Cyberattacks have yet to hurt health care’s bottom line

Although health care is hurting from cyberattackers — with at least 12 distinct ransomware attacks on American providers and hospital chains this year — the industry’s pocketbooks appear no lighter as a result.

Even the most notorious intrusions haven’t hurt company stocks, analysts say. And if health care businesses don’t perceive business risks from having less-than-impregnable digital defenses, they may not invest as much as necessary to prevent them.

Regulations alone aren’t enough to guarantee tough defenses. Policymakers told POLITICO earlier this summer that health care “has to help itself,” in the words of Rep. Will Hurd (R-Texas), leader of the House Oversight’s cybersecurity subcommittee.

No one doubts that hackers seeking to interfere with health care operations’ digital machinery are creative and bold. The typical breach costs more than $1 million to remediate, says Beth Israel Deaconess CIO John Halamka.

“Increasingly, boards of directors are aware of the monetary penalties for breaches and the reputational damage they create,” Halamka says in an upcoming chapter of a book on cybersecurity. “Health care organizations work hard to gain the trust of the patients. A single major security event can destroy years of good will.”

Repercussions from a hacking might also dent a public company’s standing in the stock market, warns Jacob Olcott, an executive with cybersecurity firm BitSight Technologies. While serving as a legislative staffer with former Sen. Jay Rockefeller (D-W.Va.), Olcott worked with the SEC to investigate company disclosures of cybersecurity-related incidents.

The research led the SEC to create guidance to prod companies into disclosing material information related to hacking incidents. Long-term institutional investors worry about the consequences of hacking, says Olcott: “They are concerned about breaches. They read the paper too.”

Yet while companies like Sony Pictures Entertainment shut down for weeks during their hacks (Sony even fired its CEO, Amy Pascal), health care organizations don’t seem to be suffering the reputational or financial damage Olcott and Halamka warn of — at least not yet.

Public markets let many deeds go unpunished

POLITICO examined the consequences of the breach of 78.8 million Anthem patients’ data in March 2015 and the attack on Community Health Services, which lost 4.5 million patients’ data in August 2014.

In each case, the financial market’s wrath has been restrained. After the March 13, 2015, report of the Anthem breach, its stock opened at 146.83. After a weekend to digest the news, traders sent Anthem’s stock to 153.25. While the insurer’s stock has dipped since then — it’s now trading at 127.48 — it doesn’t seem to be as a result of cybersecurity-related worries. The company is trying to merge with competitor Cigna and weather the turbulence of the exchanges.

It’s a similar story with Community Health Systems, whose breach was reported Aug. 20, 2015. The stock closed that day at 56.56; the next day, it closed at 55.67. Business has suffered since then, with the stock dipping to 11.11, and the company is trying to unload several low-performing hospitals.

But in neither case do financial analysts appear to be concerned with the hacks. In earnings calls conducted since, analysts asked executives not a single question about the breaches or the potential consequences the companies might suffer.

Breaches are viewed as a normal business risk for Anthem, said one investment bank analyst.

Olcott acknowledged that the market’s reaction to breaches is often muted, but thinks this might be attributed to the form in which disclosures are handled by regulators, which demand specific information such as the fact that a given number of records were potentially breached.

“An investor has no idea how to interpret that,” Olcott said. “What does that mean? Is this a $5 million thing? … Or is it a bigger deal?”

If financiers aren’t pushing health care organizations that find themselves in the news because of cybersecurity concerns, what about customers?

Customers and data breaches

Customers aren’t sending signals through the marketplace that they care much about breaches.

After Hollywood Presbyterian suffered a high-profile shutdown during a ransomware attack in February, its quarterly revenue didn’t seem to suffer — indicating that patients weren’t shunning the hospital.

Hollywood Presbyterian took in nearly $67.5 million during the first quarter of 2016 — a slight rise from the equivalent period in 2015, according to data from California’s Office of Statewide Health Planning and Development.

While Hollywood Presbyterian’s Yelp ratings are poor — averaging 2 stars out of 5 — none of the reviews on the site mention ransomware or the shutdown.

Halamka says he’s heard that hospital expenses for investigations and regulatory compliance run about $350 per patient per breach. To help defray those possible costs, some hospitals have taken out cyberinsurance policies, in addition to security preparations to try to prevent attacks.

But investments in cybersecurity across the health care industry are quite small, to date. A letter last week from CHIME regarding NIST’s cybersecurity framework noted that such investments are a subset of a provider’s overall health IT budget — itself a small subset of the overall budget.

Halamka estimates cybersecurity is 2 percent of the average hospital’s health IT budget, which in turn is 5 percent of the overall budget. The costs of investing in cybersecurity are high, CHIME notes — prohibitive for some smaller hospitals.

HHS cybersecurity initiative paralyzed by ethics, contracting investigation

A fledgling HHS initiative to protect the nation’s health care system from cyberattack has been paralyzed by the removal of its two top officials amid allegations of favors and ethical improprieties.

The executive running the Health Cybersecurity and Communications Integration Center was put on administrative leave in September, while his deputy left the government. An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed.

The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business.

