Are US Hospitals At Risk of Russian Cyberattacks?

The alarm is sounding for cybersecurity attacks.  In late February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare warning that the Russian government could launch cyberattacks against the US economy – including the health care sector.  One month later, President Joe Biden publicly warned that Russian cyberattacks are “coming.”  Given these warnings, how worried should hospitals be?

The threat explained: Russia is no stranger to deploying cyberattacks.  In the days leading up to  Russia’s invasion of Ukraine on February 24, 2022, a series of Russian cyberattacks temporarily shut down websites for some Ukrainian banks and deleted data at multiple Ukrainian government agencies.  Since then, US government officials have expressed concern that Russia is preparing to launch cyberattacks against the US in retaliation for heavy sanctions levied against the Kremlin in response to the invasion of Ukraine.  However, the federal government has yet to offer any evidence of an anticipated specific cyberattack.   

Cyberattacks aren’t new to the health care industry.  In 2017, Russian-backed hackers launched a destructive malware called “NotPetya” initially targeted at Ukrainian interests that went on to infect several US-based health care stakeholders like Merck Pharmaceuticals and Heritage Valley Health System.  During the COVID-19 pandemic, the number of cyberattacks against US hospitals surged, with an estimated 50 million people in the US having their sensitive health data breached in 2021.  According to a survey of information technology professionals, in 2020 more than a third of health care organizations reported that they were hit by ransomware attacks, which is when hackers use encryption to hold a victim’s information at ransom.

Unfortunately, the health care sector is an attractive target for cyberattackers.  Hospitals dealing with ransomware attacks are often pressured to pay hackers because they otherwise wouldn’t be able to operate.  And while some hospitals have invested in security-monitoring capabilities and new software over the past few years, most health care organizations have meager cybersecurity budgets and remain vulnerable to attacks.  Compounding these vulnerabilities is the COVID-19 pandemic, which has overwhelmed hospitals with patients and strained hospitals’ budgets, leaving fewer resources available for cybersecurity.

Congress and the Biden administration have proposed some steps to shore up the nation’s cybersecurity.  The Build Back Better Act (BBBA) included more than $500 million in cybersecurity funding, and President Biden’s Fiscal Year (FY) 2023 budget request calls for $11 billion in new cybersecurity spending.  Most recently, Sens. Jacky Rosen (D-NV) and Bill Cassidy (R-LA) introduced a bill to improve the health care industry’s cyber-defenses by requiring CISA to partner with the Department of Health and Human Services (HHS).  However, next steps for these proposals aren’t exactly promising – the BBBA is stalled in its current format, the president’s budget request is generally considered a wish list, and the cybersecurity bill has yet to add any cosponsors since its introduction on March 23.

Absent action from the federal government, there are steps hospitals can take to boost their defense against cyberattacks, as outlined in an American Hospital Association (AHA) advisory notice on the CISA warning.

  • Increase network monitoring for unusual activity.
  • Flag all inbound and outbound traffic from Ukraine and the surrounding area.
  • Implement four-to-six-week business continuity plans, with an emphasis on all internal and third-party mission-critical clinical and operational services and technology.
  • Check networks for redundancy, resilience, and security and create multiple data back-ups.

There is a chance that Russian hackers will leave the US health care system alone.  While Russia has certainly become more belligerent in cyberspace over the last decade, cyberattacks against Ukraine have been more limited than intelligence and defense experts have anticipated.  In fact, some experts say Russia’s cyber-forces may actually be overhyped and in a state of disarray – similar to Russia’s armed forces. 

But hospitals can’t rely on hope to stay safe from hackers.  If the experience of the last few years says anything, it’s that the health care system isn’t immune to cyberattacks, and that stakeholders would do best to prepare for the worst.

Has Massachusetts Found a Way to Stop Rising Health Care Costs?

The United States has the most expensive health care system in the world, and it’s only gotten more expensive since the COVID-19 pandemic started.  In response to high health care prices, states are looking for new ways to curb spending growth, including legislative and regulatory approaches.  In Massachusetts, a regulatory body has taken a bold approach to tackling high health care costs that could serve as a model for other states.

What’s going on in the Bay State? The Massachusetts Health Policy Commission is an independent state agency that’s charged with monitoring health care spending growth in the state and providing recommendations to make a more equitable and transparent health care system.  The commission also reviews the cost impact of proposed mergers and acquisitions.  Each year, the commission sets a cost growth benchmark and measures payers’ and providers’ performance against that benchmark rate.

The Commission Takes Action

As a part of its regular analyses, the Health Policy Commission recently found that Mass General Brigham, the state’s largest hospital network, spent over $293 million more than the state’s cost growth benchmark, which is set at 3.1%.  As a result, the commission voted unanimously to take the first-ever step to require the health care system to develop and implement a performance improvement plan that must contain specific cost-containing action steps, process and outcome metrics, savings goals, timetables, and other requirements.

