Six weeks have passed since Change Healthcare discovered it was hit by a cyberattack.
The Nashville-based company, a part of UnitedHealth Group’s Optum division, is the nation’s largest claims and prescription processor, managing 15 billion transactions per year and touching one in every three patient records. The fallout of the cyberattack remains messy — thousands of providers across the country still face payment delays and claims submission disruptions.
Healthcare industry leaders believe that there is a lot to be learned from a cybersecurity incident of this size, and they hope the sector can use these lessons to prevent a hack like this from ever happening again. This article explores cybersecurity experts’ main takeaways from the event and its aftermath.
It’s not an under-investment problem
More than 133 million patient records were breached last year, marking a 156% increase in comparable breaches from 2022. This begs the question: Why is the healthcare sector so prone to cyberattacks — do healthcare organizations not invest enough in cybersecurity?
Experts don’t believe this is the case.
“It is not a lack of investment in cybersecurity that is the issue,” said Robert Turner, managing director and practice leader for treasury and capital markets at Kaufman Hall. “It is the attractiveness to cybercriminals of the information that healthcare organizations must maintain that makes the sector vulnerable to attack.”
Healthcare data is particularly appealing to cybercriminals because of its comprehensive nature and enduring value. Unlike banking data — which can quickly become obsolete through account freezes or password changes — healthcare data encompasses a wealth of personal information, including personal medical histories, social security numbers and insurance details. This information can be exploited for various nefarious activities, such as insurance fraud or identity theft.
Healthcare organizations “have long been responsible” for safeguarding patient information — and, since HIPAA was enacted in the late 1990s, they have faced significant fines if they fail to do so, he pointed out. So protecting patient information is built into the DNA of the healthcare ecosystem.
David Kellerman, field chief technology officer at cybersecurity company Cymulate, agreed that cybersecurity underinvestment isn’t the problem when it comes to the healthcare industry’s susceptibility to data breaches.
In his view, most healthcare organizations take cybersecurity seriously — but oftentimes, they still get hurt because of how badly cybercriminals want to go after the sector. Like Turner, he emphasized that healthcare is an extremely attractive target for hackers because of its large-scale, interdependent systems, heavy reliance on technology and the critical nature of the data it handles.
Hackers are also enticed by the potential for disruptions in patient care and safety, Kellerman noted. The level of chaos and disruption associated with completing a successful cyberattack is an exciting feat that many cybercriminals are after, he said.
“This means attackers will work extra hard to be successful and security teams need to be more aggressive than most when it comes to challenging their own setups with offensive testing. Traditional security control investments — despite costing millions in controls, systems and staffing — often leave gaps in the form of misconfigurations and insufficient protocols,” Kellerman explained.
Additionally, healthcare security teams are often overwhelmed with massive lists of potential issues, so they can’t easily identify the practical risks in a “pile of theoretical vulnerabilities,” he pointed out.
Every healthcare organization faces a wide array of potential weaknesses and security flaws that may exist within its systems and networks — such as vulnerable medical devices, unencrypted data transmission or outdated software. They often identify these vulnerabilities through cybersecurity tools like security assessments or penetration testing. However, due to the sheer volume of these possible vulnerabilities, it can be difficult for healthcare cybersecurity teams to prioritize which weaknesses pose the most practical and immediate risk to the organization’s security posture, according to Kellerman.
In the past, healthcare organizations rarely spent more than 6% of their IT budgets on cybersecurity, according to research from HIMSS. However, investments in cybersecurity have been rising since 2018 — and as of 2021, 26% of healthcare organizations reported allocating 7% or more of their IT budgets to cybersecurity.
Healthcare organizations know they need to make robust investments in cybersecurity and are willing to do so, but they are having a hard time keeping up as hackers’ methods get increasingly sophisticated, Kellerman remarked.
Healthcare’s reliance on third-party vendors comes with a bevy of cybersecurity risks
The fact that the Change Healthcare attack has wreaked havoc on thousands of healthcare organizations shines a light on the dangers of consolidation in the healthcare industry, according to another healthcare leader — Lee Bienstock, CEO of DocGo, which provides mobile health services.
He said that healthcare’s “rapid consolidation and a flurry of mergers” has led to increased risk for hospitals and other providers.
“This consolidation can cause more vulnerabilities across operations, and in turn, places even more patients, pharmacies, providers and doctors at risk for data loss and delays in care,” Bienstock declared.
In addition to highlighting the perils of consolidation, the Change Healthcare attack has also drawn attention to the cybersecurity risks associated with healthcare providers’ reliance on third-party vendors. In an interview last summer, John Houston, vice president of information security and privacy at UPMC, told MedCity News that the main priority for a hospital leader in his role should be to manage third-party risk.
The Change Healthcare attack “once again clearly demonstrates” that most of the cyber risk exposure that providers face originates from vulnerabilities in third-party technology and service providers, said John Riggi, the AHA’s national advisor for cybersecurity and risk.
“Yet, the way HIPAA is currently written, it is very difficult for a hospital or health system to hold these third parties accountable for gaps in their cybersecurity. In this case, Change Healthcare — which is owned by one of our nation’s largest corporations, UnitedHealth Group — is so large in scope and in scale that they have become, by design or default, almost a health care ‘utility’ as it relates to mission-critical services for healthcare,” he explained.
