The stark contrast between expectations placed on healthcare providers and the reality of our cybersecurity challenges has come into sharp focus since the attack on Change Healthcare.
Current rhetoric calls for holding healthcare CEOs and organizations directly accountable for breaches, which oversimplifies and misrepresents the issue, while blaming the victims rather than the cybercriminals attacking them. Yes, healthcare providers should be accountable for meeting cybersecurity requirements, but we also need support in defending against sophisticated international cybercriminals.
The federal government has an important role to play in providing specific requirements for healthcare cybersecurity. This includes creating accountability for meeting those requirements and shielding compliant organizations from liability. The requirements outlined in the HIPAA Security Rule could be updated to meet this need.
In political conversation, actual healthcare providers — hospitals and clinics — are treated the same as insurers, device manufacturers and pharmaceutical companies. But they are not the same. The other entities do not provide direct patient care, nor do they face the same operational realities as healthcare providers. Their profit margins often allow for more substantial investments in cybersecurity defenses. Many healthcare providers, particularly not-for-profit, safety net and rural hospitals operating on razor-thin margins, are not afforded that choice.
And the potential consequences of cyberattacks against healthcare providers are much more serious than those against other healthcare organizations. Hospitals and clinics do feel the enormous strain of not getting paid for treating patients, as is the case with the Change breach. But more importantly, when healthcare providers are attacked, patients' lives are literally at risk. Attackers know healthcare providers will do anything to protect patients, making them good targets for these criminal organizations to whom human life is cheap compared to the potential payoff.
At Scripps Health, we were the victim of a 2021 cyberattack that starkly illustrated the relentless and unpredictable nature of these threats. We had prepared and had invested in security measures. Despite that, we were still breached. We suffered significant operational disruptions and were hit with $112.7 million in lost revenue and incremental expense. The hard truth we and others have learned is that while complacency is the enemy in the realm of cybersecurity, even the most diligent cannot always withstand the evolving tactics of cyber adversaries.
A recalibration of responsibilities and expectations is needed going forward. The federal government should partner with healthcare providers and create updated requirements that address the current threat environment. The federal government also must assume its role in investing in the cyber protection for healthcare infrastructure on a national level.
In addition, funding must be allocated to allow healthcare providers to fortify their defenses adequately on the front lines. It's unreasonable and unfair to expect hospitals to shoulder the financial burden of national security threats.
Finally, healthcare organizations that comply with requirements must be shielded from punitive actions and opportunistic litigation. Such protections are crucial to ensuring hospitals' ability to focus on their primary mission—patient care—without the constant threat of financial ruin due to circumstances beyond their control.
It's time for a frank reassessment of our expectations and support structures. Cybersecurity in healthcare is a complex, multifaceted challenge that demands a nuanced, collaborative approach. We must make a concerted effort to ensure the security and resilience of our healthcare infrastructure. Patients' lives are at stake.
Chris Van Gorder is President and CEO at Scripps Health in San Diego, Calif.