Six weeks have passed since Change Healthcare discovered it was hit by a cyberattack.
The Nashville-based company, part of UnitedHealth Group’s Optum division, is the nation’s largest claims and prescription processor, handling 15 billion transactions per year and touching one in every three patient records. The fallout of the cyberattack remains messy: thousands of providers across the country still face payment delays and claims submission disruptions.
Healthcare industry leaders believe there is much to learn from a cybersecurity incident of this size, and they hope the sector can use those lessons to prevent a hack like this from ever happening again. This article explores cybersecurity experts’ main takeaways from the event and its aftermath.
It’s not an under-investment problem
More than 133 million patient records were breached last year, marking a 156% increase in comparable breaches from 2022. This raises the question: Why is the healthcare sector so susceptible to cyberattacks? Do healthcare organizations not invest enough in cybersecurity?
Experts don’t believe this is the case.
“It is not a lack of investment in cybersecurity that is the issue,” said Robert Turner, managing director and practice leader for treasury and capital markets at Kaufman Hall. “It is the attractiveness to cybercriminals of the information that healthcare organizations must maintain that makes the sector vulnerable to attack.”
Healthcare data is particularly appealing to cybercriminals because of its comprehensive nature and enduring value. Unlike banking data, which can quickly become obsolete through account freezes or password changes, healthcare data encompasses a wealth of personal information, including personal medical histories, Social Security numbers and insurance details. This information can be exploited for various nefarious activities, such as insurance fraud or identity theft.
Healthcare organizations “have long been responsible” for safeguarding patient information, and since HIPAA was enacted in the late 1990s, they have faced significant fines if they fail to do so, he pointed out. So protecting patient information is built into the DNA of the healthcare ecosystem.
David Kellerman, field chief technology officer at cybersecurity company Cymulate, agreed that cybersecurity underinvestment isn’t the problem when it comes to the healthcare industry’s susceptibility to data breaches.
In his view, most healthcare organizations take cybersecurity seriously, but oftentimes they still get hurt because of how badly cybercriminals want to go after the sector. Like Turner, he emphasized that healthcare is an extremely attractive target for hackers because of its large-scale, interdependent systems, heavy reliance on technology and the critical nature of the data it handles.
Hackers are also enticed by the potential for disruptions in patient care and safety, Kellerman noted. The level of chaos and disruption associated with completing a successful cyberattack is an exciting feat that many cybercriminals are after, he said.
“This means attackers will work extra hard to be successful, and security teams need to be more aggressive than most when it comes to challenging their own setups with offensive testing. Traditional security control investments, despite costing millions in controls, systems and staffing, often leave gaps in the form of misconfigurations and insufficient protocols,” Kellerman explained.
Additionally, healthcare security teams tend to be overwhelmed with huge lists of potential issues, so they can’t easily identify the practical risks in a “pile of theoretical vulnerabilities,” he pointed out.
Every healthcare organization faces a wide array of potential weaknesses and security flaws that may exist within its systems and networks, such as vulnerable medical devices, unencrypted data transmission or outdated software. They typically identify these vulnerabilities through cybersecurity tools like security assessments or penetration testing. However, due to the sheer number of these potential vulnerabilities, it can be difficult for healthcare cybersecurity teams to prioritize which weaknesses pose the most practical and immediate risk to the organization’s security posture, according to Kellerman.
In the past, healthcare organizations rarely spent more than 6% of their IT budgets on cybersecurity, according to research from HIMSS. However, investments in cybersecurity have been increasing since 2018, and as of 2021, 26% of healthcare organizations reported allocating 7% or more of their IT budgets to cybersecurity.
Healthcare organizations know they need to make robust investments in cybersecurity and are willing to do so, but they’re having a hard time keeping up as hackers’ methods get more and more sophisticated, Kellerman remarked.
Healthcare’s reliance on third-party vendors comes with a bevy of cybersecurity risks
The fact that the Change Healthcare attack has wreaked havoc on thousands of healthcare organizations shines a light on the dangers of consolidation in the healthcare industry, according to another healthcare leader, Lee Bienstock, CEO of DocGo, which provides mobile health services.
He said that healthcare’s “rapid consolidation and a flurry of mergers” has led to increased risk for hospitals and other providers.
“This consolidation can cause more vulnerabilities across operations, and in turn, places far more patients, pharmacies, providers and doctors at risk for data loss and delays in care,” Bienstock declared.
In addition to highlighting the perils of consolidation, the Change Healthcare attack has also drawn attention to the cybersecurity risks associated with healthcare providers’ reliance on third-party vendors. In an interview last summer, John Houston, vice president of information security and privacy at UPMC, told MedCity News that the top priority for a hospital leader in his role should be to manage third-party risk.
The Change Healthcare attack “once again clearly demonstrates” that most of the cyber risk exposure that providers face originates from vulnerabilities in third-party technology and service providers, said John Riggi, the AHA’s national advisor for cybersecurity and risk.
“Yet, the way HIPAA is currently written, it is very difficult for a hospital or health system to hold these third parties accountable for gaps in their cybersecurity. In this case, Change Healthcare, which is owned by one of our nation’s largest companies, UnitedHealth Group, is so large in scope and in scale that they have become, by design or default, almost a health care ‘utility’ as it pertains to mission-critical services for healthcare,” he explained.
