Six weeks have passed since Change Healthcare discovered it was hit by a cyberattack.
The Nashville-based company, part of UnitedHealth Group’s Optum division, is the nation’s largest claims and prescription processor, managing 15 billion transactions per year and touching one in every three patient records. The fallout of the cyberattack remains messy — thousands of providers across the country still face payment delays and claims submission disruptions.
Healthcare industry leaders believe that there is much to learn from a cybersecurity incident of this size, and they hope the sector can use these lessons to prevent a hack like this from ever happening again. This article explores cybersecurity experts’ main takeaways from the event and its aftermath.
It’s not an under-investment problem
More than 133 million patient records were breached last year, marking a 156% increase in similar breaches from 2022. This begs the question: Why is the healthcare sector so susceptible to cyberattacks — do healthcare organizations not invest enough in cybersecurity?
Experts don’t believe this is the case.
“It isn’t a lack of investment in cybersecurity that is the issue,” said Robert Turner, managing director and practice leader for treasury and capital markets at Kaufman Hall. “It is the attractiveness to cybercriminals of the information that healthcare organizations must maintain that makes the sector vulnerable to attack.”
Healthcare data is particularly appealing to cybercriminals because of its comprehensive nature and enduring value. Unlike banking data — which could quickly become obsolete through account freezes or password changes — healthcare data encompasses a wealth of personal information, including personal medical histories, social security numbers and insurance details. This information can be exploited for various nefarious activities, such as insurance fraud or identity theft.
Healthcare organizations “have long been responsible” for protecting patient information — and, since HIPAA was enacted in the late 1990s, they have faced significant fines if they fail to do so, he pointed out. So protecting patient information is built into the DNA of the healthcare ecosystem.
David Kellerman, field chief technology officer at cybersecurity company Cymulate, agreed that cybersecurity underinvestment isn’t the problem when it comes to the healthcare industry’ susceptibility to data breaches.
In his view, most healthcare organizations take cybersecurity seriously — but oftentimes, they still get hurt because of how badly cybercriminals want to go after the sector. Like Turner, he emphasized that healthcare is an incredibly attractive target for hackers because of its large-scale, interdependent systems, heavy reliance on technology and the critical nature of the data it handles.
Hackers are also enticed by the potential for disruptions in patient care and safety, Kellerman noted. The level of chaos and disruption associated with completing a successful cyberattack is an exciting feat that many cybercriminals are after, he said.
“This means that attackers will work extra hard to be successful and security teams must be more aggressive than most when it comes to challenging their own setups with offensive testing. Traditional security control investments — despite costing millions in controls, systems and staffing — often leave gaps in the form of misconfigurations and insufficient protocols,” Kellerman explained.
Additionally, healthcare security teams are typically overwhelmed with huge lists of potential issues, so they can’t easily identify the practical risks in a “pile of theoretical vulnerabilities,” he pointed out.
Every healthcare organization faces a wide array of potential weaknesses and security flaws that may exist within their systems and networks — such as vulnerable medical devices, unencrypted data transmission or outdated software. They often identify these vulnerabilities through cybersecurity tools like security assessments or penetration testing. However, due to the sheer volume of these possible vulnerabilities, it can be difficult for healthcare cybersecurity teams to prioritize which weaknesses pose the most practical and immediate risk to the organization’s security posture, according to Kellerman.
In the past, healthcare organizations rarely spent more than 6% of their IT budgets on cybersecurity, according to research from HIMSS. However, investments in cybersecurity have been increasing since 2018 — and as of 2021, 26% of healthcare organizations reported allocated 7% or more of their IT budgets to cybersecurity.
Healthcare organizations know they need to make robust investments in cybersecurity and are willing to do so, but they’re having a hard time keeping up as hackers’ strategies get more and more sophisticated, Kellerman remarked.
Healthcare’s reliance on third party vendors comes with a bevy of cybersecurity risks
The fact that the Change Healthcare attack has wreaked havoc on thousands of healthcare organizations shines a light on the dangers of consolidation in the healthcare industry, according to another healthcare leader — Lee Bienstock, CEO of DocGo, which provides mobile health services.
He said that healthcare’s “rapid consolidation and a flurry of mergers” has led to increased risk for hospitals and other providers.
“This consolidation can cause more vulnerabilities across operations, and in turn, places far more patients, pharmacies, providers and doctors at risk for data loss and delays in care,” Bienstock declared.
In addition to highlighting the perils of consolidation, the Change Healthcare attack has also drawn attention to the cybersecurity risks associated with healthcare providers’ reliance on third-party vendors. In an interview last summer, John Houston, vice president of information security and privacy at UPMC, told MedCity News that the number one priority for a hospital leader in his role should be to manage third party risk.
The Change Healthcare attack “once again clearly demonstrates” that most of the cyber risk exposure that providers face originates from vulnerabilities in third party technology and service providers, said John Riggi, the AHA’s national advisory for cybersecurity and risk.
“Yet, the way HIPAA is currently written, it is very difficult for a hospital or health system to hold these third parties accountable for gaps in their cybersecurity. In this case, Change Healthcare — which is owned by one of our nation’s largest corporations, UnitedHealth Group — is so large in scope and in scale that they have become, by design or default, almost a health care ‘utility’ as it relates to mission-critical services for healthcare,” he explained.
