Healthcare cyber hacking $22 million ‘transaction’ Personal medical information becomes expensive
Hospitals, health insurers, physician clinics and other industries are increasingly becoming prime targets for hacking as cyberattacks in the U.S. increasingly result in medical records being stolen for large sums of money.
Cyberattacks on the U.S. healthcare system culminated in an attack on Change Healthcare, a subsidiary of UnitedHealth Group, the largest information center in the U.S. that handles one-third of all patient records. The New York Times reported on the 30th of last month that it revealed how serious the vulnerabilities were overall.
The FBI and the Department of Health and Human Services are investigating the Change hack, including whether patient records and personal information were compromised.
Change's network acts as a digital exchange that links information to health insurers for benefits and payments, from a patient's first doctor's visit to a diagnosis like cancer or depression, and subsequent treatment, so people's medical records are exposed for years. The danger grew.
As for why the healthcare industry is being targeted, the NYT said, “Medical records can demand several times more money than a stolen credit card, and unlike credit cards, which can be canceled quickly, personal medical information cannot be changed.” “Personal health “If information is stolen, patients have little relief,” he said.
The NYT described this cyberattack as “just the most widespread example of what has become almost universal in the healthcare industry,” and according to data security company Emsisoft, criminals are forced to shut down computer systems unless owners pay the hackers. Ransomware attacks affected 46 hospital systems last year, up from 25 in 2022, and hackers have taken down companies that provide services such as medical transcription and billing in recent years, it said.
“We can’t cancel your diagnosis and send you a new diagnosis,” said John Riggi, national counsel for cybersecurity risk at the American Hospital Association. “Those records are valuable because they make it easy to commit health care fraud.” “There is,” he told the NYT.
Unlike banks, health insurers often don't use sophisticated methods to detect fraud, making it easy for them to submit false claims, and people worried about their Social Security numbers and other financial information being stolen can seek relief by registering with a credit monitoring agency. However, there is little relief for patients whose personal health information has been stolen.
In response to medical hacking incidents, hospital networks and other medical groups quickly transacted and paid demands to limit patient exposure, and in this Change Healthcare incident, a ransom of $22 million was reportedly paid.
The NYT said, “Although the FBI advises against being the target of ransomware attacks, most hospitals pay up because the risks are too high.”
“There are no federally mandated technical cybersecurity standards for the healthcare industry today,” Sen. Ron Wyden of Oregon, the Democratic chairman of the Senate Finance Committee, said during a recent budget hearing. “People have been talking about this for decades.” “Despite this, there are no federally mandated technical cybersecurity standards for the healthcare industry. It’s time for that to change.”
The Biden administration has asked Congress for an initial $800 million to help improve hospital systems as part of its latest budget proposal, but it is not clear whether Congress is currently able or willing to provide funding for modernization, the NYT said.
Most hospitals are investing in the latest MRI technology or diagnostic equipment and continuing to spend money on more nurses, without spending money on strict digital protection.
As hospitals and doctors neglect to pay for increased security measures, the hodgepodge of healthcare-connected products and suppliers is leaving the digital door open for hackers.
Change Incidents: Previous hacks have mainly targeted individual hospital systems, causing several health care organizations to underestimate their risks.
The 2017 incident in which medical records from the UK's National Health Service were locked due to a ransomware attack, causing enormous confusion for patients, exposed loopholes in the single healthcare system ahead of the US.
Cybersecurity consultants and government officials have identified health care as the most vulnerable sector of the U.S. economy to attack, and it is as much a part of America's critical infrastructure as energy and water, according to the New York Times.
D.J., chief technology officer at insurance company Devoted Health and former chief data scientist at the federal Office of Science and Technology Policy. “We should all be terrified,” Patil told the New York Times. “The entire sector is severely under-resourced when it comes to cybersecurity and information security.”
“People have to decide what to invest in, and cybersecurity is usually not at the top of the list,” said Jackie Monson, senior vice president at Sutter Health and chair of the National Committee on Vital and Health Statistics. “No,” he told the NYT.
In the Change Healthcare incident, on February 21, the ‘Assurance’ app and the ‘Relay Exchange’ app were paralyzed by a cyber attack by a hacking group known as Black Cat (ALPV).
‘Assurance’ is a medical billing and remittance management system, and ‘Relay Exchange’ is a system for checking and resolving errors in claimed insurance.
Change Healthcare is a customer medical technology company with 900,000 doctors, 33,000 pharmacies, 5,500 hospitals, and about 600 laboratories. It handles about 50% of medical claims in the U.S. and will be acquired by UNH, a large U.S. insurance company, in 2021. ·Merged.
UNH said it plans to restore its medical billing system on March 18 and has so far paid more than $2 billion in advance payments to medical institutions that suffered financial damage from the hack.
In response, UNH explained, “We have taken all preventive and safety measures to restore complete trust in the platform and have established multiple security protocols (intercomputer communication protocols) internally and with third-party partners.”