Six weeks have passed since Change Healthcare discovered it was hit by a cyberattack.
The Nashville-based firm, a part of UnitedHealth Group’s Optum division, is the nation’s largest claims and prescription processor, handling 15 billion transactions per year and touching one in every three patient records. The fallout of the cyberattack remains messy — thousands of providers across the country still face payment delays and claims submission disruptions.
Healthcare industry leaders believe there is a lot to learn from a cybersecurity incident of this size, and they hope the sector can use these lessons to prevent a hack like this from ever happening again. This article explores cybersecurity experts’ main takeaways from the event and its aftermath.
It’s not an under-investment problem
More than 133 million patient records were breached last year, marking a 156% increase in such breaches from 2022. This begs the question: Why is the healthcare sector so susceptible to cyberattacks — do healthcare organizations not invest enough in cybersecurity?
Experts don’t believe that is the case.
“It isn’t a lack of investment in cybersecurity that’s the issue,” said Robert Turner, managing director and practice leader for treasury and capital markets at Kaufman Hall. “It’s the attractiveness to cybercriminals of the information that healthcare organizations must maintain that makes the sector vulnerable to attack.”
Healthcare data is particularly appealing to cybercriminals because of its comprehensive nature and enduring value. Unlike banking data — which can quickly become obsolete through account freezes or password changes — healthcare data encompasses a wealth of personal information, including personal medical histories, social security numbers and insurance details. This information can be exploited for various nefarious activities, such as insurance fraud or identity theft.
Healthcare organizations “have long been responsible” for protecting patient information — and, since HIPAA was enacted in the late 1990s, they have faced significant fines if they fail to do so, he pointed out. So protecting patient information is built into the DNA of the healthcare ecosystem.
David Kellerman, field chief technology officer at cybersecurity company Cymulate, agreed that cybersecurity underinvestment isn’t the problem when it comes to the healthcare industry’s susceptibility to data breaches.
In his view, most healthcare organizations take cybersecurity seriously — but oftentimes, they still get hurt because of how badly cybercriminals want to go after the sector. Like Turner, he emphasized that healthcare is an extremely attractive target for hackers because of its large-scale, interdependent systems, heavy reliance on technology and the critical nature of the data it handles.
Hackers are also enticed by the potential for disruptions in patient care and safety, Kellerman noted. The level of chaos and disruption associated with completing a successful cyberattack is an exciting feat that many cybercriminals are after, he said.
“This means attackers will work extra hard to be successful and security teams need to be more aggressive than most when it comes to challenging their own setups with offensive testing. Traditional security control investments — despite costing millions in controls, systems and staffing — often leave gaps in the form of misconfigurations and insufficient protocols,” Kellerman explained.
Additionally, healthcare security teams are often overwhelmed with huge lists of potential issues, so they can’t easily identify the practical risks in a “pile of theoretical vulnerabilities,” he pointed out.
Every healthcare organization faces a wide array of potential weaknesses and security flaws that may exist within its systems and networks — such as vulnerable medical devices, unencrypted data transmission or outdated software. They often identify these vulnerabilities through cybersecurity tools like security assessments or penetration testing. However, because of the sheer volume of these potential vulnerabilities, it can be difficult for healthcare cybersecurity teams to prioritize which weaknesses pose the most practical and immediate risk to the organization’s security posture, according to Kellerman.
In the past, healthcare organizations rarely spent more than 6% of their IT budgets on cybersecurity, according to research from HIMSS. However, investments in cybersecurity have been rising since 2018 — and as of 2021, 26% of healthcare organizations reported allocating 7% or more of their IT budgets to cybersecurity.
Healthcare organizations know they need to make strong investments in cybersecurity and are willing to do so, but they’re having a hard time keeping up as hackers’ methods get more and more sophisticated, Kellerman remarked.
Healthcare’s reliance on third-party vendors comes with a bevy of cybersecurity risks
The fact that the Change Healthcare attack has wreaked havoc on thousands of healthcare organizations shines a light on the dangers of consolidation in the healthcare industry, according to another healthcare leader — Lee Bienstock, CEO of DocGo, which provides mobile health services.
He said that healthcare’s “rapid consolidation and a flurry of mergers” has led to increased risk for hospitals and other providers.
“This consolidation can cause more vulnerabilities across operations, and in turn, places many more patients, pharmacies, providers and doctors at risk for data loss and delays in care,” Bienstock declared.
In addition to highlighting the perils of consolidation, the Change Healthcare attack has also drawn attention to the cybersecurity risks associated with healthcare providers’ reliance on third-party vendors. In an interview last summer, John Houston, vice president of information security and privacy at UPMC, told MedCity News that the main priority for a hospital leader in his role should be to manage third-party risk.
The Change Healthcare attack “once again clearly demonstrates” that much of the cyber risk exposure that providers face originates from vulnerabilities in third-party technology and service providers, said John Riggi, the AHA’s national advisor for cybersecurity and risk.
“Yet, the way HIPAA is currently written, it is very difficult for a hospital or health system to hold these third parties accountable for gaps in their cybersecurity. In this case, Change Healthcare — which is owned by one of our nation’s largest companies, UnitedHealth Group — is so large in scope and in scale that they have become, by design or default, almost a health care ‘utility’ as it relates to mission-critical services for healthcare,” he explained.
