Legislators have introduced a proposal aimed at ensuring that hospitals and other health care facilities are prepared for cyberattacks, a measure prompted by the devastating data breach across three Connecticut hospitals owned by Prospect Medical Holdings last year.
Under the bill, the state would have to provide resources to health care facilities in the event of a cyberattack to help reduce operational disruptions, including a radio communication system, an intranet system for secure communication within a building, cardiac monitors, and fax machines, printers and laptops that work with an intranet system.
The state would also have to create an emergency management system that is intranet-based “to document routine and emergency events,” a diversion management system so hospital emergency departments could communicate with first responders about where to divert patients, and a process for state agencies to work with health carriers so hospitals could continue billing Medicaid and private insurers “to reduce the risk of a sudden reduction in cash flow.”
The state Department of Public Health’s Office of Public Preparedness and Response would oversee the efforts with Connecticut’s chief information officer and other agencies. The resources would be part of the state’s public health emergency response plan.
The measure also requires the Department of Emergency Services and Public Protection to convene an annual meeting with members of the National Guard, representatives from the state’s Division of Emergency Management and Homeland Security and health officials to discuss and prepare for cyber threats.
The proposal, part of an omnibus bill with numerous health care reforms, is being considered by the Public Health Committee.
Sen. Saud Anwar, a co-chair of the committee, said the idea for the measure came after state officials and legislators met with hospital executives last fall to learn what the state could do better in the event of another cyberattack.
The heads of Eastern Connecticut Health Network, which includes Manchester Memorial and Rockville General hospitals, and Waterbury Hospital attended. Those three hospitals, along with Prospect Medical facilities in other states, were rocked by a data breach in August that caused billing delays and disruptions in patient care.
Last year, The Connecticut Mirror revealed that the cyberattack was far more debilitating than hospital officials publicly acknowledged. The hospitals were unable to bill Medicaid for payment, forcing the state Department of Social Services to advance them about $7.5 million. The facilities had to cancel nearly half of their elective procedures and at times over a nearly six-week period couldn’t process X-rays or CT scans that are vital for treating potential stroke or heart attack victims.
[Inside the cyberattack at Prospect Medical Holdings’ CT hospitals]
For 17 days, Manchester Memorial Hospital was so crippled by the attack that officials notified emergency services in eastern Connecticut they could not take patients, forcing crews to divert people to hospitals as far away as Massachusetts.
And at one point in mid-August, state officials were so concerned about staffing issues at Waterbury Hospital they considered activating the volunteer Medical Reserve Corps, which had previously been done only during the height of COVID.
“They should have a plan of action, and this is a starting point,” Anwar, who is also a physician under contract at Manchester Memorial, said of the bill. “To me, if we don’t learn from a disaster, then shame on us. This is the time for us to prepare and plan.”
The bill does not include a cost estimate for the preparation efforts. Anwar said the state already has some of the resources but would need to acquire others.
Senate President Pro Tem Martin Looney, a co-sponsor the measure, said the data breach across Prospect Medical’s facilities highlights the need for better preparedness.
“What happened at the three Prospect hospitals really does point out the necessity for this,” said Looney, D-New Haven. “There seems to be a growing vulnerability to cyberattacks at health care institutions. And as we saw with the Prospect case, it has sidetracked the sale of those institutions because it’s unclear how much their fundamental value has been damaged by what happened.”
Yale New Haven Health made a bid to purchase the three hospitals in 2022. But after the cyberattack, YNHH asked Prospect to adjust the original purchase price of $435 million and sought as much as $80 million in state funding to help with recovery efforts, to update computer systems and to address “deteriorating” conditions across the hospitals. The deal is pending.
Additionally, more than 100,000 residents had their personal data compromised during the attack.
Representatives of Southern New England Healthcare, a network of 550 doctors from independent physician practices, praised the bill but encouraged legislators to go further in preparing for data breaches.
“The inclusion of cybersecurity readiness [in the measure] is essential for Connecticut in terms of emergency preparedness, and there are excellent ‘brick and mortar’ components to help get us there,” said Renee Broadbent, chief information officer for the organization. “While this is all critically important for when a cyberattack occurs, we still need a plan for providers and practices who may be directly impacted. As a network of small businesses, for us these include timely compensation for services rendered, interruption in receiving prior authorizations, scheduling patient visits, disruptions in practice, operations being jeopardized and even having practices closing due to the lack of access to necessary operational and financial data.
“Beyond responding to a cybersecurity breach, legislation needs to address the role of payor responsibility and accountability in order to prevent such events from happening.”
Paul Kidwell, senior vice president of policy for the Connecticut Hospital Association, called the bill “well intentioned” but said some of the recommendations are “redundant” and “impractical.”
“Every day, hospitals are building and advancing their resiliency, including by making significant investments in defenses against cyberattacks and setting up systems that best protect patients in any emergency,” he said. “CHA will be asking the committee to consider changes to promote collaboration between the state and hospitals … with a focus on the functions that are required for cyberattack readiness and response, rather than specify the precise type of technology, which changes rapidly.”
Rep. Lezlye Zupkus, a Republican whose district includes Waterbury and who is a member of the Public Health Committee, said legislators will listen to input from the medical community and state officials as they consider how to shape the bill going forward.
“This is extremely important,” she said. “We’ve got to protect people’s information, and we’ve got to take care of the patients coming to the hospitals. God forbid if this should happen again. There needs to be a plan in place.”