By ZACHARY AMOS
The well being care sector isn’t any stranger to cyberattacks. Nonetheless, massive incidents just like the February 2024 ransomware assault on Change Healthcare are sufficient to shake up the {industry}. Within the wake of such a large breach, medical organizations of all sorts and sizes ought to take the chance to assessment their safety postures.
What Occurred within the Change Healthcare Cyberattack
On February 21, Change Healthcare — the largest medical clearinghouse within the U.S. — suffered a ransomware assault, forcing it to take over 100 programs offline. A lot of its digital providers remained down for weeks, with full restoration taking till early April.
Every week after the assault, the notorious ransomware-as-a-service gang BlackCat claimed accountability. BlackCat was additionally chargeable for 2021’s Colonial Pipeline shutdown and a number of other assaults on well being care organizations all through 2023. This newest act in opposition to Change Healthcare, nonetheless, stands as one in every of its most disruptive but.
As a result of Change and its mother or father firm — UnitedHealth Group (UHG) — are such central {industry} gamers, the hack had industry-wide ripple results. A staggering 94% of U.S. hospitals suffered monetary penalties from the incident and 74% skilled a direct impression on affected person care. Change’s providers have an effect on one in each three affected person data, so the huge outage created a snowball impact of disruptions, delays and losses.
Most of Change’s pharmacy and digital cost providers got here again on-line by March 15. As of early April, almost all the things is operating once more, however the monetary fallout continues for a lot of enterprises reliant on UHG, because of substantial backlogs.
What It Means for the Broader Well being Care Sector
Contemplating the Change Healthcare cyberattack affected nearly the complete medical sector, it has vital implications. Even the few medical teams untouched by the hack ought to contemplate what it means for the way forward for well being care safety.
1. No Group Is an Island
It’s troublesome to disregard that an assault on a single entity impacted nearly all hospitals within the U.S. This large ripple impact highlights how no enterprise on this {industry} is a self-contained unit. Third-party vulnerabilities have an effect on everybody, so due diligence and considerate entry restrictions are important.
Whereas the Change Healthcare hack is an excessive instance, it’s not the primary time the medical sector has seen massive third-party breaches. In 2021, the Purple Cross skilled a breach of over 515,000 patient records when attackers focused its knowledge storage accomplice.
Well being care enterprises depend on a number of exterior providers and every of those connections represents one other vulnerability the corporate has little management over. In mild of that threat, it have to be extra selective about who it does enterprise with. Even with trusted companions like UHG, manufacturers should limit knowledge entry privileges as a lot as potential and demand excessive safety requirements.
2. Centralization Makes the Business Susceptible
Relatedly, this assault reveals how centralized the {industry} has change into. Not solely are third-party dependencies frequent, however many organizations rely upon the identical third events. That centralization makes these vulnerabilities exponentially extra harmful, as one assault can have an effect on the entire sector.
The well being care {industry} should transfer previous these single factors of failure. Some exterior dependencies are inevitable, however medical teams ought to keep away from them wherever potential. Splitting duties between a number of distributors could also be mandatory to scale back the impression of a single breach.
Regulatory adjustments could assist this shift. Throughout a Congressional listening to on the incident, some lawmakers expressed concerns over consolidation within the well being care {industry} and the cyber dangers it poses. This rising sentiment might result in a sector-wide reorganization, however within the meantime, non-public corporations ought to take the initiative to maneuver away from massive centralized dependencies the place they’ll.
3. Well being Care Companies Want Dependable Response Plans
Well being care organizations also needs to be aware of the size and value of UHG’s response timeline. It took weeks to revive the downed programs, even after reportedly paying a $22 million ransom to recuperate the stolen knowledge. That’s far too lengthy.
Because the ransomware menace grows, companies on this {industry} should create emergency response plans. That features preserving safe, offline backups of all delicate knowledge and guaranteeing knowledge middle redundancy for mission-critical providers. Detailed communication protocols and a step-by-step information for recovering from an assault are additionally essential.
With out an in depth backup and restoration plan, enterprises will find yourself in a state of affairs like Change Healthcare. Ransomware is just too frequent and disruptive to imagine the worst won’t ever occur. Well being care corporations want plans A, B and C to reduce the injury when these assaults happen.
4. Well being Care Cybersecurity Should Be Extra Proactive
The Change Healthcare ransomware assault additionally highlights the necessity for proactive safety. Whereas the precise reason for the breach is unclear, BlackCat usually targets vulnerabilities in Distant Desktop Protocol or ConnectWise ScreenConnect. Each of those have patches obtainable, so proactive vulnerability administration might cease many assaults.
Vulnerabilities can come up in lots of areas of well being care, so detailed penetration testing and automatic assessments are essential to cowl sufficient floor. Automating updates is equally necessary, as attackers transfer shortly on this sector.
Medical teams should additionally emphasize worker coaching. Errors are a few of the most persistent threats on this {industry}, with 36% of data breaches stemming from misdelivery alone. Automating as a lot as potential and thorough cybersecurity coaching for all employees will decrease these dangers.
5. No One Is Protected
If the well being care sector doesn’t take anything away from this incident, it ought to be taught no group is protected. UHG is among the {industry}’s largest forces and nonetheless fell sufferer to an assault. Related incidents can definitely have an effect on smaller corporations with tighter safety budgets if they’ll trigger a lot injury to UHG.
It’s not essentially a matter of cybersecurity spending. Traditionally, safety has accounted for simply 6% of medical IT budgets, however greater than half of well being care organizations deliberate to extend their cybersecurity budgets in 2023. This development will possible proceed into 2024 and past, too. That development is necessary, however the Change breach reveals cash alone received’t cease cybercriminals.
Investing in superior safety options is essential. Nonetheless, manufacturers should not change into complacent simply because they’ve comparatively excessive cybersecurity budgets. Fixed vigilance and emergency restoration planning are nonetheless mandatory.
The Change Healthcare Hack Highlights the Want for Change
As well being care digitization rises, hospitals and their accomplice organizations will change into more and more widespread targets for ransomware gangs. This newest incident ought to function a wake-up name to this difficulty. Safety approaches within the sector should change.
The street forward is lengthy and troublesome. Nonetheless, taking up this accountability now can save companies from substantial losses.
Zac Amos covers the roles of cybersecurity and AI in healthcare because the Options Editor at ReHack and a contributor at VentureBeat, The Journal of mHealth, and Healthcare Weekly.