In his view, a concentration of mission-critical services equals a concentration of risk that the entire healthcare sector is exposed to.
When those services suddenly go offline, “every hospital in the country” becomes impacted in one way or another, Riggi declared.
“We need to shift the focus from individual cybersecurity programs to national strategies,” he remarked.” If one of the five largest corporations with nearly unlimited resources to spend on highly trained staff and state-of-the-art cybersecurity systems can’t prevent a cyberattack such as this, then there is no way a hospital, of any size, should be expected to prevent an attack like this.”
Healthcare organization still don’t have reliable plans for post-attack recovery
Given the massive scale of the Change Healthcare attack, it goes without saying that the aftermath has been chaotic. Providers and pharmacies were forced to expend time and resources on manual claims processing, and many continue to face payment delays that are hurting their cash flow.
Change Healthcare’s parent company, insurance giant UnitedHealth Group, has faced widespread criticism for its handling of the attack. The American Hospital Association has been one of the biggest voices in this regard. In the organization’s March 13 letter to the Senate Finance Committee, the AHA wrote that UnitedHealth has done nothing to materially address “the chronic cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing” as a result of the attack.
The long recovery time indicates a potentially poor business continuity plan (BCP), Kellerman noted. In his eyes, every healthcare organization needs a BCP in case of a potential cybersecurity event.
“[The plan] should address business continuity in case of crisis or disaster, including backups and the ability to restore them in a timely manner. It not only means implementing a technical backup, but also alternative payment and collection routes,” he said.
Recovery has been strenuous because of the sheer number of organizations implicated in Change Healthcare’s attack. When the Department of Justice Department filed a lawsuit in 2022 to block UnitedHealth Group’s acquisition of Change Healthcare, the complaint pointed out that Change’s network spanned approximately “900,000 physicians, 118,000 dentists, 3,300 pharmacies, 5,500 hospitals and 600 laboratories.”
The cyberattack’s impact varies depending on each organization’s exposure to the various Change Healthcare solutions that were implicated in the hack, Turner of Kaufman Hall pointed out.
“Those with exposure have been hard at work building new rails to submit held claims and receive payment and remittance information,” he said. “As data and payments have begun to flow again, healthcare organizations are managing through increases in denials and challenges reconciling payments as they work to get back to a normal cash flow pattern.”
In the coming months, the aftermath of the attack will likely still cause challenges for providers, Turner noted. Depending on how long the incident lasts, it may lead to “significant liquidity challenges” at health systems, he added.
To preserve liquidity, health systems can take actions like extending accounts payable, slowing capital spending or accessing external liquidity, Turner suggested.
“Having experienced the impacts of the Change cyberattack, providers should [plan for] the potential impact of another similar event and set aside cash reserves in their investment portfolio to protect against such an incident. They should develop a plan to address their counterparty concentration risk,” he stated.
The industry needs more transparency and collaboration
In the future, there needs to be more collaboration between the private sector and government bodies to prevent massive cyberattacks like Change Healthcare’s from happening, argued Ricardo Villadiego, CEO of cybersecurity firm Lumu.
“By sharing intelligence, resources, and expertise, this collaboration will enhance overall cyber resilience for healthcare organizations,” he said. “This collaboration and cross-functional support are crucial to ensuring healthcare organizations stay resilient against pervasive cyberattacks.”
Private-public cybersecurity collaboration should center on sharing real-time threat information, conducting joint exercises and training programs, harmonizing regulations, coordinating incident response efforts and fostering global cooperation, Villadiego explained. This type of collaboration would improve the healthcare industry’s readiness and response capabilities, as well as potentially lead to the development of innovative solutions, he noted.
During an interview last month at HIMSS24 in Orlando, Erik Decker, Intermountain Health’s chief information security officer expressed similar sentiments.
“No one system operates independent of everybody else — we’re all connected in some facet or another. And there are things that we need to do better as an industry,” Decker declared.
Transparency is one of the things that the industry needs to improve. This won’t be easy, though, as there are many risks to consider, he noted.
Healthcare providers face challenges when it comes to sharing information after a cybersecurity incident — there are laws that allow impacted healthcare organizations to share intel with the federal government or other certain groups, but it’s very difficult for these organizations to share information publicly. They are worried that divulging information might lead to legal concerns, a tainted reputation or worsened cybersecurity vulnerability, Decker explained.
In the next few months, he hopes Change Healthcare will share the lessons it has learned during this process with the industry. When MedCity News asked Change Healthcare about lessons learned from the ransomware attack, a spokesperson didn’t respond with any key takeaways from this difficult event.
Instead, he shared a list of resources for affected customers and highlighted the fact that it regularly communicated with impacted parties after the cybersecurity event.
By contrast, University of Vermont Health Network is an example of an organization that has done a good job in this respect, according to Decker.
“They had suffered a ransomware attack several years ago, and they did a full tell-all and actually conducted a study related to the clinical impact the event had. That is really good transparency,” he explained. “They were a victim of an attack, and they made the corrections that they needed to make. They really led with, ‘Here’s what happened. Let’s teach everybody else.’ And so many people have benefited from that.”
Photo: Traitov, Getty Images