High costs, high consequences.  The vote comes at a time when Mass General Brigham is planning a $2.3 billion expansion that includes the creation of three new ambulatory care sites.  The commission’s analysis found that these expansions would boost health care spending by $46 million to a total of $90 million and lead to higher health insurance premiums.  The Health Policy Commission also found that other providers would lose between $150 million and $260 million in revenue each year by losing patients to Mass General Brigham.

What happened?  According to the Health Policy Commission, the system increased its coding severity to bill more, even though patients weren’t getting sicker. 

Next steps for Mass General Brigham:  Within 45 days, the hospital network must provide a performance plan, submit a waiver, or request an extension.  The system also faces up to a $500,000 fine if it fails to take any action.  In a statement opposing the commission’s decision, Mass General Brigham said the commissioners failed to take into account “patient acuity” and the role of its academic medical centers in treating Massachusetts’ sickest patients. 

Other states are paying attention as the Health Policy Commission’s unprecedented decision could be seen as a model for other states to lower health care costs.  And states are starting to take proactive steps  as health care regulators, which means other hospitals and health care systems could soon feel the heat.   In New England, Rhode Island has established inflation caps and diagnosis-based payments for private plans, which has already resulted in decreased spending growth, while a New Hampshire initiative to make hospitals publicly post their prices has led to a slight decrease in list prices.  Additionally, Pennsylvania is using a global budget system to help reduce cost growth among payers.

One reason why states may be taking charge of addressing high health care costs is a lack of action to curb rising prices on the federal level, where many health care reform proposals have stalled or failed to gain traction.  However, it’s not uncommon for policies that begin successfully on the state level to gain the attention of federal lawmakers. Thus, some of the actions taken by the states could inspire the introduction of similar health care cost containment measures on a national scale.

The “Dark Money” Pushing for Price Transparency

If you were one of the nearly 10 million people who tuned in to watch the 93rd Academy Awards on April 25, one television ad may have jumped out.  An organization called Power for Patients aired a 30-second spot featuring actresses Susan Sarandon and Cynthia Erivo that urged hospitals to follow through on a “law” requiring them to disclose their prices.  The law in question undoubtedly stems from a final rule issued in November 2019 that obligates hospitals, beginning January 1, 2021, to post comprehensive lists of various charges for all items and services.  This raises two questions: who is behind the ad, and why?

Dark Money and Health Care Advocacy

As of this writing, Power for Patients has yet to disclose which organizations covered the cost of its $2 million ad.  This suggests Power for Patients is a “dark money” entity, meaning the group receives funding from undisclosed donors to influence public opinion. 

Dark money isn’t new to health care advocacy.  In 2019, a group known as Doctor Patient Unity spent $28.6 million on ads aimed at thwarting legislation on surprise medical bills.  The ads, which aired during August recess, were targeted at legislation that would resolve out-of-network medical bills through benchmark rates set by the federal government.  Eventually, Doctor Patient Unity confirmed reports from the New York Times that physician staffing firms Envision Healthcare and TeamHealth were among the groups sponsoring the ads. 

Who’s Funding Power for Patients?

No one really knows yet who is funding Power for Patients, but recent activity in DC may provide a clue.  On March 23, Marni Jameson Carey, Executive Director of the Association of Independent Doctors (AID), testified before a House Energy and Commerce Health Subcommittee hearing on legislation to expand health care coverage.  During the hearing, Carey said the price transparency rule has not been enforced as it stands, and that hospitals need to be held accountable.  Carey also spoke out against facility fees, which are often charged at clinics that are owned by hospitals to cover the costs of maintaining the facility.  It is also worth noting that Carey retweeted the Power for Patients ad on April 25.

Based in Florida, AID lists the elimination of facility fees and increased price transparency as its chief policy goals, both of which were discussed in Carey’s appearance before the Health Subcommittee.  Facility fees are required to be disclosed under the price transparency rule, and perhaps AID and independent physicians hope greater enforcement of the rule could shine a light on facility fees, raising questions from patients and potentially drumming up support for the total elimination of the fees.  AID’s website also lists several sponsors whose businesses center on providing services to independent physicians.  These sponsors include AdvancedMD, a billing solutions platform for independent practices, ISMIE Mutual Insurance Company, a medical liability insurer, and SVN Senior Commercial Real Estate, which specializes in medical real estate for independent physicians.  Given Carey’s testimony and AID’s policy goals, it’s certainly plausible independent doctors and organizations with mutual interests could be donors to Power for Patients.

Lax Enforcement?

