August 12, 2021
How much larger a percentage of U.S. gross domestic product (GDP) can healthcare command?
This isn’t a rhetorical question, even if it may be difficult to come up with a direct answer. After all, between 1960 and 2018, healthcare increased as a percentage of GDP from a modest 5 percent to more than triple that at almost 18 percent. Over that time period, healthcare economists noticed the rise in healthcare costs and regularly rang the alarm bells with increasing levels of concern. That, we can be sure, had as much impact on healthcare costs as screaming at the tides to recede.
The rise in healthcare’s share of GDP would be less of a concern if it were accompanied by similar growth in productivity, i.e., caring for more people so that per capita healthcare costs grew at a much slower pace, if at all. Alas, between 1980 and 2018, per capita healthcare spending increased by 290 percent, and no, this explosion can’t be explained away by the aging of the boomer generation.
While the growth of healthcare spending has fluctuated somewhat over the last few decades, these fluctuations have never been dramatic and combine to create an inexorable rise in healthcare costs that appears to have no natural apex.
It’s also important to note that public spending on healthcare in the United States is roughly the same as in the UK and Canada, but only 34 percent of Americans are covered by public spending versus virtual blanket coverage in the great white north and across the pond. Also, about a third of healthcare spending in the U.S. goes to hospitals, which is more than any other segment.
I guess we could break down further where the increases in costs are coming from but suffice it to say that they are numerous and unrelenting. What healthcare needs is not an additional financial burden that is both unpredictable and completely lacking benefit, which is the reality hackers are unleashing on healthcare (hospitals, specifically) in the U.S.
While healthcare organizations don’t always publicize the details of hacks or ransomware incidents (the former has to be made known when numerous patient records are lost) because they’re terrible public relations, we do know that these and similar incidents are happening with increasing frequency and devastating financial impact.
In 2020, for example, 92 separate ransomware attacks impacted more than 600 separate healthcare organizations and more than 18 million patient records at an estimated cost of almost $21 billion. The Ryuk group of cyber assailants in particular has targeted 235 hospitals since 2018 to the tune of at least $100 million in ransoms paid in 2020 alone. Of the 203 million total ransomware attacks in the United States during all of last year, Ryuk conducted roughly one third.
“Ransomware attacks are striking every eight minutes, crippling hospitals and American mainstays like gas, meat, television, police departments, NBA basketball and minor league baseball teams, even ferries to Martha’s Vineyard,” says a New York Times profile of former Defense Secretary and CIA Director Leon Panetta, who warned of a “Cyber Pearl Harbor” in a 2012 address.
And these are just the incidents we know about.
The implications for ordinary Americans are more dramatic than many may assume. While many hackers skip hospitals entirely to avoid the moral dilemma, Ryuk is notorious for brief, two-sentence communications and an imperviousness to the “We’re a hospital. People will die.” argument. The Colonial Pipeline hack from May sent many East Coast residents scrambling for gasoline when supplies were suddenly halted.
While it may seem fortuitous that many cybercriminal elements leave hospitals alone, there is certainly reason to believe that scenario will not endure. Criminals aren’t known for their iron morals, after all, and healthcare as an industry is a tantalizing target.
For starters, more than 75 percent of devices in use today are on operating systems that have stopped receiving patches.
“Unfortunately, a lack of cybersecurity expertise paired with a proliferation of medical IoT devices and vulnerable legacy systems have placed hospital administrators in dangerous waters,” says Corey Bodzin, CTO of technology security firm Deepwatch. “Issues such as non-updatable embedded systems, lack of effective patching and the very nature of 24/7 healthcare operations lead to the inability to remediate vulnerable systems. This makes ransomware a perfect tool for criminals targeting healthcare facilities.”
To say nothing of the fact that many hospitals and clinics operate on the financial margins and simply can’t afford expensive security consultants and systems.
Exactly how ransomware incidents cost healthcare systems money is illustrated by the experience of San Diego’s Scripps Healthcare. Before hijacking Scripps’ systems and demanding payment, the hackers took 147,000 patient records to use as both leverage with Scripps and as saleable information on the Dark Web. On top of that, plaintiff’s attorneys are now bringing class action suits against Scripps on behalf of those patients who had their records stolen.
Will hacking and ransomware costs lead to an even greater percentage of GDP for this one industry? Perhaps. Without question they create far more economic turmoil with nary a shred of benefit. In some instances, ransoms may be covered by insurance, and they can be written off as expenses that then create losses covered by American taxpayers.
The more relevant question is what can be done about it.
While some have suggested making ransom payment illegal, thoughtful analysis suggests that would have little effect, in part because government would be dictating to private businesses how they handle internal crises.
Instead, analysis by the Brookings Institution suggests success would most likely be the product of a multi-pronged defense. First, find some way to put pressure on the Russian government to crack down on hacking rings, given that most originate on Russian soil.
Next, create commercial incentives for software development companies to develop better security in their products. Currently, software developers don’t shoulder any of the burden when hackers successfully collect a ransom.
It might also be worth considering not making the payment of ransoms a tax-deductible expense.
Ultimately, an effective and equitable plan will align the incentives and penalties for all injured parties. At this point, we’re mostly leaving hospitals out on an island to make the tough decisions themselves even while the actual damage seeps into society more broadly. What hospitals need is support and the expertise provided by an entity as large and well resourced as the federal government. The national infrastructure isn’t yet in place to deal with the cybercriminality pandemic, but it needs to be in short order.
In the meantime, American hospitals and healthcare system are mostly fending for themselves and hoping not to be the next target. They can’t all be so fortunate, especially when word leaks out about the last hospital that felt the only viable option was to pay the ransom.