YOUR BUSINESS AUTHORITY

Springfield, MO


Health systems stress vigilance over cyberattacks

Local officials see no slowdown for investments in cybersecurity


Amid a national rise in medical records impacted by data breaches at health care facilities, local officials say they continue to invest resources – both in manpower and technology – to combat cyberattacks.

While large data breaches, consisting of 500 or more records, dipped slightly year-over-year to 725, according to reports made to the U.S. Department of Health and Human Services Office for Civil Rights, the number of individuals impacted by the breaches rose nearly 10%. The total exceeded 275 million breached records, according to the HIPAA Journal. HIPAA is an acronym for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that protects patients’ health information.

The total was significantly impacted by the Change Healthcare data breach, which occurred in February 2024. Change Healthcare, a subsidiary and all-in-one health insurance technology provider of UnitedHealth Group Inc. (NYSE: UNH) that manages payments and claims processing among other services, experienced a cyberattack that was the largest data breach ever reported. UnitedHealth Group reported the number of victims impacted was roughly 190 million. The attack disrupted medical services nationwide, such as medical claims processing and pharmacy network services. UnitedHealth Group began notifying impacted individuals in July 2024 and is offering two years of free credit monitoring and identity protection services, according to the company website.

Locally, the impact was minimal, said Stuart Mitchell, director of information security with CoxHealth.

“We adapted pretty quickly, leadership team moved quickly to address any concerns, any operational impacts that we might need to work on,” Mitchell said. “Then of course, from a security standpoint, we began working with peers, Change [Healthcare] directly, and began taking any preemptive action possible to ensure our security.”

Jon Moores, director of information services at Citizens Memorial Hospital, said the biggest impact for the Bolivar-based health care system was a delay in claims processing.

“It did further cement the potential for vendors and supply chain threats,” Mitchell said of the attack by a Russian ransomware group. “That’s been a top-of-mind concern for some time for cybersecurity as a whole, especially in health care. I think that shined a light on how important that really is.”

The health care industry is a large target for cyberattacks because organizations possess so much information of high monetary and intelligence value to criminals, such as credit card and bank account numbers and personally identifying information, including Social Security numbers, according to the American Hospital Association.

At a cost
The high cost of data breaches in health care has been consistent for over a decade. In 2023, the health care industry reported for the 13th year in a row having the most expensive data breaches, at an average cost of $10.93 million, according to the World Economic Forum. That’s almost double the average cost for the financial industry, which was second at $5.9 million.

“Our leadership has made significant investment in our people, our technology,” Mitchell said, declining to disclose specifics. “They support our activities, and I believe they understand the importance of cybersecurity and delivering on CoxHealth’s mission. That’s translated to the general cover to push initiatives, the technology support to get the tools we need, and then the talent we need to operate those tools. So, we’ve had significant evolution in that space over the past few years.”

Michael Calhoun, CEO at CMH, said the Bolivar-based health care system also was investing in cybersecurity well before the Change Healthcare attack.

“We already had quite a focus on just the security of our system, and we have been increasingly over the last several years improving our security around our information,” Calhoun said, declining to estimate the investment cost. “But it did make us really aware of how vulnerable we all are and how we’ve got to step up our game related to cybersecurity.”

Calhoun was among local health system leaders who spoke about cybersecurity during a January CEO Roundtable discussion with Springfield Business Journal.

“People may be surprised the amount of time we spent worrying about this and creating plans to help protect ourselves from attacks, knowing that best we can do, we’re still vulnerable,” he said.

Max Buetow, CoxHealth president and CEO, said during the roundtable that a cyberattack on one local system would impact all of them.

“We need to have collaborative conversations about what happens if one of our health care partners in this community falls victim to a cyberattack,” he said.

Mercy Springfield Communities President John Myers said there are technologies that years ago may have been standalone but are now integrated into health care systems, adding they first need to be vetted.

Mercy officials declined an interview request for this story, citing security concerns.

Increasing challenge
The challenge to keep up with the daily attacks made on health care systems is increasing, Moores said, noting it’s a global problem.

“More and more, it has gotten to the point where you are required honestly to put a plan together on the protection side of things, the mitigation side of things,” he said. “But also, you’ve got to be prudent on the efforts of if something does happen, how do you proceed? How do you continue to operate? Does your organization have a contingency plan in place? That is where we put a lot of our efforts into.”

Calhoun said he has confidence CMH is doing the right things but acknowledges there is concern about the skills of attackers.

“There’s just no end to the vulnerability points that exist in a health care organization, especially as things become more technologically advanced,” Calhoun said. “There’s just more opportunities for bad actors.”

Moores said emailed attempts to trick people into clicking links or taking other actions that might reveal data such as personal information or system login credentials, dubbed phishing, are a constant threat.

“On the phishing side of things, 75% of our email that comes inbound to us is marked as spam,” he said. “Some does eventually make it through, unfortunately. That all falls back to staff education and ensuring you got those practices in place.”

Aside from in-person training, information technology staff sends out training emails to employees, Moores said.

“That testing has been really a key component and that is us sending out phishing emails pretending to be these threats,” he said. “If employees click on those emails, we’re able to then do some more one-on-one training with them to just let them know key things to look out for and quite honestly, what it could do to our organization if they continue this.”

Mitchell said CoxHealth conducts monthly simulated threat exercises and regularly distributes security bulletins to staff. He added that as health care has gained more and better tools to combat cybercrime, so too have the attackers.

“The scariest in health care is still ransomware just because it is one of the major attacks that stops operations and in health care providing that critical service,” he said. “The idea of your health care operations being severely hampered or stopped is kind of scary.”

Stay secure
Wayne Dipper, owner and chief operating officer at KPM Technology LLC, said his IT firm has several health care clients but declined to disclose them for security reasons.

“The way I kind of look at it is that it’s not an if, it’s a when you get ransomed or you get compromised. It will happen,” he said.

He said a company can think of the computers that make up its network as dominos.

“Our job as your security company is to put our hand in between the domino that gets hit and the rest of them, so they don’t all fall down. That’s our philosophy. It’s to put the right security stack in place,” he said. “So, we’re protecting the entire infrastructure versus you having to pay an incident response company a $40,000 retainer just to walk in the door.”

Dipper tells clients they need a good email protection solution and a privileged access management tool that ensures that even if users click a link they shouldn’t, it doesn’t allow local administrative access on the computer.

“That’s 99% of the solution,” he said. “In the past, clients thought if they’ve got a good firewall, good antivirus and a good backup solution, that’s enough. But not anymore. The security stack that you need to have in place is pretty profound.”
