‘There’s so many parts of this issue that are not resolved’
Hospitals, state senator seeking cybersecurity in wake of ransomware attacks, data breaches
HARTFORD — As a rise in cyber and ransomware attacks on health care facilities leaves hospitals vulnerable, legislators and health care providers are hoping to work together to improve cybersecurity measures.
According to Connecticut Attorney General’s office data, the health care sector reports more data breaches than any other industry. Experts previously told CT Insider that health care systems are typically targeted because the digital system is full of sensitive data, like medical files and billing information,
One of the most recent ransomware attacks occurred in August after Prospect Medical Holdings, a California-based medical system, was attacked, affecting two of its Connecticut networks, Eastern Connecticut Health Network and Waterbury Health. The attack resulted in close to 110,000 residents’ confidential information being compromised and weeks of facility disruption.
Health providers have also previously expressed worries about Connecticut’s Health Information Exchange (CONNIE), citing issues with the type of information shared, the need for more safeguards, and a history of privacy concerns.
“It’s not a matter of ‘if,’ it’s a matter of ‘when’ more systems would be impacted,” said state Sen. Saud Anwar, D-South Windsor, at a press conference hosted in support of Senate Bill 1, which would enact protective and preventive cybersecurity provisions for health care facilities. “More health care systems will be attacked by cyber criminals and that’s the reality.”
If passed, SB 1 hopes to address safety concerns relating to health care, such as home care protections and requiring a prescription drug shortage study.
Anwar said at the press conference that although the bill has a lot of different parts, it also has provisions that would help the state and hospitals be better prepared for a cyberattack.
Regarding cybersecurity, SB 1 would require the state Department of Public Health to develop an initiative for health care facilities’ readiness in case of a cybersecurity event in collaboration with the state’s Chief Information Security Officer. The initiative would be implemented as part of the state’s public health emergency response plan and establish other communication means in case of a cyber breach, such as radios between units, medical devices that aren’t connected to the internet and management systems to divert emergency patients to other nearby hospitals.
SB 1 would also allocate $25,000, annually through 2028, to the state Department of Emergency Services and Public Protection for an annual meeting focused on preventing, identifying and managing cybersecurity events. Their work would include creating a cybersecurity event command scenario and training hospital staff who handle medications, lab samples and imaging studies to ensure they can work
and report without technology.
Anwar said the bill also creates a working group of stakeholders to discuss the various concerns regarding the health information exchange.
“There’s so many parts of this issue that are not resolved. At the end of that conversation, we hope there’s going to be some legislative thoughts that will come forward that we would actually codify in a manner that is going to be more protective,” Anwar said. “At the center of this, while we want all the data, it’s important that the patient health information is protected and we can feel assured that everything has been done to make sure you’re taking care of that.”
Although a legislative priority for the Senate, the SB 1 bill is being reconsidered and its language edited. Anwar said that several financial aspects relating to state agencies’ involvement played a role in the changes to the bill. He explained that the goal of universal preparedness remains the same; however, the new bill language would place more responsibility on the hospitals to establish plans with DPH and submit reports.
Many of the speakers at the press conference said that partnerships between health care facilities and the state are necessary to prepare for a cyberattack and address concerns about health information exchange.
Amanda Gunthel, president
of the Connecticut Association of Ambulatory Surgery Centers, said that health information’s interconnectivity often offers insight into how best to serve patients. However, navigating the world of online data security must be done cautiously to ensure that patients’ or providers’ information is protected from potential breaches.
Gunthel said she was hopeful the working group could find solutions together and create protections that would improve the information exchange network.
Similarly, Senior Vice President of Policy at Connecticut Hospital Association Paul Kidwell said the recent attacks on Connecticut hospitals and health networks highlight system
vulnerabilities. To remedy it, he said there needs to be ongoing open communication between the state and medical providers and a universal approach to addressing cyberattacks.
Kidwell added that patients should also be better informed about what information is being shared in the exchange network and how hospitals are protecting their data.
“We need to be talking to each other about what we’re doing as hospitals to make sure that the system is safe ... also, building expertise at the state level,” Kidwell said. “Making sure that when something occurs, we have a partnership or someone to talk to you about what we need, as a hospital system, to support getting back online.”