Beyond ending facility fees, Carey’s testimony on March 23 also included pleas to step up enforcement of the hospital price transparency rule, which carries a $300 a day penalty for noncompliance.  Indeed, multiple reports have found compliance among hospitals to be mixed.  A report conducted by consulting firm ADVI Health in January 2021 found less than half of 20 of the nation’s largest health systems were fully compliant with the price transparency law.  Additionally, a study from Health Affairs published in March 2021 found 65 of the nation’s 100 largest hospitals to be largely noncompliant. 

In cases where hospitals are compliant with the rule, pricing information can be difficult for consumers to find.  An analysis from consulting firm Milliman released in April 2021 found that while 37 of 55 major health systems were in compliance with the law, the pricing data itself were presented in a variety of ways, often without any supplemental documentation or in “very complex hierarchical structures.”  Similarly, the Wall Street Journal reported in March 2021 that some hospitals were using special coding on their websites to keep pricing data hidden from search results.

Lawmakers and regulators are paying attention.  On April 13, bipartisan leaders of the House Energy and Commerce Committee sent a letter to Health and Human Services (HHS) Secretary Xavier Becerra urging HHS to conduct “vigorous oversight” and enforce “full compliance” of the final rule.  Additionally, a Center for Medicare and Medicaid Services spokesperson told Fierce Healthcare in March 2021 that the agency plans to enforce the rule.  However, in the absence of more widespread compliance, Power for Patients and its supporters may be using the ad campaign to generate public awareness that could pressure the federal government to step up enforcement. 

More Dark Money Ahead?

That said, the purpose of the price transparency rule was to make the health care system more consumer-friendly and give patients the option to compare prices.  However, by pushing for greater compliance and enforcement, stakeholders such as independent doctors may be using the rule to push patients toward non-hospital-based physician practices.  Isn’t it a little ironic that a group pushing for transparency is not transparent about its own organizational structure and donor base?

The Most Important Health Care Bill You’ve Probably Forgotten

The Medicare and Medicaid Act.  The Affordable Care Act.  These are the landmark laws that have irrevocably shaped America’s health care system.  However, there’s another law that’s made just as much of an impact on health care but hasn’t garnered attention in the last 20 years.  It’s called the Hill-Burton Act, and it’s poised to be potentially revitalized.

House Dems Revive Hill-Burton in Infrastructure Bill

On March 11, all 32 Democrats on the House Energy and Commerce Committee proposed the Leading Infrastructure for Tomorrow’s America Act, or the LIFT America Act.  The proposal calls for investing $312 billion in clean energy, energy efficiency, drinking water, broadband, and infrastructure.  Nestled within the proposal is a provision to reestablish the Hill-Burton Act by providing $10 billion in funding for the construction and modernization of health care facilities.  According to the LIFT America Act, projects that improve public health preparedness or cybersecurity would be prioritized. 

What Is the Hill-Burton Act?

President Harry Truman signed the Hill-Burton Act into law on August 13, 1946.   Known formally as the Hospital Survey and Construction Act, it provided construction grants and loans to communities to help build health care facilities.  To receive funding, communities had to demonstrate they had enough population and per capita income to sustain a hospital.  All in all, the Hill-Burton Act’s impact on the nation’s health care infrastructure was nothing short of monumental.  In total, the law financed the construction of nearly 6,800 hospitals, nursing homes, and mental health facilities in over 4,000 communities.  The Hill-Burton Act was also responsible for the construction of one-third of all US hospitals in the three decades following the law’s enactment. 

What Happened to the Hill-Burton Act?

Community-based health care construction under the Hill-Burton Act came to a close in 1997, when Congress last included funding for the program in its Fiscal Year 1997 appropriations bills.  Lawmakers’ decision to no longer fund the program is likely related to an overall trend towards cuts in federal spending throughout the 1990s, including passing the landmark Balanced Budget Act of 1997. 

It should be noted that the Hill-Burton Act was long in decline before funding finally dried up in 1997.  The federal government had already been drawing down funds for the Hill-Burton Act in accordance with then-President Richard Nixon’s Economic Stabilization Program (ESP).  Established in 1971, the ESP’s calls to cut health care spending catalyzed a trend among politicians from both parties that saw a shift away from funding inpatient care and toward supporting outpatient care. 

Reasons for the Hill-Burton Act’s Revival

The House bill, H.R. 1848, calls for funding to “increase capacity and update hospitals and other medical facilities in order to better serve communities in need,” with priority given to “projects that will include public health emergency preparedness or cybersecurity.”  Although public health officials have been provided billions of dollars in funding to help fight against COVID-19, there is concern that this money could dry up at the end of the pandemic, leaving the nation unprepared for a future public health emergency.  By prioritizing public health preparedness, the LIFT America Act would help provide the infrastructure necessary to address the next public health crisis.

Additionally, the impact of the COVID-19 pandemic on health equity cannot be overlooked.  Research from the Journal of the American Medical Association and Health Affairs has pointed to the pandemic’s impact on health disparities, particularly among communities of color and low-income Americans, and a plan to reinvest in health care infrastructure could be seen as a way to address these disparities. 