In his view, a concentration of mission-critical services equals a concentration of risk that the entire healthcare sector is exposed to.
When these services suddenly go offline, “every hospital in the country” becomes impacted in one way or another, Riggi declared.
“We need to shift the focus from individual cybersecurity programs to national strategies,” he remarked. “If one of the five largest companies with nearly unlimited resources to spend on highly trained staff and state-of-the-art cybersecurity systems can’t prevent a cyberattack such as this, then there is no way a hospital, of any size, should be expected to prevent an attack like this.”
Healthcare organizations still don’t have reliable plans for post-attack recovery
Given the massive scale of the Change Healthcare attack, it goes without saying that the aftermath has been chaotic. Providers and pharmacies were forced to expend time and resources on manual claims processing, and many continue to face payment delays that are hurting their cash flow.
Change Healthcare’s parent company, insurance giant UnitedHealth Group, has faced widespread criticism for its handling of the attack. The American Hospital Association has been one of the biggest voices in this regard. In the group’s March 13 letter to the Senate Finance Committee, the AHA wrote that UnitedHealth has done nothing to materially address “the continuous cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing” as a result of the attack.
The long recovery time signals a potentially poor business continuity plan (BCP), Kellerman noted. In his eyes, every healthcare organization needs a BCP in case of a potential cybersecurity event.
“[The plan] should address business continuity in case of crisis or disaster, including backups and the ability to restore them in a timely manner. It not only means implementing a technical backup, but also alternative payment and collection routes,” he said.
Recovery has been strenuous because of the sheer number of organizations implicated in Change Healthcare’s attack. When the Department of Justice filed a lawsuit in 2022 to block UnitedHealth Group’s acquisition of Change Healthcare, the complaint pointed out that Change’s network spanned roughly “900,000 physicians, 118,000 dentists, 3,300 pharmacies, 5,500 hospitals and 600 laboratories.”
The cyberattack’s impact varies depending on each organization’s exposure to the various Change Healthcare solutions that were implicated in the hack, Turner of Kaufman Hall pointed out.
“Those with exposure have been hard at work building new rails to submit held claims and receive payment and remittance information,” he said. “As data and funds have begun to flow again, healthcare organizations are managing through increases in denials and challenges reconciling payments as they work to get back to a normal cash flow pattern.”
In the coming months, the aftermath of the attack will likely still cause challenges for providers, Turner noted. Depending on how long the incident lasts, it could lead to “significant liquidity challenges” at health systems, he added.
To preserve liquidity, health systems can take actions like extending accounts payable, slowing capital spending or accessing external liquidity, Turner suggested.
“Having experienced the impacts of the Change cyberattack, providers should [plan for] the potential impact of another similar event and set aside cash reserves in their investment portfolio to protect against such an incident. They should develop a plan to manage their counterparty concentration risk,” he said.
The industry needs more transparency and collaboration
Going forward, there needs to be more collaboration between the private sector and government bodies to prevent massive cyberattacks like Change Healthcare’s from happening, argued Ricardo Villadiego, CEO of cybersecurity firm Lumu.
“By sharing intelligence, resources, and expertise, this collaboration will enhance overall cyber resilience for healthcare organizations,” he said. “This collaboration and cross-functional support are crucial to ensuring healthcare organizations stay resilient against pervasive cyberattacks.”
Private-public cybersecurity collaboration should center on sharing real-time threat information, conducting joint exercises and training programs, harmonizing regulations, coordinating incident response efforts and fostering global cooperation, Villadiego explained. Such collaboration would improve the healthcare industry’s readiness and response capabilities, as well as potentially lead to the development of innovative solutions, he noted.
During an interview last month at HIMSS24 in Orlando, Erik Decker, Intermountain Health’s chief information security officer, expressed similar sentiments.
“No one system operates independent of everyone else — we’re all connected in some aspect or another. And there are things that we need to do better as an industry,” Decker declared.
Transparency is one of the things that the industry needs to improve. This won’t be easy, though, as there are many risks to consider, he noted.
Healthcare providers face challenges when it comes to sharing information after a cybersecurity incident — there are laws that allow impacted healthcare organizations to share intel with the federal government or certain other groups, but it’s very difficult for these organizations to share information publicly. They’re worried that divulging information could lead to legal problems, a tainted reputation or worsened cybersecurity vulnerability, Decker explained.
In the next few months, he hopes Change Healthcare will share the lessons it has learned during this process with the industry. When MedCity News asked Change Healthcare about lessons learned from the ransomware attack, a spokesperson didn’t respond with any key takeaways from this difficult event.
Instead, he shared a list of resources for affected customers and highlighted the fact that the company regularly communicated with impacted parties after the cybersecurity event.
By contrast, University of Vermont Health Network is an example of an organization that has done a good job in this respect, according to Decker.
“They had suffered a ransomware attack a few years ago, and they did a full tell-all and actually conducted a study related to the clinical impact the event had. That’s really good transparency,” he explained. “They were a victim of an attack, and they made the corrections that they needed to make. They really led with, ‘Here’s what happened. Let’s teach everyone else.’ And so many people have benefited from that.”
Photo: Traitov, Getty Images