Ex-Cabinet Urge National Action to Protect Health Care Data

The country must act now to shore up health care cybersecurity.

American health care is under constant attack online. Cyberattacks against health systems have almost doubled in the past year. More than 134 million individuals had their legally protected health information exposed or stolen in 2023 alone, up from 55 million the previous year, according to data from the U.S. Department of Health and Human Services, which several of us led. The average cost of these breaches exceeds $10 million per incident, according to IBM’s most recent Cost of a Data Breach Report.

The severity and scope of these alarming attacks cause serious concerns for patients, providers, and payers alike. The cyberattacks on Change Healthcare and Ascension Health earlier this year show that even the largest companies and health systems are not immune on this battlefront and can face billions of dollars in losses.

Bad actors perpetrating these attacks may be motivated by financial rewards from ransom payments or the sale of personal data on the dark web – or, worse yet, by the aim of stealing intellectual property, using personal data for blackmail, or simply creating chaos and harming Americans.

Regardless of intent, patient care and health systems across the country are increasingly at risk of being brought to a standstill, threatening the viability of critical medical services. In the past four years alone, ransomware incidents affecting health care organizations have increased 278%, leaving the U.S. health care industry as the largest single sector facing these attacks.

Despite significant efforts made and expenses incurred to prevent these attacks, cybercriminals – many of whom are nefarious foreign state actors – currently appear to be winning. Basic workarounds are hugely time-consuming and often ineffective. We need a new defense system now – something like a cyber dome to protect our health care against internet attackers. Such a dome would provide an invisible layer of advanced protection technology to prevent cyberattacks rather than physical assaults. It could be implemented by all entities that collect, store, and use patient care data.

As nine former secretaries of the U.S. Departments of Health and Human Services and Veterans Affairs, we understand how critical it is to ensure the safety and security of healthcare data. When care operations like ambulance dispatches to loved ones or clinicians accessing medical records to treat injured veterans are disrupted, delays in care put patients in harm’s way.

Fortunately, there are models and case studies to consult for guidance in building such a protective system for health care.

 
We have witnessed and successfully responded to serious public health threats before. Most recently, the federal government’s Operation Warp Speed effort led to the rapid development and commercial introduction of a COVID-19 vaccine in less than a year. Using that program as a model, we call for the formation of a new public-private partnership to construct a protective system of information technology to safeguard healthcare data – one that will lead to the rapid deployment of digital infrastructure to track threats online, anticipate cyberassaults and prevent as many of them as possible.

By leveraging the lessons and accomplishments of Operation Warp Speed, along with the principles outlined in President Joe Biden’s National Cybersecurity Strategy, the HHS Healthcare Sector Cybersecurity Report and the National Institute of Standards and Technology 2.0 Cybersecurity Framework, a forward-looking cyber dome project can provide a meaningful path toward enhanced protections before new and worse damage is done. While these documents provide commendable frameworks for governmental approaches to cyber protection, they lack clarity and specificity on the private sector’s critical role in driving the technological innovation required for such an effort’s ultimate success.

First, we should consider many diverse approaches to exploring concepts and methods for healthcare cyber defense solutions. For example, artificial intelligence can help detect anomalous and malicious activity, while sophisticated data encryption methods can protect sensitive patient data and/or render it useless if stolen by attackers. We should develop autonomous cybersecurity systems that automatically and constantly configure themselves in response to the evolving threat landscape, along with continuous verification systems to prevent unauthorized access to health data.

Automated threat detection and response systems can identify and mitigate threats in real time and minimize damage from attackers by actively blocking malware before breaches occur. Cloud encryption technologies can help identify and prevent unauthorized attempts to exfiltrate data, and secure access service edge protocols can let providers and patients access data securely.

Operation Warp Speed also pre-funded competing ideas for vaccines, rather than requiring step-by-step funding authorization from idea to commercialization. This allowed pharmaceutical companies, various government agencies, and researchers the opportunity to begin work immediately, invest in efforts with a set timeline, and continually test ideas for efficacy and impact.

For cybersecurity, we recommend that at least eight advanced technology approaches to healthcare cyberdefense be pre-funded for one year. While we recognize that not all investments in “high-stakes, high-reward” scenarios will succeed, this kind of funding mechanism will help provide agility and speed for turning advanced concepts and innovation into action.

The Advanced Research Projects Agency for Health recently took an important step in this direction with a $50 million technology initiative to address cybersecurity. Along with the Cybersecurity and Infrastructure Security Agency and the Defense Advanced Research Projects Agency, it is structured well to coordinate government efforts and partner with private companies. The right time is now.

Creating the infrastructure to protect American health care on the cybersecurity front is an ambitious project, and it will require the participation of diverse stakeholders across the public and private sectors to ultimately succeed. But when Americans focus on a big challenge and put our best and brightest to work, there are no limits to what we can achieve together.

As we write, the American healthcare system continues to battle ongoing organized efforts to penetrate our databases and access sensitive personal and medical data. Applying advanced technologies already in use by other industries, such as the financial sector, along with proactively implementing defensive measures for health and medical data must become a national priority.

We believe in the vital necessity of creating a cyber dome to stop healthcare system hackers before any further damage is done. Collectively, we can build the solutions and deploy them at a nationwide scale. No less than our health, safety, and prosperity depend on it.

This letter was co-authored by David Shulkin, M.D., Secretary of the U.S. Department of Veterans Affairs from 2017 to 2018; Anthony Principi, Secretary of the U.S. Department of Veterans Affairs from 2001 to 2005; Jim Nicholson, Secretary of the U.S. Department of Veterans Affairs from 2005 to 2007; Louis Sullivan, M.D., Secretary of the U.S. Department of Health and Human Services from 1989 to 1993; Donna Shalala, Secretary of the U.S. Department of Health and Human Services from 1993 to 2001; Michael O. Leavitt, Secretary of the U.S. Department of Health and Human Services from 2005 to 2009; Kathleen Sebelius, Secretary of the U.S. Department of Health and Human Services from 2009 until 2014; Tom Price, M.D., Secretary of the U.S. Department of Health and Human Services in 2017; and Alex Azar, Secretary of the U.S. Department of Health and Human Services from 2018 to 2021.
