Change Healthcare Update
On February 21, 2024, Change Healthcare discovered that it was the victim of a ransomware attack and took its systems offline.
Soon after, it became clear that this was the most damaging cyberattack against the healthcare industry on record. That is saying a lot: the FBI's 2023 Internet Crime Report ranked healthcare as the critical-infrastructure sector with the most reported ransomware attacks.
Approximately 50% of all healthcare transactions in the USA pass through Change Healthcare, the clearinghouse backbone that carries claims, eligibility and payment information between providers, payers and pharmacies. So, when the ransomware attack shut down Change Healthcare's operations, the cash flow that almost every part of the U.S. healthcare industry depends on was disrupted.
Within a month, federal and state health departments told health plans to dramatically relax the policies that normally safeguard against billing fraud, because keeping cash flowing through the system had become the overwhelming priority. Military pharmacies fell back to manual, handwritten prescription processing and needed six weeks to return to normal operations. Prescription fulfillment was the most visible impact, but it was just one example of the pain felt by every type of healthcare service that could not generate invoices.
The Damage Done
On May 1, 2024, Andrew Witty, CEO of UnitedHealth Group (Change Healthcare's parent company), testified before Congress. The damage described during the hearings was stunning.
- To keep providers solvent, UnitedHealth had already advanced $6.5 billion to healthcare providers, another $14.5 billion in requests was being processed, and the total uncollected revenue pushing hospitals and other providers toward collapse was estimated to be "multiples higher" than what these loans covered.
- Change Healthcare held protected health information for 211 million unique patients, but UnitedHealth cannot say for sure how much of that data is now in the hands of criminals. It may never be known exactly how many people were exposed and may be targeted by criminals who bought the data on the black market.
- UnitedHealth paid a $22 million ransom to the BlackCat/ALPHV ransomware group, but the payment was only the beginning of the recovery process, and it did not guarantee that the stolen data was deleted: a second extortion group later surfaced claiming to hold the same data. Reconnecting thousands of providers was slow and difficult, and even now the webpage providing information about the crisis is updated frequently.
More broadly, the damage keeps growing because UnitedHealth's $22 million payment is widely believed to have encouraged a sharp increase in attacks against the healthcare industry. Adding insult to injury, the "assurance" documentation that providers and payers require before they will reconnect to a breached partner has become a critical pain point. Long after the ransom is paid, the effort to put the ecosystem back together takes a human and financial toll that is brutal on the organization.
The Lessons Learned
The industry is feeling a lot of pain but there is no reason to feel helpless.
In front of Congress, the CEO of UnitedHealth explained that BlackCat got into Change Healthcare's systems by using stolen credentials to log in to a remote-access portal (a Citrix portal) that did not have multi-factor authentication enabled. The attackers had nine days inside the network, from February 12 until the ransomware was deployed on February 21, to move laterally and exfiltrate data. That was frustrating to hear, because MFA on every remote-access and administrative login is one of the most basic cybersecurity best practices, and one that IT professionals emphasize constantly. The lesson is not just "turn on MFA" but "turn it on everywhere": a single externally reachable login path without it is enough.
The hard lesson is that criminals have many weak points to attack because the healthcare industry is still running obsolete equipment, software and security systems. In his testimony to Congress, CEO Andrew Witty shared this insight:
“What we saw in Change Healthcare…was an older company [that] had older legacy technologies. But I think it is very typical of many small-to-medium-sized organizations in our healthcare environment. And therefore, inevitably, there’s going to be a lot of work to be done to upgrade those standards.”
The reason to be optimistic is that the best practices work. The criminals are not attacking with superpowers that we don't understand; they are exploiting gaps that are well known and fixable. Any healthcare company can go through an assessment with a strong managed IT partner and come away with a plan that works.
There are six essential best practices that every healthcare provider should implement. Taken together, the costs are manageable while the benefits are critical. This is what you need:
- Multi-factor authentication (MFA) on every remote-access, email and administrative login, not just some servers
- Strong passwords and least-privilege user permissions, so one stolen credential cannot reach everything
- Security awareness training, so staff recognize the phishing and credential theft that start most attacks
- Vulnerability scanning and remediation, with a schedule for patching or retiring legacy systems
- Endpoint detection and response (EDR), so lateral movement and data exfiltration are spotted before ransomware is deployed
- Incident response planning, including tested backups and a plan for how partners will be reconnected and reassured afterward
Developing a custom implementation plan that fits your business is a sophisticated project, but a strong IT advisor is more than capable of the challenge. The further behind you are, the more expensive and disruptive implementing the plan will be; once the plan is in place, the ongoing investment is manageable. Given the clear and present danger, nobody in the healthcare industry can afford the cost of procrastination.
Electronic Office always treats questions about cybersecurity seriously, whether or not you are one of our clients. If you have immediate concerns or need advice about the six best practices, do not hesitate to contact us.