote in his decision, POLITICO’s Ruth Reader reports. HHS argued that it was merely restating existing policy in a new context and that the guidance wasn’t binding. An HHS spokesperson declined to comment. Why it matters: Last year, the HHS guidance sent health systems scrambling to strip ad-targeting technology from public-facing websites to comply with the guidance. It came amid a broader crackdown on web-based health care data tracking by the FTC. Health systems had argued that they were using ad-targeting technology the same way any business would: to connect with new patients. What’s next: Health systems can again use Google Analytics and Facebook Ads to track visitors to their websites. In Congress FERTILITY CLINIC SAFETY AUDIT — Amid a flurry of competing legislation protecting in vitro fertilization, leading Senate health committee Republicans are pushing HHS to audit the safety standards at fertility clinics. How we got here: Following an Alabama Supreme Court ruling that said frozen embryos could be considered people, lawmakers have scrambled to figure out how to safeguard the popular procedure. Both Democrat- and Republican-backed bills in Congress to protect the procedure have failed. Democrats continue to emphasize they will shield reproductive health care, while many Republicans have been wary of taking sides on IVF or eager to show their support. On Thursday, Sens. Bill Cassidy (R-La.), ranking member of the Senate Health, Education, Labor and Pensions Committee, along with Sens. James Lankford (R-Okla.), Roger Marshall (R-Kan.), Tommy Tuberville (R-Ala.) and Markwayne Mullin (R-Okla.), called on HHS’ Office of Inspector General to audit the data the CDC collects on fertility centers, citing a 1992 statute that requires the fertility clinics to report certain data to the agency, which is then published publicly. The senators want OIG to evaluate “how well [fertility] clinic oversight is working to better enable Congress to evaluate what changes may need to be made,” with particular attention to embryo safety standards. Lankford, along with Sen. Cindy Hyde-Smith (R-Miss.), has also introduced legislation supported by some pro-life groups that would require HHS to increase research on reproductive health care issues, including endometriosis and fibroids.   SUBSCRIBE TO GLOBAL PLAYBOOK: Don’t miss out on POLITICO’s Global Playbook, our newsletter taking you inside pivotal discussions at the most influential gatherings in the world. Suzanne Lynch delivers the world's elite and influential moments directly to you. Stay in the global loop. SUBSCRIBE NOW.     Public Health GUN LOCKUP — A new CDC study suggests that locking and safely storing firearms could decrease gun homicides and injury to children, Toni reports. The study looked at eight states from 2021 to 2022 — years when gun homicide and suicide rates were staggeringly higher than pre-pandemic days. It included states with more restrictive gun policies, such as California, to states with more relaxed policies, such as North Carolina. Unloaded guns far surpassed loaded guns in homes. However, when a gun is loaded, it’s about a 50/50 toss-up whether that gun is stored unlocked. That’s a health hazard for children who could access the storage area, say the researchers. Homicide and suicide rates increase in homes with firearms, regardless of who owns them. Pushes to get gun owners to store their guns securely aren’t new. Some states have adopted laws to ensure that kids can’t access guns. Other states have offered incentives, such as tax breaks, to gun owners who store their guns securely in a safe. Names in the News Waheed Omer has joined Albright Stonebridge Group as a senior adviser. Omer was most recently Pfizer’s senior manager of communications for research and development. Sean P. Roddy has joined the National Association of Community Health Centers as its chief financial officer. He recently was chief financial officer for the Society for Human Resource Management. WHAT WE'RE READING NPR reports on cancer rates in Gen X that are expected to outpace boomers. Al Jazeera reports on an international program to boost vaccine production in Africa.   Follow us on Twitter Dan Goldberg @dancgoldberg Chelsea Cirruzzo @chelseacirruzzo Lauren Gardner @Gardner_LM Sophie Gardner @sophie_gardnerj Kelly Hooper @kelhoops Robert King @rking_19 Ben Leonard @_BenLeonard_ David Lim @davidalim Megan Messerly @meganmesserly Alice Miranda Ollstein @aliceollstein Carmen Paun @carmenpaun Daniel Payne @_daniel_payne Ruth Reader @RuthReader Erin Schumaker @erinlschumaker   Follow us

To change your alert settings, please log in at https://login.politico.com/?redirect=https%3A%2F%2Fwww.politico.com/settings This email was sent to edwardlorilla1986.paxforex@blogger.com by: POLITICO, LLC 1000 Wilson Blvd. Arlington, VA, 22209, USA Unsubscribe | Privacy Policy | Terms of Service