Cyberattacks pose an escalating threat to the healthcare sector, garnering the attention of healthcare leaders worldwide. Chief Healthcare Executive's revelation that over 88 million individuals were impacted by substantial breaches of personal health information in the U.S. during 2023 is proof of the gravity of this situation. And notably, such breaches trigger mandatory reporting to the U.S. Department of Health and Human Services.

The agency's disclosure of a 239% increase in data breaches over the past four years (coupled with a 60% surge in 2023 alone) rings alarm bells across the industry. What's particularly concerning is that 77% of these breaches originated from cyberattacks, indicating a shift toward more sophisticated and targeted digital threats.

The implications of these statistics extend far beyond mere numbers; they signify a pervasive vulnerability within healthcare systems, potentially compromising patient privacy, safety and trust. Cybersecurity breaches not only jeopardize sensitive personal health information but also disrupt healthcare operations, which leads to potential service interruptions and financial repercussions for healthcare organizations.

This is prompting some state governments across the U.S. to act. For example, New York Gov. Kathy Hochul made the protection of health information a priority and proposed cybersecurity regulations and included $500 million in her 2024 budget for health care facilities to upgrade their technology systems and comply with the new rules.

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Hochul, at the time of the proposal. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

Well, the state has yet to act on this proposal, and a ransomware attack on Change Healthcare, a healthcare data company owned by UnitedHealth, has since disrupted operations at hospitals and pharmacies in New York. The February 21 attack potentially exposed the healthcare data of millions and hindered providers from submitting claims to insurers and caused cash flow problems for providers. BlackCat, the alleged attacker, claims to have stolen 6 terabytes of patient data.

New York hospitals and pharmacies reliant on Change Healthcare for claims submissions face delays in reimbursement due to the ransomware attack. This could cripple small, independent pharmacies in particular. The New York Health Plan Association says insurers are using manual workarounds for prior authorization and utilization review.

The Greater New York Hospital Association has requested the state to waive prior authorization requirements and direct health insurers to issue advance payments to providers. The FBI, CISA, and HHS released a joint advisory warning of BlackCat's targeting of healthcare organizations. 

UnitedHealth owns Change Healthcare and Optum, a healthcare provider. Through Optum, Change Healthcare serves millions of patients and pharmacies. Change Healthcare says the attack appears isolated to its systems and not to have affected Optum, UnitedHealthcare or UnitedHealth Group.

Though, I don’t believe it to be an isolated situation for Change Healthcare (or even in just New York) only. My editorial team recently discussed this attack only because one of us got affected through his coverage with UHC. A fellow TMC editor was unable to have coverage for his medications and had to pay out of pocket. Granted it wasn’t priced astronomically, so he was on the luckier side, if you want to call it that (compared to someone who likely had to fork over hundreds of dollars).

But again, this incident highlights the need for stricter cybersecurity regulations, as recently proposed by the New York governor. The proposed rules, outlined in section 405.46 of Title 10 (Health), mandate written procedures for securing in-house applications and evaluating the security of third-party applications. Additionally, MFA will be required for remote access to internal networks.

The regulations align with HIPAA security best practices but add new requirements. Notably, hospitals must report cyber incidents to the state within two hours, which could strain initial response efforts. This is a decrease from HIPAA's reporting timeframe.

New York hospitals should update their information security and incident response plans to comply with these proposed amendments, if enacted.