Six weeks have passed since Change Healthcare discovered it was hit by a cyberattack.
The Nashville-based company, part of UnitedHealth Group’s Optum division, is the nation’s largest claims and prescription processor, handling 15 billion transactions per year and touching one in every three patient records. The fallout of the cyberattack remains messy — thousands of providers across the country still face payment delays and claims submission disruptions.
Healthcare industry leaders believe there is much to learn from a cybersecurity incident of this size, and they hope the sector can use these lessons to prevent a hack like this from ever happening again. This article explores cybersecurity experts’ main takeaways from the event and its aftermath.
It’s not an under-investment problem
More than 133 million patient records were breached last year, marking a 156% increase in related breaches from 2022. This begs the question: Why is the healthcare sector so vulnerable to cyberattacks — do healthcare organizations not invest enough in cybersecurity?
Experts don’t believe this is the case.
“It isn’t a lack of investment in cybersecurity that’s the issue,” said Robert Turner, managing director and practice leader for treasury and capital markets at Kaufman Hall. “It’s the attractiveness to cybercriminals of the information that healthcare organizations must maintain that makes the sector vulnerable to attack.”
Healthcare data is particularly appealing to cybercriminals because of its comprehensive nature and enduring value. Unlike banking data — which can quickly become obsolete through account freezes or password changes — healthcare data encompasses a wealth of personal information, including personal medical histories, social security numbers and insurance details. This information can be exploited for various nefarious activities, such as insurance fraud or identity theft.
Healthcare organizations “have long been responsible” for protecting patient information — and, since HIPAA was enacted in the late 1990s, they’ve faced significant fines if they fail to do so, he pointed out. So protecting patient information is built into the DNA of the healthcare ecosystem.
David Kellerman, field chief technology officer at cybersecurity company Cymulate, agreed that cybersecurity underinvestment isn’t the problem when it comes to the healthcare industry’s susceptibility to data breaches.
In his view, most healthcare organizations take cybersecurity seriously — but oftentimes, they still get hurt because of how badly cybercriminals want to go after the sector. Like Turner, he emphasized that healthcare is an extremely attractive target for hackers because of its large-scale, interdependent systems, heavy reliance on technology and the critical nature of the data it handles.
Hackers are also enticed by the potential for disruptions in patient care and safety, Kellerman noted. The level of chaos and disruption associated with completing a successful cyberattack is an exciting feat that many cybercriminals are after, he said.
“This means that attackers will work extra hard to be successful and security teams need to be more aggressive than most when it comes to challenging their own setups with offensive testing. Traditional security control investments — despite costing millions in controls, systems and staffing — often leave gaps in the form of misconfigurations and insufficient protocols,” Kellerman explained.
Additionally, healthcare security teams are usually overwhelmed with huge lists of potential issues, so they can’t easily identify the practical risks in a “pile of theoretical vulnerabilities,” he pointed out.
Every healthcare organization faces a wide array of potential weaknesses and security flaws that may exist within their systems and networks — such as vulnerable medical devices, unencrypted data transmission or outdated software. They often identify these vulnerabilities through cybersecurity tools like security assessments or penetration testing. However, due to the sheer volume of these possible vulnerabilities, it can be difficult for healthcare cybersecurity teams to prioritize which weaknesses pose the most practical and immediate risk to the organization’s security posture, according to Kellerman.
In the past, healthcare organizations rarely spent more than 6% of their IT budgets on cybersecurity, according to research from HIMSS. However, investments in cybersecurity have been increasing since 2018 — and as of 2021, 26% of healthcare organizations reported allocating 7% or more of their IT budgets to cybersecurity.
Healthcare organizations know they need to make strong investments in cybersecurity and are willing to do so, but they’re having a hard time keeping up as hackers’ methods get more and more sophisticated, Kellerman remarked.
Healthcare’s reliance on third-party vendors comes with a bevy of cybersecurity risks
The fact that the Change Healthcare attack has wreaked havoc on thousands of healthcare organizations shines a light on the dangers of consolidation in the healthcare industry, according to another healthcare leader — Lee Bienstock, CEO of DocGo, which provides mobile health services.
He said that healthcare’s “rapid consolidation and a flurry of mergers” has led to increased risk for hospitals and other providers.
“This consolidation can cause more vulnerabilities across operations, and in turn, places far more patients, pharmacies, providers and doctors at risk for data loss and delays in care,” Bienstock declared.
In addition to highlighting the perils of consolidation, the Change Healthcare attack has also drawn attention to the cybersecurity risks associated with healthcare providers’ reliance on third-party vendors. In an interview last summer, John Houston, vice president of information security and privacy at UPMC, told MedCity News that the main priority for a hospital leader in his role should be to manage third-party risk.
The Change Healthcare attack “once again clearly demonstrates” that most of the cyber risk exposure that providers face originates from vulnerabilities in third-party technology and service providers, said John Riggi, the AHA’s national advisor for cybersecurity and risk.
“Yet, the way HIPAA is currently written, it is very difficult for a hospital or health system to hold these third parties accountable for gaps in their cybersecurity. In this case, Change Healthcare — which is owned by one of our nation’s largest corporations, UnitedHealth Group — is so large in scope and in scale that they’ve become, by design or default, almost a health care ‘utility’ as it relates to mission-critical services for healthcare,” he explained.
