Cyber crooks steal medical information of tens of millions of people in the U.S. every year, a number that is rising fast as health care undergoes its digital transformation.
It leads to millions of dollars in losses for hospitals, insurers and other health care organizations, threatens care delivery and exposes patients to identity theft.
But the Department of Health and Human Services’ Office for Civil Rights, which is tasked with investigating breaches, helping health care organizations bolster their defenses, and fining them for lax security, is poorly positioned to help. That’s because it has a dual mission — both to enforce the federal health privacy law known as HIPAA and to help the organizations protect themselves — and Congress has given it few resources to do the job.
“They’re a fish out of water … They were given the role of enforcement under HIPAA but weren’t given the resources to support that role,” said Mac McMillan, CEO of CynergisTek, a Texas firm that helps health care organizations improve their cybersecurity.
Due to its shoestring budget, the Office for Civil Rights has fewer investigators than many local police departments, and its investigators have to deal with more than a hundred cases at a time. The office had a budget of $38 million in 2022 — the cost of about 20 MRI machines that can cost $1 million to $3 million a pop.
Another problem is that the office relies on the cooperation of the victims, the institutions that hackers have targeted, to provide evidence of the crimes. Those victims may sometimes be reluctant to report breaches, since HHS could then accuse them of violating HIPAA and levy fines that come on top of costs stemming from the breach and the ransoms often demanded by the hackers.
Depending on the circumstances, it can seem like blaming the victim, especially since the hackers are sometimes funded or directed by foreign governments. And it’s raised questions about whether the U.S. government should be doing more to protect health organizations.
In an Aug. 11 letter to HHS Secretary Xavier Becerra, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), past co-chairs of a cybersecurity commission that examined the danger, raised that point, questioning the government’s “lack of robust and timely sharing of actionable threat information with industry partners.”
‘A stronger hammer’
The scope of the threat is massive and the consequences of breaches severe. According to a 2021 survey by the Healthcare Information and Management Systems Society, more than two-thirds of health care organizations had a “significant” incident in the previous year — mostly phishing or ransomware attacks.
These episodes pose potentially significant financial consequences and can threaten patients’ lives. A recent report from cybersecurity company Cynerio and the Ponemon Institute, a cybersecurity research center, found that about 1 in 4 cyberattacks resulted in increased mortality by delaying care.
Experts said the health care sector is particularly vulnerable to attacks, partly due to its digital transformation and partly due to its vulnerability to ransomware. Disrupting care could endanger patients’ lives, which can leave health care organizations feeling forced to fork over ransoms. In 2021 alone, hackers accessed records of nearly 50 million people, raising privacy concerns and leaving many vulnerable to fraud.