By ZACHARY AMOS
The healthcare sector is no stranger to cyber attacks. However, a major incident like the February 2024 ransomware attack on Change Healthcare is enough to shake the industry. In the wake of such a major breach, medical organizations of all types and sizes should take the opportunity to review their security posture.
What Happened in the Change Healthcare Cyber Attack
On February 21, Change Healthcare, the largest medical clearinghouse in the US, suffered a ransomware attack, forcing it to take more than 100 systems offline. Many electronic services remained down for several weeks, with full recovery not coming until early April.
A week after the attack, ransomware-as-a-service gang BlackCat claimed responsibility. BlackCat is also responsible for the 2021 Colonial Pipeline shutdown and several attacks on healthcare organizations throughout 2023. However, this latest action against Change Healthcare is one of the most disturbing.
Because Change and its parent company, UnitedHealth Group (UHG), are central industry players, the hack had a ripple effect throughout the industry. A staggering 94% of US hospitals experienced financial consequences from the incident and 74% experienced a direct impact on patient care. Change's services touch one in three patient records, so a major outage causes disruption, delays and losses.
Most of Change's pharmacy and electronic payment services were back online on March 15. In early April, almost everything was running again, but the financial fallout continues for many companies that depend on UHG because of the large backlogs.
What It Means for the Broader Healthcare Sector
Because the Change Healthcare cyber attack affected almost the entire medical sector, it has significant implications. Even medical groups that have not been hacked should consider what this means for the future of health care security.
1. No Organization Is an Island
It is difficult to ignore that an attack on one entity impacted almost all hospitals in the US. This massive ripple effect highlights how no business in this industry is a self-contained unit. Third-party vulnerabilities affect everyone, so organizations should exercise care with third parties and consider access restrictions.
While the Change Healthcare hack is an extreme example, it’s not the first time the medical sector has seen a major third-party breach. In 2021, the Red Cross experienced a breach of more than 515,000 patient records when attackers targeted data storage partners.
Healthcare companies depend on a variety of external services, and each of these connections presents another vulnerability that the company cannot control. In light of that risk, they should be more selective about who they do business with. Even with trusted partners like UHG, brands must limit data access privileges as much as possible and demand high security standards.
2. Centralization Makes the Industry Vulnerable
Relatedly, this attack shows how centralized the industry has become. Not only is third-party dependency common, but many organizations depend on the same third party. This centralization makes these vulnerabilities exponentially more dangerous, as one attack can affect the entire sector.
The health care industry needs to move past these single points of failure. Some external dependencies are unavoidable, but medical groups should avoid them whenever possible. Separation of duties among multiple vendors may be necessary to reduce the impact of a single breach.
Regulatory changes can support this shift. During a Congressional hearing on the incident, several lawmakers expressed concern about consolidation in the health care industry and the cyber risks it poses. This growing sentiment may lead to sector-wide reorganization, but in the meantime, private companies must take the initiative to move away from whatever large centralized dependencies they can.
3. Healthcare Businesses Need a Trusted Response Plan
Health care organizations should also take note of the length and cost of UHG's response timeline. It took weeks to restore the downed systems, despite the company reportedly paying a $22 million ransom to recover the stolen data. That's too long.
As the threat of ransomware increases, businesses in this industry need to create emergency response plans. That includes keeping secure, offline backups of all sensitive data and ensuring data center redundancy for mission-critical services. Detailed communication protocols and step-by-step instructions for recovering from an attack are also important.
Without an extensive backup and recovery plan, companies will find themselves in situations like Change Healthcare's. Ransomware is too common and disruptive to assume the worst will never happen. Healthcare companies need plans A, B and C to mitigate the damage when an attack occurs.
4. Healthcare Cybersecurity Must Be More Proactive
The Change Healthcare ransomware attack also highlights the need for proactive security. While the cause of the breach is unclear, BlackCat typically targets vulnerabilities in Remote Desktop Protocol or ConnectWise ScreenConnect. Both have patches available, so proactive vulnerability management can stop most attacks.
Vulnerabilities can arise in many areas of healthcare, so detailed penetration testing and automated assessments are needed to cover enough ground. Automatic updates are also important, as attackers move quickly in this sector.
Medical groups should also emphasize employee training. Mistakes are some of the most persistent threats in this industry, with 36% of data breaches due to mistransmission alone. Automating as much as possible and providing thorough cybersecurity training for all staff will minimize these risks.
5. No One Is Safe
If the health care sector does not act on this incident, no organization will be safe. UHG is one of the biggest forces in the industry and still fell victim to an attack. If attackers could cause UHG this damage, a similar incident could certainly affect smaller companies with tighter security budgets.
It is not always a cybersecurity spending issue. Historically, security accounted for only 6% of medical IT budgets, but more than half of healthcare organizations planned to increase their cybersecurity budgets in 2023. This trend is also expected to continue through 2024 and beyond. The growth is significant, but the Change breach shows money alone won't stop cybercriminals.
Investing in advanced security solutions is essential. However, brands should not be satisfied just because they have relatively high cyber security budgets. Constant vigilance and emergency recovery planning are still required.
The Change Healthcare Hack Highlights the Need for Change
As the digitalization of healthcare increases, hospitals and partner organizations will become popular targets for ransomware gangs. This latest incident should be a wake-up call to this issue. The approach to security in the sector needs to change.
The road ahead is long and difficult. However, taking this responsibility now can save your business from huge losses.
Zac Amos covers the role of cybersecurity and AI in healthcare as a Features Editor at ReHack and a contributor to VentureBeat, The Journal of mHealth, and Healthcare Weekly.