In his view, a concentration of mission-critical services equals a concentration of risk that the entire healthcare sector is exposed to.
When these services suddenly go offline, “every hospital in the country” becomes impacted in one way or another, Riggi declared.
“We need to shift the focus from individual cybersecurity programs to national strategies,” he remarked. “If one of the five largest companies with nearly unlimited resources to spend on highly trained staff and state-of-the-art cybersecurity systems can’t prevent a cyberattack such as this, then there is no way a hospital, of any size, should be expected to prevent an attack like this.”
Healthcare organizations still don’t have reliable plans for post-attack recovery
Given the massive scale of the Change Healthcare attack, it goes without saying that the aftermath has been chaotic. Providers and pharmacies were forced to expend time and resources on manual claims processing, and many continue to face payment delays that are hurting their cash flow.
Change Healthcare’s parent company, insurance giant UnitedHealth Group, has faced widespread criticism for its handling of the attack. The American Hospital Association has been one of the loudest voices in this regard. In the group’s March 13 letter to the Senate Finance Committee, the AHA wrote that UnitedHealth has done nothing to materially address “the persistent cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing” as a result of the attack.
The long recovery time indicates a potentially poor business continuity plan (BCP), Kellerman noted. In his eyes, every healthcare organization needs a BCP in case of a potential cybersecurity event.
“[The plan] should address business continuity in case of crisis or disaster, including backups and the ability to restore them in a timely manner. It not only means implementing a technical backup, but also alternative payment and collection routes,” he said.
Recovery has been strenuous because of the sheer number of organizations implicated in the Change Healthcare attack. When the Department of Justice filed a lawsuit in 2022 to block UnitedHealth Group’s acquisition of Change Healthcare, the complaint pointed out that Change’s network spanned roughly “900,000 physicians, 118,000 dentists, 3,300 pharmacies, 5,500 hospitals and 600 laboratories.”
The cyberattack’s impact varies depending on each organization’s exposure to the various Change Healthcare solutions that were implicated in the hack, Turner of Kaufman Hall pointed out.
“Those with exposure have been hard at work building new rails to submit held claims and receive payment and remittance information,” he said. “As data and funds have begun to flow again, healthcare organizations are managing through increases in denials and challenges reconciling payments as they work to get back to a normal cash flow pattern.”
In the coming months, the aftermath of the attack will likely still cause challenges for providers, Turner noted. Depending on how long the incident lasts, it could lead to “significant liquidity challenges” at health systems, he added.
To preserve liquidity, health systems can take actions like extending accounts payable, slowing capital spending or accessing external liquidity, Turner suggested.
“Having experienced the impacts of the Change cyberattack, providers should [plan for] the potential impact of another similar event and set aside cash reserves in their investment portfolio to protect against such an incident. They should develop a plan to address their counterparty concentration risk,” he stated.
The industry needs more transparency and collaboration
In the future, there needs to be more collaboration between the private sector and government bodies to prevent massive cyberattacks like Change Healthcare’s from happening, argued Ricardo Villadiego, CEO of cybersecurity firm Lumu.
“By sharing intelligence, resources, and expertise, this collaboration will enhance overall cyber resilience for healthcare organizations,” he said. “This collaboration and cross-functional support are crucial to ensuring healthcare organizations stay resilient against pervasive cyberattacks.”
Private-public cybersecurity collaboration should center on sharing real-time threat information, conducting joint exercises and training programs, harmonizing regulations, coordinating incident response efforts and fostering global cooperation, Villadiego explained. This type of collaboration would improve the healthcare industry’s readiness and response capabilities, as well as potentially lead to the development of innovative solutions, he noted.
During an interview last month at HIMSS24 in Orlando, Erik Decker, Intermountain Health’s chief information security officer, expressed similar sentiments.
“No one system operates independent of everybody else; we’re all connected in some facet or another. And there are things that we need to do better as an industry,” Decker declared.
Transparency is one of the things that the industry needs to improve. This won’t be easy, though, as there are many risks to consider, he noted.
Healthcare providers face challenges when it comes to sharing information after a cybersecurity incident. There are laws that allow impacted healthcare organizations to share intel with the federal government or certain other groups, but it’s very difficult for these organizations to share information publicly. They’re worried that divulging information could lead to legal concerns, a tainted reputation or worsened cybersecurity vulnerability, Decker explained.
In the next few months, he hopes Change Healthcare will share the lessons it has learned throughout this process with the industry. When MedCity News asked Change Healthcare about lessons learned from the ransomware attack, a spokesperson did not respond with any key takeaways from this difficult event.
Instead, the spokesperson shared a list of resources for affected customers and highlighted the fact that the company had communicated repeatedly with impacted parties after the cybersecurity event.
In contrast, University of Vermont Health Network is an example of an organization that has done a good job in this respect, according to Decker.
“They had suffered a ransomware attack a few years ago, and they did a full tell-all and actually performed a study related to the clinical impact the event had. That’s really good transparency,” he explained. “They were a victim of an attack, and they made the corrections that they needed to make. They really led with, ‘Here’s what happened. Let’s teach everybody else.’ And so many people have benefited from that.”
Photo: Traitov, Getty Images