Cyber insecurity now impacts the health and wellness of Americans. We need a clearer treatment plan.
When a hospital in Wichita, Kansas, faced dangerous disruptions to patient care in May, it was not due to the challenges one might expect, such as hospital-acquired infections or staffing shortages. Ascension Via Christi St. Joseph experienced a cyberattack. Unfortunately, this hospital was not alone.
In February, cybercriminals hacked Change Healthcare, a subsidiary of UnitedHealth — one of our nation’s largest health care insurers. Attackers exploited UnitedHealth’s lack of multifactor authentication, severely interrupting UnitedHealth’s services. Ultimately, the attackers forced the company to pay a $22 million ransom to re-access customer data.
Cyberattacks in the health care sector are becoming as common as routine checkups — and we need a clearer treatment plan.
Last year, 1 in 3 Americans were affected by health care data breaches, and 133 million records were exposed. Cyberattacks against hospitals doubled in 2023 compared to 2022. According to a May survey conducted by the firm Software Advice, roughly 1 in 4 health care computer hacks impacted patient care.
We must take proactive steps to keep our health care networks and physical infrastructure healthy and resilient. To do so, the public and private sectors must work together to ensure accountability in implementing cybersecurity best practices and accessibility to cybersecurity services.
First, accountability. While interconnected information technology systems can make our lives easier, dependency on a handful of vendors can create concentration risk that could have significant impacts if something goes wrong.
The global IT outage in July caused by CrowdStrike’s errant update, which even impacted medical procedures, demonstrated the widespread consequences a mistake in cyberspace can have on our daily lives.
Congress must ensure the Cybersecurity and Infrastructure Security Agency strengthens its collaboration with the health care sector to identify cross-sector points of vulnerability and share information to mitigate risks to patients, providers, and networks. It’s also important to ensure CISA is not another burdensome regulator, so duplicative regulations don’t cut into the resources that businesses and health care providers need for actual cybersecurity.
Proper implementation of the landmark Cyber Incident Reporting for Critical Infrastructure Act of 2022 and harmonization of cyber regulations is imperative amid this threat landscape. CISA’s recently proposed rule for CIRCIA not only highlighted the danger of overlapping requirements but also the pitfalls of ambiguity. Third-party entities like Change Healthcare may or may not be clearly covered under the reporting requirements.
Second, accessibility. As a member of the Bipartisan Rural Healthcare Caucus and a former chief executive officer for an emergency services staffing company, I know this is often easier said than done.
Due to the cost of securing IT, nearly 40% of health care providers have no contingency plan for cyber intrusions or data leaks. Cyber hygiene should be looked at as a critical investment, not an expense, and basic cybersecurity practices should be easily accessible.
We need a new approach to teaching cyber hygiene to all professionals — one that makes a cybersecurity mindset mission-critical and not an administrative box to check. This is especially important for professionals in one of our most targeted critical infrastructure sectors.
When it comes to the health care workforce, cybersecurity and cyber awareness are not often skill sets deemed essential. Nonetheless, every entity must have a robust cybersecurity workforce to protect Americans’ data, and non-cyber professionals must be educated in cyber hygiene to protect themselves, and their customers, from any potential threats.
Third, collaboration. Approximately 85% of the health care sector is privately owned and operated. In a Nashville roundtable this summer with CISA Director Jen Easterly, cybersecurity best practices were top-of-mind for health care stakeholders, with many mentioning the need to streamline federal cyber requirements and empower our talent pipeline.
Congress must continue facilitating communication between private industry and the federal government to address these vulnerabilities before more costly intrusions impact American families, providers, and patients.
One vulnerability to be aware of is the use of open-source software. While the open-source software used for hospital information technology increases accessibility, it can also present security risks with huge effects due to its ubiquitous nature. For example, the Log4J vulnerability, which was identified by industry last summer, left countless networks at risk of intrusion due to malicious code added to a commonly used software logging capability.
The Securing Open Source Software Act of 2023, which I introduced in the House of Representatives and helped advance through my committee, would improve how the federal government manages this risk and can set a better standard for private industry.
As a former physician, I know that health care is not just about reacting to illness or injury, but empowering healthy lifestyle choices. Likewise, cybersecurity begins with proactive cyber hygiene. Cyberspace is our shared realm to understand, advance, and defend. The health and wellness of Americans — as well as the security of our homeland — depends on it.
Rep. Mark Green, a Republican, is a former physician and combat veteran of Afghanistan and Iraq, where he served three tours. He is chair of the House Homeland Security Committee and serves on the House Armed Services and Foreign Affairs Committees.