Health systems rely on their third-party partners. Any given hospital in this country likely has contracts with hundreds of companies providing the services they need to maintain daily operations — from telehealth platforms to revenue cycle software to laundry workers.
This heavy reliance on third-party vendors makes health systems highly susceptible to cybersecurity incidents. The recent attack on Change Healthcare — a software company that processes patient payments for hospitals and pharmacies — is a prime example of a third-party cyberattack that has had disastrous effects on healthcare providers across the country.
When a large healthcare software vendor suffers a cyberattack, there is a “whole ecosystem” that has to deal with the consequences, pointed out Erik Decker, Intermountain Health’s chief information security officer, in an interview last week at HIMSS in Orlando.
“No one system operates independent of everybody else — we’re all connected in some facet or another. And there are things that we need to do better as an industry,” he declared.
Transparency is one of the things that the industry needs to improve. But healthcare providers face challenges when it comes to sharing information after a cybersecurity incident, Decker noted.
There are laws that allow impacted healthcare organizations to share intel with the federal government or certain other groups, but it is very difficult for these organizations to share information publicly. They worry that divulging information might lead to legal exposure, reputational damage or greater cybersecurity risk.
“You walk a tight line when you’re in the middle of one of these incidents, trying to be as transparent as you possibly can be, while also making sure that you’re not too transparent. If it’s early on in the incident, you might not know a lot of what’s happening. There’s a lot of speculation,” Decker explained.
In the days immediately following a cyberattack, it sometimes appears that the affected organization is withholding information from the public, he added. That’s usually not the case — rather, it’s that providers don’t want to spread information that they’re not sure about and “send the whole industry into a direction that’s unnecessary,” he said.
Decker added that it takes “a good 36-72 hours” to really get a grip on what’s happening after being hit by a cyberattack.
Once an impacted organization can piece together what’s going on, it should share what it knows with groups like the FBI or Health-ISAC, he noted.
“There are ways that we can share what we call ‘indicators of compromise’ through the federal government,” Decker stated. “This allows everybody else to go looking inside their environments to make sure that those bad actors are not there as well — because they always change, and their tactics always shift.”
In the days following the attack on Change Healthcare, healthcare providers across the country became aware of those indicators. Decker said they have been examining their systems for signs of compromise and working to remediate vulnerabilities so they will not be affected by the same actor.
He hopes Change Healthcare will share the lessons it has learned during this process with the industry. Decker highlighted University of Vermont Health Network as an example of an organization that has done a good job in this respect.
“They had suffered a ransomware attack several years ago, and they did a full tell-all and actually conducted a study related to the clinical impact the event had. That is really good transparency,” he explained. “They were a victim of an attack, and they made the corrections that they needed to make. They really led with, ‘Here’s what happened. Let’s teach everybody else.’ And so many people have benefited from that.”