Centers for Underserved Patients, Resource-Poor Communities Fight for Cyber Funds
Michigan’s largest federally qualified health center, which treats homeless and underserved patients, is notifying more than 184,000 individuals of a December ransomware attack that compromised their data. The incident reflects the many challenges that under-resourced healthcare groups face.
Grand Rapids, Michigan-based Cherry Street Services, which operates as Cherry Health Services, provides primary and behavioral care to underserved patients at 20 locations in six counties. A network disruption on Dec. 21 affected the center’s ability to access certain systems, and an investigation found that attackers accessed the patient data, according to a breach report filed Tuesday to Maine’s attorney general.
Information at risk includes patient names, addresses, phone numbers, birthdates, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, diagnosis/treatment information, prescription information, financial account information and Social Security numbers.
Cherry Health is providing affected individuals with 12 months of complimentary identity and credit monitoring. In the wake of the incident, it said, it has implemented “additional technical safeguards to further enhance the security of data we maintain and to prevent something similar from happening in the future.”
Cherry Health in a statement to Information Security Media Group said the organization is not aware of any evidence to suggest that any information has been misused as a result of the incident. Cherry Health did not immediately respond to ISMG’s other questions, including whether the organization faces challenges in funding its cybersecurity efforts.
Community Health Funding Challenges
The Cherry Health breach, like many similar incidents, underscores the security challenges that many other healthcare entities – including small clinics, specialty medical practices, rural hospitals and providers that aid underserved communities – often face, some experts say.
“Community health centers receive the majority of their funding through federal support. These front-line health clinics typically serve medically underserved communities including proportionately low-income populations,” said attorney David Holtzman of consulting firm HITprivacy. “Community health centers often cannot afford significant investment in technology or services to protect and defend against sophisticated cyberthreats,” he said.
“Their budgets are stretched thin to provide direct treatment services and preventive healthcare.”
Leaders of security and technology programs at other types of healthcare organizations that don’t have enough resources agree.
“It takes money for security technology like endpoint detection, monitoring, backups and security personnel. The threats keep coming, but the payment process and reimbursements for healthcare services do not account for that,” said Mike Ward, senior vice president, CIO and chief health information officer at Covenant Health, which operates several hospitals, clinics and doctor practices serving rural communities in Tennessee.
Also, many healthcare entities in rural communities are not eligible for government grants to assist with technology and related efforts due to the way “rural” is defined by federal agencies, Ward said. For instance, no entities in Knoxville County, Tennessee – which Covenant services – are eligible for rural health grants, according to the Department of Health and Human Services’ Health Resources and Services Administration.
And Knoxville is “at the bottom 2%” of the national reimbursement index for healthcare services, Ward said.
“All healthcare entities should implement standard, best practices for cybersecurity, but even that’s not simple for some organizations, due to the cost,” he said.
Vulnerable Targets for Hackers
Cherry Health is not the only federally qualified health center providing care in underserved communities that has faced ransomware or other hacking incidents leading to major breaches. Last spring, Petaluma Health Center, an FQHC in Petaluma, California, reported to state and federal regulators a data exfiltration hack that compromised the personal and health information of nearly 125,000 individuals.
Last year, an FQHC in Spring Valley, New York – Refuah Health Center – was fined a minimum penalty of $350,000 by state regulators in the wake of a 2021 ransomware attack. The health center also agreed to spend $1.2 million between fiscal 2024 and 2028 to develop and maintain an improved information security program. In the 2021 attack, cybercriminal group Lorenz stole files pertaining to between approximately 195,000 and 234,000 Refuah patients (see: NYS Clinic Must Pay $450K Fine, Spend $1.2M on Security).
Regulators’ investigation into the Refuah incident found multiple violations of the HIPAA privacy, security and breach notification rules. The lapses included a failure to decommission inactive user accounts, a lack of multifactor authentication and a lack of logging for reviewing user activity. The last time the center had conducted a risk assessment was in March 2017, and several of the issues identified at that time were still unresolved on the day of the ransomware attack.
Limited Federal Cyber Aid Proposed
The plight of under-resourced healthcare entities trying to invest in and maintain even the most basic cybersecurity programs came into focus on Tuesday during a congressional hearing into the Change Healthcare attack, which affected legions of healthcare providers across the country.
Many healthcare entities simply don’t have the resources to fund cybersecurity programs – or the staff to implement them, testified Scott MacLean, CIO of MedStar Health and chair of the College of Healthcare Information Management Executives (see: Congress Asks What Went Wrong in Change Healthcare Attack).
MacLean said industry groups such as CHIME and others are advocating for federal funding and assistance programs to help eligible healthcare delivery organizations adopt recognized cybersecurity practices.
“With the healthcare sector only as strong as its weakest link, it is imperative that the federal government prioritize programs designated to aid small and under-resourced healthcare delivery organizations to protect themselves against, detect, respond to or recover from cybersecurity threats,” he said.
The Biden administration’s proposed budget for 2025 establishes a $1.3 billion Medicare incentive program to encourage hospitals to adopt essential and enhanced cybersecurity practices. But that funding likely won’t help many of the healthcare organizations most in need, Holtzman said.
“Community health centers would not be eligible to receive incentives for investment in basic cybersecurity practices proposed in the administration’s FY 2025 federal budget,” he said.
“The incentives would be doled out by the Centers for Medicare and Medicaid Services to hospitals. There are no specific proposals for funding community health centers’ investment in enhancing their cybersecurity defenses or readiness.”