By ZACHARY AMOS
The well being care sector isn’t any stranger to cyberattacks. Still, giant incidents like the February 2024 ransomware assault on Change Healthcare are sufficient to shake up the {industry}. In the wake of such a large breach, medical organizations of every kind and sizes ought to take the alternative to evaluate their safety postures.
What Happened in the Change Healthcare Cyberattack
On February 21, Change Healthcare — the largest medical clearinghouse in the U.S. — suffered a ransomware assault, forcing it to take over 100 methods offline. Many of its digital providers remained down for weeks, with full restoration taking till early April.
Every week after the assault, the notorious ransomware-as-a-service gang BlackCat claimed accountability. BlackCat was additionally liable for 2021’s Colonial Pipeline shutdown and several other assaults on well being care organizations all through 2023. This newest act in opposition to Change Healthcare, nevertheless, stands as certainly one of its most disruptive but.
Because Change and its dad or mum firm — UnitedHealth Group (UHG) — are such central {industry} gamers, the hack had industry-wide ripple results. A staggering 94% of U.S. hospitals suffered monetary penalties from the incident and 74% skilled a direct influence on affected person care. Change’s providers have an effect on one in each three affected person data, so the huge outage created a snowball impact of disruptions, delays and losses.
Most of Change’s pharmacy and digital cost providers got here again on-line by March 15. As of early April, practically all the things is working once more, however the monetary fallout continues for a lot of enterprises reliant on UHG, due to substantial backlogs.
What It Means for the Broader Health Care Sector
Considering the Change Healthcare cyberattack affected virtually the complete medical sector, it has important implications. Even the few medical teams untouched by the hack ought to take into account what it means for the way forward for well being care safety.
1. No Organization Is an Island
It’s tough to disregard that an assault on a single entity impacted virtually all hospitals in the U.S. This huge ripple impact highlights how no enterprise on this {industry} is a self-contained unit. Third-party vulnerabilities have an effect on everybody, so due diligence and considerate entry restrictions are important.
While the Change Healthcare hack is an excessive instance, it’s not the first time the medical sector has seen giant third-party breaches. In 2021, the Red Cross skilled a breach of over 515,000 affected person data when attackers focused its knowledge storage associate.
Health care enterprises depend on a number of exterior providers and every of those connections represents one other vulnerability the firm has little management over. In mild of that threat, it have to be extra selective about who it does enterprise with. Even with trusted companions like UHG, manufacturers should limit knowledge entry privileges as a lot as attainable and demand excessive safety requirements.
2. Centralization Makes the Industry Vulnerable
Relatedly, this assault reveals how centralized the {industry} has grow to be. Not solely are third-party dependencies frequent, however many organizations rely upon the identical third events. That centralization makes these vulnerabilities exponentially extra harmful, as one assault can have an effect on the complete sector.
The well being care {industry} should transfer previous these single factors of failure. Some exterior dependencies are inevitable, however medical teams ought to keep away from them wherever attainable. Splitting duties between a number of distributors could also be essential to scale back the influence of a single breach.
Regulatory adjustments could help this shift. During a Congressional listening to on the incident, some lawmakers expressed considerations over consolidation in the well being care {industry} and the cyber dangers it poses. This rising sentiment may result in a sector-wide reorganization, however in the meantime, personal firms ought to take the initiative to maneuver away from giant centralized dependencies the place they will.
3. Health Care Businesses Need Reliable Response Plans
Health care organizations also needs to pay attention to the size and value of UHG’s response timeline. It took weeks to revive the downed methods, even after reportedly paying a $22 million ransom to get well the stolen knowledge. That’s far too lengthy.
As the ransomware menace grows, companies on this {industry} should create emergency response plans. That consists of preserving safe, offline backups of all delicate knowledge and guaranteeing knowledge middle redundancy for mission-critical providers. Detailed communication protocols and a step-by-step information for recovering from an assault are additionally essential.
Without an in depth backup and restoration plan, enterprises will find yourself in a state of affairs like Change Healthcare. Ransomware is just too frequent and disruptive to imagine the worst won’t ever occur. Health care firms want plans A, B and C to attenuate the harm when these assaults happen.
4. Health Care Cybersecurity Must Be More Proactive
The Change Healthcare ransomware assault additionally highlights the want for proactive safety. While the precise explanation for the breach is unclear, BlackCat sometimes targets vulnerabilities in Remote Desktop Protocol or ConnectWise ScreenConnect. Both of those have patches obtainable, so proactive vulnerability administration may cease many assaults.
Vulnerabilities can come up in lots of areas of well being care, so detailed penetration testing and automatic assessments are essential to cowl sufficient floor. Automating updates is equally essential, as attackers transfer rapidly on this sector.
Medical teams should additionally emphasize worker coaching. Errors are a few of the most persistent threats on this {industry}, with 36% of information breaches stemming from misdelivery alone. Automating as a lot as attainable and thorough cybersecurity coaching for all employees will reduce these dangers.
5. No One Is Safe
If the well being care sector doesn’t take anything away from this incident, it ought to study no group is secure. UHG is certainly one of the {industry}’s largest forces and nonetheless fell sufferer to an assault. Similar incidents can actually have an effect on smaller firms with tighter safety budgets if they will trigger a lot harm to UHG.
It’s not essentially a matter of cybersecurity spending. Historically, safety has accounted for simply 6% of medical IT budgets, however greater than half of well being care organizations deliberate to extend their cybersecurity budgets in 2023. This pattern will doubtless proceed into 2024 and past, too. That progress is essential, however the Change breach exhibits cash alone gained’t cease cybercriminals.
Investing in superior safety options is essential. However, manufacturers should not grow to be complacent simply because they’ve comparatively excessive cybersecurity budgets. Constant vigilance and emergency restoration planning are nonetheless essential.
The Change Healthcare Hack Highlights the Need for Change
As well being care digitization rises, hospitals and their associate organizations will grow to be more and more well-liked targets for ransomware gangs. This newest incident ought to function a wake-up name to this subject. Security approaches in the sector should change.
The street forward is lengthy and tough. However, taking up this accountability now can save companies from substantial losses.
Zac Amos covers the roles of cybersecurity and AI in healthcare as the Features Editor at ReHack and a contributor at EnterpriseBeat, The Journal of mHealth, and Healthcare Weekly.