
Sunday, March 10, 2024

Cyber Attack on United Healthcare Division Was Unprecedented in Scope

If you've tried to fill a prescription or get preauthorization for a drug or procedure or -- if you're a health care provider -- tried to submit a bill electronically, you have experienced the widespread crippling of our healthcare infrastructure that resulted from an unprecedented cyberhack. 

As reported by KFF Health News (March 8):
The American Hospital Association calls the suspected ransomware attack on Change Healthcare, a unit of insurance giant UnitedHealth Group’s Optum division, “the most significant and consequential incident of its kind against the U.S. health care system in history.” While doctors’ practices, hospital systems, and pharmacies struggle to find workarounds, the attack is exposing the health system’s broad vulnerability to hackers, as well as shortcomings in the Biden administration’s response.

Despite the centrality of digital record-keeping, billing, and payment systems, there turns out to be no meaningful governmental involvement in this arena.

To date, government has relied on more voluntary standards to protect the health care system’s networks, Beau Woods, a co-founder of the cyber advocacy group I Am The Cavalry, said. But “the purely optional, do-this-out-of-the-goodness-of-your-heart model clearly is not working,” he said. The federal government needs to devote greater funding, and more focus, to the problem, he said. [emphasis added]

Restoration of full operability after a cyber attack typically takes 30 days, according to Mr. Woods, which means we can all expect slower response times to virtually all requests for health-related services at least through March and probably into April. Meaningful federal action will take much, much longer.

 


Wednesday, February 21, 2024

Top Four Kick-the-Can Issues in Health Care

Becker's is an incredible daily resource through various newsletters aimed at hospital management, CFOs, and policy makers. From their vantage, they have a good feel for the recurring issues that government ignores and that might yield at least somewhat to public-private partnerships. Here are their top four:

1. Hospital closures. It seems lawmakers only start to take notice of hospital financial solvency when closure announcements are made. Lost in this 11th-hour dynamic is concern for patient safety and care quality. The closure of a hospital is one thing. But just as important — and often neglected — is scrutiny of the quality of care patients receive in the period leading up to the announcement of closure. 

2. Hospital staff safety. The Safety from Violence for Healthcare Employees Act was introduced in the House last April and in the Senate last September. The bipartisan legislation would make it a federal crime to knowingly assault hospital workers and enact federal protections for healthcare workers like those in effect for aircraft and airport workers. 

Since the legislation's introduction, individual acts of violence in hospitals continue to unfold and make headlines as more longitudinal data is released showing just how much more hostile healthcare settings have become. More than double the number of health workers reported harassment at work in 2022 than in 2018, including threats, bullying, verbal abuse, or other actions from patients and co-workers that create a hostile work environment, according to CDC data. More than 5,200 nursing personnel were assaulted in the second quarter of 2022, according to data from Press Ganey, amounting to about 57 assaults per day. 

3. Healthcare workforce shortages. Much attention is paid to technology solutions and AI support systems to augment the healthcare staff and workers who are in short supply. But look more closely, and the foundation of data about the U.S. workforce looks like Swiss cheese. 

There are more than 8,300 designated primary care shortage areas in the U.S., and nearly 200 of them have been federally designated as such for at least 40 years. This finding stems from an analysis that KFF Health News published last month. One area on the far south side of Chicago has been designated as a shortage area since 1978. Another area, in the Baton Rouge metro area in Louisiana, has been named a shortage area since 1979, most recently with 22 full-time primary care physicians for nearly 140,000 people.

4. Hospital cybersecurity. Becker's covered one of the earliest hospital ransomware attacks on a small hospital in Kentucky in 2016. Methodist Hospital in Henderson, Ky., operated in an internal state of emergency for five days and did not pay the ransom. Since, we've seen cybergangs and criminals grow more savvy, emboldened and nefarious in their targeting of hospitals. Health system ransomware attacks nearly doubled in 2023, with 141 U.S. hospitals affected last year and data stolen in 32 of 46 of the events. 

These attacks can wreak havoc and cause harm to entire healthcare infrastructures across state lines. Last November, the hack of 30-hospital Ardent Health Services, based in Nashville, Tenn., caused ambulances to be diverted across six states. The actors behind these attacks have also grown more cruel, hitting children's hospitals (most recently Lurie Children's, a level 1 pediatric trauma center in Chicago), demanding $900,000 from a safety-net hospital in 48 hours, publishing data about hospital staff, or activating other hospital equipment mid-attack.


Tuesday, August 08, 2023

SEC's Final Cybersecurity Rule and the Health Care Industry

Rachel Rose and Bob Chaput have written a helpful guide to the SEC's new final rule on cybersecurity and related issues (most especially reporting cyber breaches): "The Nexus Between the SEC’s Final Rule and the Health Care Industry" in the American Health Law Association's Health Law Weekly (Aug. 4, 2023). The first couple of paragraphs serve as an abstract for the piece (footnotes omitted):

In March 2023, we wrote the article, Why ALL Health Care Organizations Must Care About SEC Proposed Cybersecurity Rule Changes, which highlighted the U.S. Securities and Exchange Commission’s (SEC’s) March 9, 2022 announcement of its proposed rules related to cybersecurity requirements (i.e., risk management, corporate governance, and incident disclosures).

While testifying in front of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Gary Gensler stated, “[t]he proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.” The wait is over. On July 26, 2023, the SEC released its final rule related to cybersecurity. Specifically, the final rule requires registrants and foreign issuers alike “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”

This article highlights some of the key areas that health care sector participants—public, private, and not-for-profit—should consider in relation to enterprise risk management and policies and procedures.

Before those of you who don't represent clients whose shares are registered with the SEC conclude that this article doesn't apply to your clients, NOT SO FAST. One of the major takeaways of this article -- which is brief and to the point -- is that there is enough potential liability to go around.

The article is available to AHLA members only, which is reason enough to join if you haven't already!


Monday, July 10, 2023

Cyber attacks against hospitals increase over 2022

Hospital giant HCA announced this morning that data on 11 million patients -- patient names, phone numbers, dates of birth, appointment dates and other personal details -- had been stolen from its system and posted online. This comes on the heels of this morning's report in Chief Healthcare Executive that cyber breaches against hospitals in the first half of 2023 approached the number of hospital breaches for all of 2022.

All the more reason for SMU law students to sign up for our one-week August course on cyber breaches!