What is not in dispute is that their departures have put the center’s work on hold and left many health care officials worried about its fate at a time when cyberattacks on hospitals and other health care institutions have become increasingly prevalent. A ransomware attack last summer cost pharmaceutical giant Merck nearly $300 million in lost revenues and other costs in the third quarter of 2017 alone. More than a dozen U.S. hospitals have been hit by ransomware attacks since 2016, forcing them to delay surgeries or use paper records while their computers are on the fritz.

The paralysis of the cyber center is “a step backwards,” said James Routh, the chair of NH-ISAC, a private-sector group that distributes information about digital attacks to its health care customers. The cyber center, whose activities were designed to complement work done by NH-ISAC, “had solid, strong leadership and now it doesn’t. The industry is hurt by that.”

Scanlon, the deputy HHS chief information security officer, and Amato, the director of the center, began building it late in 2016 so that HHS would have a way of sharing information about digital threats like ransomware with the health care sector.

Scanlon and others argued that the health care industry needed cyber help directly from HHS, which could communicate clearly in the language of the industry while coordinating with the rest of the government.

The center debuted in May and immediately claimed success. While much of the United Kingdom’s National Health Service was ravaged by the “WannaCry” ransomware attack that month, the United States’ health care system emerged relatively unscathed.

Many in industry praised the new center for broadcasting useful information. Scanlon testified in a House Energy and Commerce Committee hearing that the center played an integral role in repelling the attack although it wasn’t fully set up yet.

“While this was the first time HHS had organized itself in this way for a cybersecurity incident, we believe that it has set a standard on how to manage cybersecurity incidents,” he testified.

Yet controversy immediately stalked the center. First, many wondered whether it duplicated existing organizations that share information about bugs and patches. DHS hosts a nationwide information-sharing center, and the health care industry has two prominent cyber threat-sharing groups, NH-ISAC and the HITRUST Alliance.

Some worried that the HHS center would just confuse or burden health care security officials already dealing with cyber threat alerts from Homeland Security and the private-sector groups.

“There’s almost a weariness in the private sector [about information-sharing efforts],” Wiley Rein attorney Megan Brown said over the summer. NH-ISAC warned in July of an “already crowded government information sharing space” that is already “awash in bulletins” when a threat emerges.

How technology could preserve abortion rights

Abortion rights advocates are exploring how technology might preserve or even expand women’s access to abortion if the Supreme Court scales back Roe v. Wade.

A nonprofit group is testing whether it’s safe to let women take abortion pills in their own homes after taking screening tests and consulting with a doctor on their phones or computers. Because the study is part of an FDA clinical trial, the group isn’t bound by current rules requiring the drugs be administered in a doctor’s office or clinic.

The group, called Gynuity Health Projects, is carrying out the trial in five states that already allow virtual doctors to oversee administration of the abortion pill, and may expand to others. If the trial proves that allowing women to take the pill at home is safe — under a virtual doctor’s supervision — the group hopes the FDA could eventually loosen restrictions to allow women to take pills mailed to them after the consult.

If the FDA took that step, it could even help women in states with restrictive abortion laws get around them, potentially blurring the strict boundaries between abortion laws in different states if — as is likely — the Senate confirms a high court justice who is open to further limits on Roe.

Telemedicine “will become much more of a flashpoint because medication abortion is a method so many patients [are] looking to use,” said Elizabeth Nash of the Guttmacher Institute, a research group that supports abortion rights.

Right now, even in states that allow a licensed provider to administer the abortion pill by video hookup, the provider must watch, in person or by video, as a woman takes the first medication in a clinic or other health care setting. The drugs abort the fetus without surgery but are safe and effective only in the first 10 weeks of pregnancy. If the group’s study shows it’s safe for women to administer the drug themselves after an online consultation with a health care provider, it will petition the FDA to lift the requirement.

If that were to occur — a big “if” under a Republican administration — states with more permissive abortion laws could expand access to the procedure to clinics served by video hookups, effectively reducing the long distances many women often travel to find a provider.

But it could also potentially boost access for women living in states with more restrictive laws as they might have an easier time obtaining prescriptions by mail, besides having a greater number of telemedicine clinics to go to if they were able and willing to travel across state lines.

“We know even now that some women are accessing these medications online — it may not be strictly legal, but people are doing that,” said Daniel Grossman, a University of California, San Francisco researcher who has studied the safety of telemedicine abortions. “It would be a hard thing to crack down on.”

Grossman notes that women in other countries that prohibit abortion have used the internet to buy abortion pills by mail and get around restrictions.

Not everyone is convinced, however.

“It could open some doors,” Nash said. “Still, people [in restricted states] would have to jump through hoops.”

For example, restrictions on waiting periods and a counseling requirement would apply, and doctors who prescribe the pills would still have to be licensed in the state where the patient resides — though patients don’t usually face penalties for failing to comply with state abortion laws.

“All of the burden falls to the provider,” she said. “But if the state wanted to, there’s potential for women to be charged in some way.”

Anti-abortion lawmakers in Texas wouldn’t speculate on whether they might change state law to impose penalties on patients if the FDA loosened regulations on telemedicine abortion, but they believe existing restrictions in the state’s telemedicine law, which are being challenged in court, would prevent women from obtaining the medicines remotely.

Gynuity, which is currently enrolling patients in Maine, Hawaii, Oregon, New York and Washington state, plans to expand the telehealth-abortion study to women in other states where telemedicine for abortion has not been outlawed.