In early May 2024, the nonprofit health care operator Ascension announced that it was the victim of a cybersecurity incident. Later revealed to be a ransomware attack, the incident disrupted clinical operations across Ascension's network, which includes 140 hospitals and 40 senior living providers. Facilities lost access to patient records, diverted ambulances, and delayed tests. While hospitals thankfully were able to continue providing care, the impact was significant: on June 4, 2024, Ascension predicted that its systems would not be fully restored for another 10 days.
Following closely on the heels of the Change Healthcare ransomware incident in February 2024, the Ascension outage underscores the health care system's increasing vulnerability to cybersecurity attacks—a vulnerability that risks the data privacy of hundreds of millions of patients and their very ability to obtain care. As policymakers and advocacy organizations discuss what the industry should learn from these incidents, and how providers can stay resilient in the face of rising threats, a few key themes have emerged.
When Health Care Systems Become Too Big To Fail
In the wake of the Change Healthcare attack, numerous commentators pointed to it as an example of the risks of consolidation in health care. They echoed concerns raised during UnitedHealth Group's acquisition of Change in 2022, when the Department of Justice tried and failed to block the deal on antitrust grounds. Now, lawmakers argued that UnitedHealth's sheer size—it reportedly employs or is affiliated with 10 percent of U.S. physicians, with Change processing 15 billion claims annually—effectively creates a single point of failure in the health care system.
“The attack shows how UnitedHealth's anticompetitive practices present a national security risk because its operations now extend through every point of our health care system,” said Representative Anna Eshoo (D-CA) during an April hearing held by the House Committee on Energy and Commerce Health Subcommittee. “The cyberattack laid bare the vulnerability of our nation's health care infrastructure.”
In testimony before the Committee, physician Adam Bruggeman argued that consolidation and vertical integration don't just pose cybersecurity risks; they can also drive up the costs of care for patients while reducing their options in the market.
“The consolidation of practices and their integration with hospital systems has the potential to drive up prices for common orthopedic procedures, while simultaneously stifling competition and limiting opportunities for independent practices within the same market,” Bruggeman pointed out. “The costs for knee replacement and lumbar spine fusion procedures were found to be approximately 30 percent higher in concentrated markets compared to those in competitive markets. Expanding the scope further, a comprehensive analysis conducted by the New York Times in 2018 revealed that average hospital prices soar dramatically in the aftermath of mergers.”
In late February 2024, the Department of Justice initiated an antitrust investigation into UnitedHealth Group, reportedly focusing on how its acquisitions affect both competitors and consumers.
An Underinvestment in Small Providers
Concerns about consolidation extend beyond providers and insurers. As Representative Frank Pallone (D-NJ) suggested in the April 2024 hearing, consolidation in health care technology may also pose “unreasonable risk" to broader health care systems. The question is especially pertinent for long-term care (LTC) and post-acute care (PAC) providers, who may lack the investment necessary to use the sophisticated EHR platforms employed by hospitals and other larger institutions. As a result, they have to operate independently from integrated health systems, even when they share patients.
Sadly, it's far from a new problem. The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, invested billions in the adoption of robust, interoperable EHR systems across the health care sector—with the exception of LTC and PAC providers. The result is an immense hole in the national health care IT strategy, leaving skilled nursing facilities (SNFs) on a completely different footing when it comes to cybersecurity threats. This means that even if massive companies like UnitedHealth Group perfectly shore up their defenses, potentially devastating vulnerabilities will remain; after all, a system is only as strong as its weakest link.
In the case of the Change attack, of course, that weak link wasn't a small provider but one of the world's largest payment processing companies. Even without multimillion-dollar reserves to lean on, SNFs worked quickly to restore their systems and avoid impacts to the delivery of care, regardless of reimbursement. The inequity this incident revealed is simple but severe: under current investment and reimbursement paradigms, SNFs are left wanting for revenue to invest in the technological innovations that would strengthen their ability to prepare for cybersecurity incidents rather than simply to respond to them.
“It would be really nice to get some investment on par with the level of regulation,” said Grant Beebe, AHCA's Director of Medicaid Policy. “So many of our providers want to be able to do the right thing. They want to be able to be forward-thinking, they want to be proactive. But it's hard when you're running on a shoestring budget and may not have a chief information officer.”
As Bruggeman argued before Congress, underinvestment in cybersecurity may also hobble the broader shift to value-based care, potentially leading to even more consolidation. “I am concerned the cost of cybersecurity protection required to accommodate this growth in patient data sharing may serve as yet another barrier for smaller and rural physician groups looking to participate in the movement towards alternative payment models,” he said. “If these practices are left behind as the rest of medicine moves towards value-based care, they will face even greater pressure to consolidate with larger health systems.”
For providers with limited resources to devote to burgeoning IT risks, one line of defense may lie in the use of a Managed Security Service Provider (MSSP): essentially, a third-party cybersecurity manager. “The focus should be increasing speed and efficiency in dealing with threats,” argued Robert Sheldon, Senior Director for Public Policy & Strategy at CrowdStrike, during the House subcommittee hearing in April 2024. “At best, this type of partnership enables MSSPs to focus on security and health care providers to focus on health care.”
The Need for Comprehensive National Cybersecurity Strategy
Still, the difficult truth is that no single organization can fully protect itself against systemic vulnerabilities. That's why many advocates are pushing for a national cybersecurity strategy that encompasses the entire sector, including LTC and PAC, rather than focusing on hospitals.
Daniel Ciolek, AHCA/NCAL's Associate Vice President for Therapy Advocacy, argued that the problem is not suited to a one-size-fits-all solution. Rather, what's needed is a federal strategy with local interventions—perhaps through the CMS's Quality Improvement Organization (QIO) program, which recently removed funding for IT support. A hybrid approach, he suggested, might regulate data exchange companies at the national level while using QIOs to provide IT support to smaller providers and ensure systemwide interoperability at the regional level.
“You can start capturing a lot of the other local types of providers that have been ignored under HITECH and do not have the capacity or expertise,” Ciolek said.
To be sure, regulators are already crafting a national strategy. Earlier this year, HHS issued a set of voluntary cybersecurity performance goals for health care organizations. In April 2024, the Department of Homeland Security released its own proposed cybersecurity rule for industry feedback. As these policies take shape, LTC advocates hope that their authors bear in mind the importance—and unique needs—of nursing homes and other SNFs, which may not be hospitals but are no less a vital part of the health care ecosystem.
“The majority of hospital patients are not our population,” Ciolek concluded. “The priorities of the national health care system are still leaning towards the younger, healthier population, the one that has short-term acute medical needs. They don't want to think about people that are old, poor, or disabled.”
For organizations still dealing with the impacts of the Change Healthcare attack, HHS maintains a webpage with an FAQ and other resources, as well as a helpdesk for providers.
Steve Manning is a journalist based in New York City.