In his view, a concentration of mission-critical services equals a concentration of risk that the entire healthcare sector is exposed to.
When these services suddenly go offline, “every hospital in the country” becomes impacted in one way or another, Riggi declared.
“We need to shift the focus from individual cybersecurity programs to national strategies,” he remarked. “If one of the five largest corporations with nearly unlimited resources to spend on highly trained staff and state-of-the-art cybersecurity systems can’t prevent a cyberattack such as this, then there is no way a hospital, of any size, should be expected to prevent an attack like this.”
Healthcare organizations still don’t have reliable plans for post-attack recovery
Given the massive scale of the Change Healthcare attack, it goes without saying that the aftermath has been chaotic. Providers and pharmacies were forced to expend time and resources on manual claims processing, and many continue to face payment delays that are hurting their cash flow.
Change Healthcare’s parent company, insurance giant UnitedHealth Group, has faced widespread criticism for its handling of the attack. The American Hospital Association has been one of the biggest voices in this regard. In the group’s March 13 letter to the Senate Finance Committee, the AHA wrote that UnitedHealth has done nothing to materially address “the chronic cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing” as a result of the attack.
The long recovery time indicates a potentially poor business continuity plan (BCP), Kellerman noted. In his eyes, every healthcare organization needs a BCP in case of a potential cybersecurity event.
“[The plan] should address business continuity in case of crisis or disaster, including backups and the ability to restore them in a timely manner. It not only means implementing a technical backup, but also alternative payment and collection routes,” he said.
Recovery has been strenuous because of the sheer number of organizations implicated in Change Healthcare’s attack. When the Department of Justice filed a lawsuit in 2022 to block UnitedHealth Group’s acquisition of Change Healthcare, the complaint pointed out that Change’s network spanned roughly “900,000 physicians, 118,000 dentists, 3,300 pharmacies, 5,500 hospitals and 600 laboratories.”
The cyberattack’s impact varies depending on each organization’s exposure to the various Change Healthcare solutions that were implicated in the hack, Turner of Kaufman Hall pointed out.
“Those with exposure have been hard at work building new rails to submit held claims and receive payment and remittance information,” he said. “As data and funds have begun to flow again, healthcare organizations are managing through increases in denials and challenges reconciling payments as they work to get back to a normal cash flow pattern.”
In the coming months, the aftermath of the attack will likely still cause challenges for providers, Turner noted. Depending on how long the incident lasts, it could lead to “significant liquidity challenges” at health systems, he added.
To preserve liquidity, health systems can take actions like extending accounts payable, slowing capital spending or accessing external liquidity, Turner suggested.
“Having experienced the impacts of the Change cyberattack, providers should [plan for] the potential impact of another similar event and set aside cash reserves in their investment portfolio to protect against such an incident. They should develop a plan to address their counterparty concentration risk,” he said.
The industry needs more transparency and collaboration
In the future, there needs to be more collaboration between the private sector and government bodies to prevent massive cyberattacks like Change Healthcare’s from happening, argued Ricardo Villadiego, CEO of cybersecurity firm Lumu.
“By sharing intelligence, resources, and expertise, this collaboration will enhance overall cyber resilience for healthcare organizations,” he said. “This collaboration and cross-functional support are critical to ensuring healthcare organizations remain resilient against pervasive cyberattacks.”
Private-public cybersecurity collaboration should center on sharing real-time threat information, conducting joint exercises and training programs, harmonizing regulations, coordinating incident response efforts and fostering international cooperation, Villadiego explained. This type of collaboration would improve the healthcare industry’s readiness and response capabilities, as well as potentially lead to the development of innovative solutions, he noted.
During an interview last month at HIMSS24 in Orlando, Erik Decker, Intermountain Health’s chief information security officer, expressed similar sentiments.
“No one system operates independent of everybody else — we’re all connected in some aspect or another. And there are things that we need to do better as an industry,” Decker declared.
Transparency is one of the things that the industry needs to improve. This won’t be easy, though, as there are many risks to consider, he noted.
Healthcare providers face challenges when it comes to sharing information after a cybersecurity incident — there are laws that allow impacted healthcare organizations to share intel with the federal government or certain other groups, but it is very difficult for these organizations to share information publicly. They are worried that divulging information might lead to legal concerns, a tainted reputation or worsened cybersecurity vulnerability, Decker explained.
In the next few months, he hopes Change Healthcare will share the lessons it has learned during this process with the industry. When MedCity News asked Change Healthcare about lessons learned from the ransomware attack, a spokesperson didn’t respond with any key takeaways from this difficult event.
Instead, he shared a list of resources for affected customers and highlighted the fact that the company regularly communicated with impacted parties after the cybersecurity event.
By contrast, University of Vermont Health Network is an example of an organization that has done a good job in this respect, according to Decker.
“They had suffered a ransomware attack several years ago, and they did a full tell-all and actually conducted a study related to the clinical impact the event had. That’s really good transparency,” he explained. “They were a victim of an attack, and they made the corrections that they needed to make. They really led with, ‘Here’s what happened. Let’s educate everybody else.’ And so many people have benefited from that.”
Photo: Traitov, Getty Images