
Damaging hacks expose the weak underbelly of America's health care system


A pair of recent ransomware attacks targeted computer systems at two major American health care firms, leading to disruptions in patient care and revealing vulnerabilities in the US health care system’s defenses against hackers.

The attacks prompted both federal officials and private cyber experts to work quickly to minimize the damage and restore computer functionality. However, the consequences of the hacks, including diverted ambulances and pharmacies unable to process insurance, have highlighted the inadequate preparation of the health care system for cyberattacks, emphasizing the need for new security regulations. Compared to other industries, the health care sector lags behind in IT security measures.

Lawmakers and policy experts are increasingly advocating for mandatory cybersecurity standards in the health care sector, particularly for large companies that serve millions of patients. Without action, patients' access to care and their personal health information will continue to be compromised and held for ransom by hackers.

Data from a cybersecurity firm revealed that in 2023, 46 hospital systems in the US, comprising 141 hospitals, were impacted by ransomware, a significant increase from the previous year.

The two ransomware attacks targeted different aspects of the health care system. In February, cybercriminals gained access to an unsecured computer server used by a major insurance billing company, causing financial losses and disruptions in pharmacy services across the US. In May, another attack affected a nonprofit health network, resulting in diverted ambulance services.

The Biden administration plans to introduce minimum cybersecurity requirements for US hospitals, although the details are still being finalized. However, the American Hospital Association opposes the proposal, stating that it would unfairly penalize organizations that have already been victimized by cyberattacks. The Department of Health and Human Services has expressed willingness to use financial penalties to incentivize health care organizations to improve their security measures.

Efforts are also underway in Congress to enforce basic cybersecurity standards for health care organizations. Additionally, a proposed bill suggests providing Medicare payments to hacked providers that meet minimum cybersecurity standards.

The recent ransomware attacks on major health care organizations have brought attention to the sector’s vulnerabilities and raised concerns about the consolidation of the US health care industry. Hackers gaining access to one company can have widespread implications for the millions of patients reliant on the affected health network.

Experts argue that any new cybersecurity regulations should have a meaningful impact on improving the sector’s security practices, acknowledging the costs involved. Neglecting cybersecurity measures can ultimately be more costly for organizations.

The parent company of one affected firm, UnitedHealth Group, is a significant player in the US health care market and handles a large portion of American patient records. Concerns have been raised about the company’s vulnerabilities despite its substantial resources.

The Justice Department is investigating antitrust concerns related to UnitedHealth Group and has also formed a task force to examine health care monopolies and collusion more broadly.