Original Publish Date: May 7, 2024
A devastating health care cyberattack hit Change Healthcare on February 21, 2024. By forcing the $13 billion company offline, the cyber criminals cut one of the few connections between health care providers and payers, triggering a cash crunch at medical groups, health clinics, hospitals, and pharmacies.
This cyberattack left many health care providers struggling for cash and facing serious consequences. Even now, a second ransomware group is attempting to extort Change Healthcare based on the data exfiltrated during the initial attack. The breach also brought to light the vulnerable nature of the industry’s infrastructure. As one of the largest health information exchange platforms in the US, Change Healthcare’s ransomware attack disabled providers’ ability to access the data and systems used to process prescriptions, claims, and payments, creating a trickle-down effect that significantly impacted all parties.
As entities that process and store vast amounts of valuable data, including personally identifiable information (PII) and other health information that can be used for insurance and identity fraud, health care organizations are increasingly targeted. The data is not only highly valuable, but it is necessary to provide services to patients. These two factors combined make ransomware attacks one of the biggest threats to health care organizations.
Below are some cybersecurity strategies your organization’s leaders can use to mitigate risks against cyberattacks and safeguard your digital assets and patient data.
Safeguard Your Digital Landscape
The Change Healthcare breach highlights how one key failure can cause massive disruption. Improve your organization’s cybersecurity strategy, recovery plans, and continuity capabilities by incorporating the following activities.
Review Cybersecurity Insurance
Cybersecurity insurance or a captive insurance group can provide coverage for a wide range of cybersecurity incidents. Reviewing your policy to clarify terms and covered incidents, such as cyberattacks that occur with a vendor or a vendor’s vendor, can bolster your overall security plan.
Insurance claims are typically slow to pay out, making this a less than optimal solution on its own, but knowing what is and isn’t covered can inform insurance strategies, including the use of a captive insurance company, which can reduce insurance premium costs and maximize pay-outs on claims in emergency situations.
Increase Resilience and Build Contingency Plans
To support IT and business resilience, assess your third-party vendor risks and establish backup or contingency contracts with other transaction processors to diversify your organization’s pipeline.
Also review where your organization fits in the overall processing software and systems chain. Use this holistic view to create an effective plan for outage events. The ability to fail over to another processing provider, with contracts and processes already in place, can allow operations to continue with minimal interruption.
Improve Cybersecurity Posture & Remediate Third-Party Risk
A proactive approach centered on identifying weaknesses and the areas where breaches can occur can boost your organization’s cybersecurity. Essential proactive measures include regular risk assessments, vulnerability management, incident response planning, and testing of response and recovery plans. Risk assessments should include an assessment of third-party risk, which can identify dependencies on, and potential weaknesses in, each third party.
Employee Training
Employee error remains a major factor in cybersecurity incidents that lead to breaches. Comprehensive cybersecurity training programs should involve all employees, from executives to IT staff, and include topics like:
Simulated phishing and vishing attacks to assess awareness are highly recommended, as these exercises mimic the tactics, techniques, and procedures of an attacker and help evaluate the cybersecurity maturity of your controls.
Next Steps
In the wake of the Change Healthcare attack, it’s recommended that organizations complete an IT security risk assessment at a minimum to assess potential exposure and vulnerabilities that could further impact operations.
We’re Here to Help
To learn more about how IT security risk assessments identify potential exposure, assess third-party vendor risks, and evaluate incident response, disaster recovery, and business continuity plans, contact your Moss Adams professional.