In his view, a concentration of mission-critical services equals a concentration of risk that the entire healthcare sector is exposed to.
When these services suddenly go offline, “every hospital in the nation” becomes impacted in one way or another, Riggi declared.
“We need to shift the focus from individual cybersecurity programs to national strategies,” he remarked. “If one of the five largest corporations with nearly unlimited resources to spend on highly trained staff and state-of-the-art cybersecurity systems can’t prevent a cyberattack such as this, then there is no way a hospital, of any size, should be expected to prevent an attack like this.”
Healthcare organizations still don’t have reliable plans for post-attack recovery
Given the massive scale of the Change Healthcare attack, it goes without saying that the aftermath has been chaotic. Providers and pharmacies have been forced to expend time and resources on manual claims processing, and many continue to face payment delays that are hurting their cash flow.
Change Healthcare’s parent company, insurance giant UnitedHealth Group, has faced widespread criticism for its handling of the attack. The American Hospital Association has been one of the biggest voices in this regard. In the group’s March 13 letter to the Senate Finance Committee, the AHA wrote that UnitedHealth has done nothing to materially address “the current cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing” as a result of the attack.
The long recovery time indicates a potentially poor business continuity plan (BCP), Kellerman noted. In his eyes, every healthcare organization needs a BCP in case of a potential cybersecurity event.
“[The plan] should address business continuity in case of crisis or disaster, including backups and the ability to restore them in a timely manner. It not only means implementing a technical backup, but also alternative payment and collection routes,” he said.
Recovery has been strenuous because of the sheer number of organizations implicated in Change Healthcare’s attack. When the Department of Justice filed a lawsuit in 2022 to block UnitedHealth Group’s acquisition of Change Healthcare, the complaint pointed out that Change’s network spanned roughly “900,000 physicians, 118,000 dentists, 3,300 pharmacies, 5,500 hospitals and 600 laboratories.”
The cyberattack’s impact varies depending on each organization’s exposure to the various Change Healthcare solutions that were implicated in the hack, Turner of Kaufman Hall pointed out.
“Those with exposure have been hard at work building new rails to submit held claims and receive payment and remittance information,” he said. “As data and payments have begun to flow again, healthcare organizations are managing through increases in denials and challenges reconciling payments as they work to get back to a normal cash flow pattern.”
In the coming months, the aftermath of the attack will likely still cause challenges for providers, Turner noted. Depending on how long the incident lasts, it could lead to “significant liquidity challenges” at health systems, he added.
To preserve liquidity, health systems can take actions like extending accounts payable, slowing capital spending or accessing external liquidity, Turner suggested.
“Having experienced the impacts of the Change cyberattack, providers should [plan for] the potential impact of another similar event and set aside cash reserves in their investment portfolio to protect against such an incident. They should develop a plan to address their counterparty concentration risk,” he stated.
The industry needs more transparency and collaboration
In the future, there needs to be more collaboration between the private sector and government bodies to prevent massive cyberattacks like Change Healthcare’s from happening, argued Ricardo Villadiego, CEO of cybersecurity firm Lumu.
“By sharing intelligence, resources, and expertise, this collaboration will enhance overall cyber resilience for healthcare organizations,” he said. “This collaboration and cross-functional support are critical to ensuring healthcare organizations remain resilient against pervasive cyberattacks.”
Private-public cybersecurity collaboration should center on sharing real-time threat information, conducting joint exercises and training programs, harmonizing regulations, coordinating incident response efforts and fostering global cooperation, Villadiego explained. Such collaboration would improve the healthcare industry’s readiness and response capabilities, as well as potentially lead to the development of innovative solutions, he noted.
During an interview last month at HIMSS24 in Orlando, Erik Decker, Intermountain Health’s chief information security officer, expressed similar sentiments.
“No one system operates independent of everybody else — we’re all connected in some aspect or another. And there are things that we need to do better as an industry,” Decker declared.
Transparency is one of the things that the industry needs to improve. This won’t be easy, though, as there are many risks to consider, he noted.
Healthcare providers face challenges when it comes to sharing information after a cybersecurity incident — there are laws that allow impacted healthcare organizations to share intel with the federal government or certain other groups, but it’s very difficult for these organizations to share information publicly. They’re worried that divulging information could lead to legal problems, a tainted reputation or worsened cybersecurity vulnerability, Decker explained.
In the next few months, he hopes Change Healthcare will share the lessons it has learned during this process with the industry. When MedCity News asked Change Healthcare about lessons learned from the ransomware attack, a spokesperson didn’t respond with any key takeaways from this difficult event.
Instead, he shared a list of resources for affected customers and highlighted the fact that it regularly communicated with impacted parties after the cybersecurity event.
In contrast, University of Vermont Health Network is an example of an organization that has done a good job in this respect, according to Decker.
“They had suffered a ransomware attack a few years ago, and they did a full tell-all and actually conducted a study related to the clinical impact the event had. That’s really good transparency,” he explained. “They were a victim of an attack, and they made the corrections that they needed to make. They really led with, ‘Here’s what happened. Let’s educate everybody else.’ And so many people have benefited from that.”
Photo: Traitov, Getty Images