It’s been six weeks since Change Healthcare found it had suffered a cyberattack.
Healthcare business leaders consider there’s a lot to be taught from a cybersecurity incident of this scale and hope the healthcare business will leverage these classes to stop hacks like this from occurring once more. I’m right here. In this text, cybersecurity consultants discover the primary takeaways from this occasion and its aftermath.
It’s not a matter of lack of funding
More than 133 million affected person information have been compromised final 12 months, a 156% improve in related breaches from 2022. This raises questions equivalent to: Why is the healthcare sector so inclined to cyber-attacks, and are healthcare organizations not investing sufficient in cybersecurity?
Experts don’t consider this to be the case.
“The drawback just isn’t an absence of funding in cybersecurity,” stated Robert Turner, managing director and apply chief for finance and capital markets at Kaufman Hall. “The info that healthcare organizations should preserve is engaging to cybercriminals, making this sector weak to assault.”
Medical information is especially engaging to cybercriminals on account of its complete nature and enduring worth. Unlike banking information, which might shortly develop into outdated on account of account freezes and password modifications, medical information incorporates a wealth of private info equivalent to an individual’s medical historical past, Social Security quantity, and insurance coverage particulars. This info can be utilized to commit quite a lot of fraudulent actions, together with insurance coverage fraud and id theft.
Healthcare suppliers have “lengthy had a accountability” to guard affected person info, he stated, however since HIPAA was enacted within the late Nineteen Nineties, they’ve confronted hefty fines for failing to take action. did. Therefore, defending affected person info is within the DNA of the healthcare ecosystem.
David Kellerman, area chief know-how officer at cybersecurity agency Cymulate, agreed that lack of funding in cybersecurity just isn’t the issue in terms of the healthcare business’s susceptibility to information breaches.
In his view, most healthcare organizations take cybersecurity severely, however they’re nonetheless typically victimized by cybercriminals’ intense focusing on of the sector. Like Turner, he stated healthcare is a really engaging goal for hackers due to its massive, interdependent methods, heavy reliance on know-how, and the delicate nature of the information it handles. additionally emphasised.
Kellerman famous that hackers are additionally tempted by the potential of disrupting affected person care and security. He stated the extent of chaos and disruption that accompanies a profitable cyberattack is an thrilling feat that many cybercriminals pursue.
“This means attackers will work additional arduous to succeed, and safety groups should be extra aggressive than different groups when difficult their very own configurations with offensive checks. Investments in conventional safety controls typically value tens of millions of {dollars} in administration, methods, and staffing, but depart gaps within the type of misconfigurations and insufficient protocols.” Kellerman defined.
Additionally, healthcare safety groups are usually overwhelmed with an enormous checklist of potential issues, to allow them to’t simply establish actual dangers among the many “mountain of theoretical vulnerabilities,” he stated. It identified.
All healthcare organizations face quite a lot of potential weaknesses and safety flaws that will exist inside their methods and networks, together with weak medical gadgets, unencrypted information transmission, and outdated software program. . These vulnerabilities are sometimes recognized by way of cybersecurity instruments equivalent to safety assessments and penetration checks. However, the sheer variety of these potential vulnerabilities requires healthcare cybersecurity groups to prioritize which weaknesses pose probably the most actual and instant threat to a corporation’s safety posture, based on Kellerman. It may be tough to connect.
Historically, healthcare organizations have not often spent greater than 6% of their IT price range on cybersecurity, based on HIMSS analysis. However, investments in cybersecurity have elevated since 2018, with 26% of healthcare organizations reportedly allocating greater than 7% of their IT budgets to cybersecurity as of 2021.
Healthcare organizations know they should make stable investments in cybersecurity, they usually’re doing so aggressively, however as hackers’ methods develop into more and more refined, they’re struggling to take care of it. It’s been a battle, Kellerman stated.
Healthcare organizations’ reliance on third-party distributors comes with many cybersecurity dangers
Another healthcare chief, Lee Bienstock, CEO of cell healthcare supplier DocGo, stated the truth that the Change Healthcare assault wreaked havoc on 1000’s of healthcare organizations highlights the hazards of consolidation within the healthcare business. It is claimed that it highlights the
He stated the healthcare business’s “speedy consolidation and spate of mergers” is resulting in elevated dangers for hospitals and different healthcare suppliers.
“This consolidation has the potential to create much more vulnerabilities throughout operations, placing way more sufferers, pharmacies, suppliers, and physicians vulnerable to information loss and delays in care. ” Bianstock declared.
The assault on Change Healthcare not solely highlighted the hazards of integration, but in addition drew consideration to the cybersecurity dangers related to a healthcare supplier’s reliance on third-party distributors. John Huston, UPMC’s vice chairman of knowledge safety and privateness, stated in an interview final summer season that hospital leaders’ high precedence of their roles must be managing third-party threat. he informed MedCity News.
John Riggi, the AHA’s nationwide advisor on cybersecurity and threat, stated the Change Healthcare assault “reinforces the clear message that a lot of the cyber dangers going through suppliers stem from vulnerabilities in third-party know-how and repair suppliers.” “It is proven within the desk under.”
“However, the way in which HIPAA is presently written makes it very tough for hospitals and well being methods to carry third events accountable for cybersecurity deficiencies. In this case, UnitedHealth, one in every of our nation’s largest firms, Change Healthcare, owned by the group, is so massive in scope and dimension that it’s virtually a healthcare “public utility” by design or default. It’s a mission-critical service in healthcare,” he defined.
