Are US Hospitals At Risk of Russian Cyberattacks?

The alarm is sounding for cybersecurity attacks.  In late February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare warning that the Russian government could launch cyberattacks against the US economy – including the health care sector.  One month later, President Joe Biden publicly warned that Russian cyberattacks are “coming.”  Given these warnings, how worried should hospitals be?

The threat explained: Russia is no stranger to deploying cyberattacks.  In the days leading up to Russia’s invasion of Ukraine on February 24, 2022, a series of Russian cyberattacks temporarily shut down websites for some Ukrainian banks and deleted data at multiple Ukrainian government agencies.  Since then, US government officials have expressed concern that Russia is preparing to launch cyberattacks against the US in retaliation for heavy sanctions levied against the Kremlin in response to the invasion of Ukraine.  However, the federal government has yet to offer any evidence of a specific anticipated cyberattack.

Cyberattacks aren’t new to the health care industry.  In 2017, Russian-backed hackers launched destructive malware called “NotPetya” that was initially targeted at Ukrainian interests but went on to infect several US-based health care stakeholders like Merck Pharmaceuticals and Heritage Valley Health System.  During the COVID-19 pandemic, the number of cyberattacks against US hospitals surged, and an estimated 50 million people in the US had their sensitive health data breached in 2021.  According to a survey of information technology professionals, in 2020 more than a third of health care organizations reported that they were hit by ransomware attacks, in which hackers use encryption to hold a victim’s information for ransom.

Unfortunately, the health care sector is an attractive target for cyberattackers.  Hospitals dealing with ransomware attacks are often pressured to pay hackers because they otherwise wouldn’t be able to operate.  And while some hospitals have invested in security-monitoring capabilities and new software over the past few years, most health care organizations have meager cybersecurity budgets and remain vulnerable to attacks.  Compounding these vulnerabilities is the COVID-19 pandemic, which has overwhelmed hospitals with patients and strained hospitals’ budgets, leaving fewer resources available for cybersecurity.

Congress and the Biden administration have proposed some steps to shore up the nation’s cybersecurity.  The Build Back Better Act (BBBA) included more than $500 million in cybersecurity funding, and President Biden’s Fiscal Year (FY) 2023 budget request calls for $11 billion in new cybersecurity spending.  Most recently, Sens. Jacky Rosen (D-NV) and Bill Cassidy (R-LA) introduced a bill to improve the health care industry’s cyber-defenses by requiring CISA to partner with the Department of Health and Human Services (HHS).  However, next steps for these proposals aren’t exactly promising – the BBBA is stalled in its current format, the president’s budget request is generally considered a wish list, and the cybersecurity bill has yet to add any cosponsors since its introduction on March 23.

Absent action from the federal government, there are steps hospitals can take to boost their defense against cyberattacks, as outlined in an American Hospital Association (AHA) advisory notice on the CISA warning.

  • Increase network monitoring for unusual activity.
  • Flag all inbound and outbound traffic from Ukraine and the surrounding area.
  • Implement four-to-six-week business continuity plans, with an emphasis on all internal and third-party mission-critical clinical and operational services and technology.
  • Check networks for redundancy, resilience, and security and create multiple data back-ups.

There is a chance that Russian hackers will leave the US health care system alone.  While Russia has certainly become more belligerent in cyberspace over the last decade, cyberattacks against Ukraine have been more limited than intelligence and defense experts had anticipated.  In fact, some experts say Russia’s cyber-forces may actually be overhyped and in a state of disarray – similar to Russia’s armed forces.

But hospitals can’t rely on hope to stay safe from hackers.  If the experience of the last few years says anything, it’s that the health care system isn’t immune to cyberattacks, and that stakeholders would do best to prepare for the worst.

Hospitals Face Looming Deadline on Advance Medicare Payments

Hospitals face a fast-approaching deadline to pay back loans from the Medicare Accelerated and Advance Payment (AAP) programs towards the end of March. However, lawmakers who provided little assistance for hospitals in the way of additional relief funding in the most recent COVID-19 relief bill seem just as unlikely to adjust the loan repayment date.

The Medicare AAP programs, which predate the COVID-19 public health emergency, were designed to help hospitals and other providers withstand cash flow disruptions during emergencies.  The programs provide loans paid out of the Medicare Hospital Insurance (Part A) and the Supplementary Medical Insurance (Part B) trust funds and include timelines and terms for repayment.  Enacted on March 27, 2020, the CARES Act (P.L. 116-136) greatly expanded the Medicare AAP programs to include a broader swath of health care providers.  Of the $100 billion in Medicare advance payments loaned to providers in 2020, nearly 80% went to hospitals, while the remainder went to skilled nursing facilities, critical access hospitals, home health providers, and other types of providers and suppliers.

While repayment for the AAP loans was originally set to begin in August 2020, Congress delayed the repayment start date to March 27, 2021 under the Continuing Appropriations Act, 2021 (P.L. 116-159).  Signed into law on October 1, 2020, the Continuing Appropriations Act also revised the repayment terms for AAP loans to allow Medicare to begin automatically recouping 25% of Medicare payments toward the outstanding loan balance in the first 11 months following the March 27, 2021 repayment deadline and 50% of Medicare payments in the subsequent six-month period.

Hospitals are again requesting a delay in the repayment schedule and other changes to AAP programs due to concerns over continued revenue losses associated with the pandemic.  According to an analysis commissioned by the American Hospital Association (AHA), hospitals could stand to lose between $53 billion and $122 billion in revenue in 2021 due to costs related to COVID-19 vaccine distribution and the potential for future surges in case numbers to cause elective procedures to drop.  As such, America’s Essential Hospitals urged congressional leadership in a February 17 letter to delay the AAP loan deadline and lower interest rates.  The AHA has gone a step further, asking the federal government in a November 2020 fact sheet to forgive the loans outright.

However, Congress has yet to deliver further relief.  In the American Rescue Plan Act of 2021, the latest COVID-19 relief bill that could be signed into law within days, lawmakers did not make any changes to the AAP programs.  Congress also notably came up short on hospitals’ request to provide $35 billion in additional funding for the Provider Relief Fund.  Instead of more fully replenishing relief funds, the American Rescue Plan Act only provides $8.5 billion in assistance, and specifically designates the monies for rural hospitals.

One reason lawmakers may be hesitant to make significant changes to AAP loans is the implications for the Medicare trust funds.  The Congressional Budget Office projects the Part A trust fund and Part B trust fund will become insolvent by 2026 and 2024, respectively.  Further changes to AAP programs that would protract repayment or forgive the loans outright would accelerate the timeline for the trust funds to run dry.

At the moment, Congress is carefully weighing whether to legislate any additional financial help for hospitals, whether in the form of a delayed loan repayment date or grants from the Provider Relief Fund, and is taking a pass for now in the American Rescue Plan.