CSC 2.0 Reports

June 4, 2024

By Mike Sugden, Annie Fixler

The safe and efficient provision of health services is a matter of both personal safety and national security.

Executive Summary

In May 2021, San Diego-based hospital system Scripps Health suffered a massive ransomware attack lasting almost four weeks. The attack compromised the personal data of roughly 150,000 patients, and all five hospitals operated by Scripps Health faced significant limitations on their ability to provide care. With their data-sharing systems offline, hospital staff had to use paper records. Patients requiring emergency care had to be diverted to other hospitals. Not only did the attack cost Scripps Health a record $112 million in remediation costs and lost revenue, but the diversion of patients to other facilities resulted in overcrowding and degraded care. A case study of the incident found that nearby emergency departments saw patient volumes spike along with “significant increases in … waiting room times, patients left without being seen, [and] total patient length of stay.” In short, the attack caused a “regional disaster.”

Local healthcare providers are not the only ones threatened by cyberattacks. In February 2024, a ransomware attack on healthcare payment processor Change Healthcare disrupted payments to providers across the country for weeks. The disruption affected patient care at almost three-quarters of all hospitals, and more than half reported a significant or serious financial impact. An impact of this magnitude can threaten national security.

The frequency of cyberattacks against the healthcare and public health sector has increased rapidly since the onset of the COVID-19 pandemic. Ransomware in particular has become the biggest threat. Ransomware attacks can block access to electronic patient records, databases, and equipment, creating a higher incidence of patient mortality and morbidity in otherwise treatable circumstances. Rural hospitals face a particularly high risk. Such facilities face more financial constraints, leaving them with insufficient funding to invest in cybersecurity. Patients relying on these hospitals are at greater risk of complication if a cyberattack occurs, as alternative hospitals tend to be farther away than their urban or suburban counterparts.

The safe and efficient provision of health services is a matter of both personal safety and national security. This is why the federal government designated the healthcare and public health sector as a critical infrastructure sector. The U.S. government must collaborate with stakeholders in this sector to increase providers’ resiliency against cyberattacks.

This report provides 13 recommendations directed at the executive branch, Congress, and the healthcare sector to guide the sector into a safer, more resilient future. Industry must invest more in cybersecurity, including by properly resourcing security teams, implementing organization-wide cyber hygiene training, and developing contingency response plans for destructive cyberattacks. The executive branch must update its strategy for the sector, provide roadmaps to secure key lifesaving services, incorporate stakeholder feedback on cybersecurity goals, and address the rural cybersecurity workforce gap. Finally, Congress should fund relevant executive agencies and programs so they can better support the sector. These recommendations are not exhaustive but serve as a starting point to address the pervasive cybersecurity issues facing the sector. The health and welfare of the American people depend on it.

Recommendations

For the Executive Branch

1. Develop New, Long-Term Sector-Specific Cybersecurity Objectives

2. Work With Industry to Identify, Prioritize, and Secure Life-Saving Services

3. Iteratively Update HHS’s CPGs

4. Accelerate the CPG Compliance Incentivization Program’s Timeline

5. Create a Rural Hospital Cybersecurity Workforce Development Strategy

Executive Summary

Recommendations

For the Executive Branch

For Congress

For Industry