In his view, the focus of mission-critical companies equates to the focus of dangers to which the whole healthcare sector is uncovered.
If these companies out of the blue go offline, Rigi declared, “each hospital within the nation” might be affected indirectly.
“We have to shift our focus from particular person cybersecurity applications to nationwide technique,” he stated. If one of many high 5 firms with extremely educated employees and practically limitless assets to spend on state-of-the-art cybersecurity methods cannot forestall these cyberattacks, then hospitals of all sizes cannot. There’s no approach it may be prevented. It is predicted to stop such assaults. ”
Medical establishments nonetheless would not have a dependable plan for restoration after an assault
Given the dimensions of the Change Healthcare assault, it goes with out saying that the aftermath is complicated. Healthcare suppliers and pharmacies are compelled to spend time and assets on handbook claims processing, and lots of nonetheless face fee delays, negatively impacting money movement.
Change Healthcare’s dad or mum firm, insurance coverage big UnitedHealth Group, has confronted widespread criticism for its response to the assault. The American Hospital Association is among the organizations that has been the loudest on this level. In a March 13 letter to the Senate Finance Committee, the AHA stated UnitedHealth has suffered “power money movement impacts and uncertainties that our nation’s hospitals and physicians are experiencing” on account of the assaults. I wrote that just about nothing was being completed to deal with it.
Kellerman famous that longer restoration occasions point out that enterprise continuity plans (BCPs) could also be insufficient. In his eyes, each healthcare group wants his BCP to organize for potential cybersecurity occasions.
“[The plan] Business continuity within the occasion of a disaster or catastrophe should be addressed, together with backups and the flexibility to revive them in a well timed method. That means not solely placing technical backups in place, but in addition putting in various fee and assortment routes,” he stated.
The sheer variety of organizations concerned within the Change Healthcare assault makes restoration tough. When the Justice Department filed a lawsuit to dam UnitedHealth Group’s acquisition of Change Healthcare in 2022, the grievance alleges that Change’s community contains roughly “900,000 physicians, 118,000 dentists, 3,300 pharmacies, and hospitals. 5,500 households and 600 analysis institutes.”
Kaufman Hall’s Turner famous that the impression of a cyberattack varies relying on every group’s publicity to the varied change healthcare options concerned within the hack.
“People who’ve been uncovered have labored arduous to create new rails for them to submit pending claims and obtain fee and remittance info,” he stated. “As information and funds start to movement once more, healthcare suppliers are coping with a rise in fee denials and adjustment requests whereas working to return to regular money movement patterns.”
Turner famous that the fallout from the assault is prone to proceed to pose challenges for suppliers within the coming months. Depending on how lengthy the outbreak lasts, it may create “vital liquidity challenges” for the well being system, he added.
To preserve liquidity, Turner advised well being methods may take steps equivalent to extending accounts payable, slowing capital spending and accessing exterior liquidity.
“Change Having skilled the impression of cyber-attacks, suppliers should: [plan for] Consider the potential impression of one other related occasion and preserve money reserves in your funding portfolio to guard in opposition to such occasions. “Plans should be developed to deal with counterparty focus threat,” he stated.
Industry wants extra transparency and collaboration
In the longer term, collaboration between the personal sector and authorities businesses will should be even stronger to stop large-scale cyberattacks like Change Healthcare from occurring, stated CEO Lumu, a cybersecurity firm. CEO) Ricardo Villadiego insists.
Public-private cybersecurity cooperation ought to give attention to sharing real-time risk info, conducting joint workout routines and coaching applications, harmonizing laws, coordinating incident response efforts, and fostering world cooperation, Villadiego stated. defined. He famous that one of these cooperation may result in the event of modern options, in addition to enhance the readiness and response capabilities of the healthcare business.
Eric Decker, chief info safety officer at Intermountain Health, echoed related sentiments in an interview at HIMSS24 in Orlando final month.
“No system operates independently of all different methods. We are all related indirectly. And there are issues we have to do higher as an business,” Decker declared.
Transparency is among the issues the business wants to enhance. However, he famous that this isn’t straightforward as there are a lot of dangers to contemplate.
Healthcare suppliers face challenges in terms of sharing info after a cybersecurity incident. Although there are legal guidelines that permit affected healthcare organizations to share info with the federal authorities and sure different teams, it is rather tough for these organizations to share info publicly. They’re involved that leaking info may result in authorized issues, reputational harm and exacerbating cybersecurity vulnerabilities, Decker defined.
He expects Change Healthcare to share the teachings discovered on this course of with the business within the coming months. When MedCity News requested Change Healthcare in regards to the classes discovered from the ransomware assault, a spokesperson didn’t present any key takeaways from this tough occasion.
Instead, he shared a listing of assets for affected prospects and highlighted the truth that he was in common contact with affected events following the cybersecurity occasion.
“They had a ransomware assault a number of years in the past they usually made a full disclosure and really performed a examine on the scientific impression that that occasion had. It’s actually nice transparency,” he defined. . “They have been victims of an assault, however they made the mandatory corrections. They actually stated, ‘This occurred.’ Let’s inform everybody else. ‘ And so many individuals are benefiting from it. ”
Photo: Treitov, Getty Images