What We Can Learn From the Change Healthcare Hack – The Health Care Blog

On February 21, Change Healthcare — the largest medical clearinghouse in the U.S. — suffered a ransomware attack, forcing it to take over 100 systems offline. Many of its electronic services remained down for weeks, with full restoration taking until early April.

A week after the attack, the infamous ransomware-as-a-service gang BlackCat claimed responsibility. BlackCat was also responsible for 2021’s Colonial Pipeline shutdown and several attacks on health care organizations throughout 2023. This latest act against Change Healthcare, however, stands as one of its most disruptive yet.

Because Change and its parent company — UnitedHealth Group (UHG) — are such central industry players, the hack had industry-wide ripple effects. A staggering 94% of U.S. hospitals suffered financial consequences from the incident and 74% experienced a direct impact on patient care. Change’s services affect one in every three patient records, so the massive outage created a snowball effect of disruptions, delays and losses.

Most of Change’s pharmacy and electronic payment services came back online by March 15. As of early April, nearly everything is running again, but the financial fallout continues for many enterprises reliant on UHG, thanks to substantial backlogs.

Considering the Change Healthcare cyberattack affected almost the entire medical sector, it has significant implications. Even the few medical groups untouched by the hack should consider what it means for the future of health care security.

It’s difficult to ignore that an attack on a single entity impacted almost all hospitals in the U.S. This massive ripple effect highlights how no business in this industry is a self-contained unit. Third-party vulnerabilities affect everyone, so due diligence and thoughtful access restrictions are essential.

While the Change Healthcare hack is an extreme example, it’s not the first time the medical sector has seen large third-party breaches. In 2021, the Red Cross experienced a breach of over 515,000 patient records when attackers targeted its data storage partner.

Health care enterprises rely on multiple external services and each of these connections represents another vulnerability the company has little control over. In light of that risk, it must be more selective about who it does business with. Even with trusted partners like UHG, brands must restrict data access privileges as much as possible and demand high security standards.

Relatedly, this attack reveals how centralized the industry has become. Not only are third-party dependencies common, but many organizations depend on the same third parties. That centralization makes these vulnerabilities exponentially more dangerous, as one attack can affect the whole sector.

The health care industry must move past these single points of failure. Some external dependencies are inevitable, but medical groups should avoid them wherever possible. Splitting tasks between multiple vendors may be necessary to reduce the impact of a single breach.

Regulatory changes may support this shift. During a Congressional hearing on the incident, some lawmakers expressed concerns over consolidation in the health care industry and the cyber risks it poses. This growing sentiment could lead to a sector-wide reorganization, but in the meantime, private companies should take the initiative to move away from large centralized dependencies where they can.

Health care organizations should also take note of the length and cost of UHG’s response timeline. It took weeks to restore the downed systems, even after reportedly paying a $22 million ransom to recover the stolen data. That’s far too long.

As the ransomware threat grows, businesses in this industry must create emergency response plans. That includes preserving secure, offline backups of all sensitive data and ensuring data center redundancy for mission-critical services. Detailed communication protocols and a step-by-step guide for recovering from an attack are also crucial.

Without an extensive backup and recovery plan, enterprises will end up in a situation like Change Healthcare. Ransomware is too common and disruptive to assume the worst will never happen. Health care companies need plans A, B and C to minimize the damage when these attacks occur.

The Change Healthcare ransomware attack also highlights the need for proactive security. While the exact cause of the breach is unclear, BlackCat typically targets vulnerabilities in Remote Desktop Protocol or ConnectWise ScreenConnect. Both of these have patches available, so proactive vulnerability management could stop many attacks.

Vulnerabilities can arise in many areas of health care, so detailed penetration testing and automated assessments are necessary to cover enough ground. Automating updates is similarly important, as attackers move quickly in this sector.

Medical groups must also emphasize employee training. Errors are some of the most persistent threats in this industry, with 36% of data breaches stemming from misdelivery alone. Automating as much as possible and thorough cybersecurity training for all staff will minimize these risks.

If the health care sector doesn’t take anything else away from this incident, it should learn no organization is safe. UHG is one of the industry’s largest forces and still fell victim to an attack. Similar incidents can certainly affect smaller companies with tighter security budgets if they can cause so much damage to UHG.

It’s not necessarily a matter of cybersecurity spending. Historically, security has accounted for just 6% of medical IT budgets, but more than half of health care organizations planned to increase their cybersecurity budgets in 2023. This trend will likely continue into 2024 and beyond, too. That growth is important, but the Change breach shows money alone won’t stop cybercriminals.

Investing in advanced security solutions is crucial. However, brands must not become complacent just because they have relatively high cybersecurity budgets. Constant vigilance and emergency recovery planning are still necessary.

As health care digitization rises, hospitals and their partner organizations will become increasingly popular targets for ransomware gangs. This latest incident should serve as a wake-up call to this issue. Security approaches in the sector must change.

The road ahead is long and difficult. However, taking on this responsibility now can save businesses from substantial losses.

Zac Amos covers the roles of cybersecurity and AI in healthcare as the Features Editor at ReHack and a contributor at VentureBeat, The Journal of mHealth, and Healthcare Weekly.