The pandemic has also exacerbated concerns over cybersecurity.  Recently, the FBI reported nearly 4,000 cyberattack complaints in one day, marking a 400% increase from pre-pandemic levels.  This increase can be attributed to a rise in remote workers and an expansion in telehealth.  Improvements in cybersecurity infrastructure can help mitigate the impact of future cyberattacks and protect patient and provider data. 

Is $10 Billion Enough?

The LIFT America Act specifically provides $10 billion for fiscal years 2022-2026 for hospital modernization and improvement.  The nation’s hospitals are certainly in need of modernization – of the 6,210 hospitals in the United States, a 2019 survey by the American Society for Health Care Engineering found 23% of operators are planning to renovate or build acute care hospitals.  With the average cost of a hospital modernization project ranging from $250 to $300 per square foot, the funds provided in the LIFT America Act are likely to come up short.  However, future appropriations bills could provide the opportunity to increase Hill-Burton funding or extend funding beyond 2026, creating the potential for greater funding levels in the future.

Moving Forward

The Congressional debate on infrastructure is just heating up.  Along with the LIFT Act, Senate Republicans proposed $568 billion in infrastructure spending last week, an offer which was roundly criticized by Democrats as being insufficient.  President Biden is set to reveal his second infrastructure plan in recent weeks, dubbed the American Family Plan.  Along with the American Jobs Plan, the Administration and Congress will spend the rest of the spring and summer negotiating a legislative package to address all manner of infrastructure, including perhaps taking old ideas like Hill-Burton, and making them new again.

Hospitals Face Looming Deadline on Advance Medicare Payments

Hospitals face a fast-approaching deadline to pay back loans from the Medicare Accelerated and Advance Payment (AAP) programs towards the end of March. However, lawmakers who provided little assistance for hospitals in the way of additional relief funding in the most recent COVID-19 relief bill seem just as unlikely to adjust the loan repayment date.

The Medicare AAP programs, which predate the COVID-19 public health emergency, were designed to help hospitals and other providers withstand cash flow disruptions during emergencies.  The programs provide loans paid out of the Medicare Hospital Insurance (Part A) and the Supplementary Medical Insurance (Part B) trust funds and include timelines and terms for repayment.  Enacted on March 27, 2020, the CARES Act (P.L. 116-136) greatly expanded the Medicare AAP programs to include a broader swath of health care providers.  Of the $100 billion in Medicare advance payments loaned to providers in 2020, nearly 80% went to hospitals, while the remainder went to skilled nursing facilities, critical access hospitals, home health providers, and other types of providers and suppliers.

While repayment for the AAP loans was originally set to begin in August 2020, Congress delayed the repayment start date to March 27, 2021 under the Continuing Appropriations Act, 2021 (P.L. 116-159).  Signed into law on October 1, 2020, the Continuing Appropriations Act also revised the repayment terms for AAP loans to allow Medicare to begin automatically recouping 25% of Medicare payments to the outstanding loan balance in the first 11 months following the March 27, 2021 repayment deadline and 50% of Medicare payments in the subsequent six-month period.

Hospitals are again requesting a delay in the repayment schedule and other changes to AAP programs due to concerns over continued revenue losses associated with the pandemic.  According to an analysis commissioned by the American Hospital Association (AHA), hospitals could stand to lose between $53 billion and $122 billion in revenue in 2021 due to costs related to COVID-19 vaccine distribution and the potential for future surges in case numbers to cause elective procedures to drop.  As such, America’s Essential Hospitals has urged congressional leadership to delay the AAP loan deadline and lower interest rates in a February 17 letter.  The AHA has gone a step further in asking the federal government to outright forgive the loans per a November 2020 fact sheet.

However, Congress has yet to deliver further.  In the American Rescue Plan Act of 2021, the latest COVID-19 relief bill that could be signed into law within days, lawmakers did not make any changes to the AAP program.  Congress also notably came up short on hospitals’ request to provide $35 billion in additional funding for the Provider Relief Fund.  Instead of more fully replenishing relief funds, the American Rescue Plan Act only provides $8.5 billion in assistance, and specifically designates the monies for rural hospitals.

One reason lawmakers may be hesitant to make significant changes to AAP loans is the implications for the Medicare trust funds.  The Congressional Budget Office projects the Part A trust fund and Part B trust fund will become insolvent by 2026 and 2024 respectively.  Further changes to AAP programs that would protract repayment or forgive the loans outright would ramp up the timeline for the trust funds to run dry.

At the moment, Congress is carefully considering whether to legislate any additional financial help for hospitals, whether it be in the form of a delayed loan repayment date or grants from the Provider Relief Fund, but is taking a pass for now in the American Rescue Plan.