Perspective from Andrew Limouris, President & CEO, Medix
In the early hours of February 21, 2024, when employees of healthcare technology provider Change Healthcare noticed connectivity issues, it’s doubtful that anyone suspected a massive cyberattack as the cause.
As IT teams found applications to be inaccessible and troubleshooting attempts were failing, efforts were undertaken to see how deep the damage ran and through how many spidery channels.
Richard J. Pollack, president and CEO of the American Hospital AssociationTM, called the attack ”unprecedented.” He added that the breach “imposed significant consequences on hospitals and the communities they serve.” Pollack made these remarks in a February 26 letter to Xavier Becerra, secretary of the U.S. Department of Health and Human Services (HHS).
Pollack warned of the potential need for “immediate federal support.” He requested that HHS continue to help ensure transparency in Change Healthcare’s provider updates, that it assist providers seeking advanced and accelerated Medicare payments, and that it provide public education.
Practically Limitless Potential for Harm
Seized caches of Social Security numbers, birthdates, driver’s license numbers, health records, and the like give hackers an opportunity for further crimes including fraud and identity theft.
In the case of a recent data breach at genetic testing company 23andMe, fears included personal attacks and physical harm. At least some of the data stolen singled out Chinese and Jewish customers, sparking worries that extremist groups might use the data to target Jews and that Chinese intelligence agencies would commandeer it as a tool for pursuing dissidents.
Anatomy of an “Unprecedented Attack”
The Change Healthcare cyberattack caused extensive disruptions to U.S. health systems and pharmacies. According to the hackers, a group identifying itself as ALPHV/Blackcat, data seized included Social Security numbers and medical records from Change Healthcare client giants such as CVS, Medicare, and Tricare.
Delays and deadends were widespread, and certain system shutdowns were made to prevent further damage. Gut punches to Change Healthcare included loss of administrative and financial operations, blocked Medicare payments, compromised clinical decisions, and the inability to verify patient insurance coverage. Additional threats included salary stoppages for clinicians and other patient care providers, supply and medication shortages, and impacts to the contract services meeting physical security, dietary, and environmental needs.
Change Healthcare touches 15 billion healthcare transactions yearly and one in three of all patient records nationwide.
Healthcare Industry: A Prime Target for Hackers
For years, the healthcare industry has been a favored prey among cybercriminals because of the lucrative data it maintains. IT talent shortages have helped to hold it in the crosshairs. Job dissatisfaction, including burnout, especially in high-stakes cybersecurity roles, worsened during the pandemic. When these conditions triggered the Great Resignation, many IT professionals packed up their laptops to seek greener pastures. Their sudden departure left gaps in healthcare cybersecurity.
The Status of the Change Healthcare Data Breach
Arguments over whether to pay ransom to cyber attackers have regenerated following reports that Change Healthcare paid $22 million in ransom to the hackers.
Debates surrounding ransom are longstanding. Arguments include the risk that hackers will flee with the money and not return stolen data and that paying ransom encourages future hacking. Counter-arguments contend that a complete ban on ransoms would be unfair to some victims, especially when the consequences can mean life and death.
UnitedHealth Group acquired Change Healthcare in 2021. Following the ransomware attack, CEO Andrew Witty said, “We are committed to providing relief for people affected by this malicious attack on the U.S. health system.” He added, “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practice and that patients can get their medications. We’re determined to make this right as fast as possible.”
On March 12, the Biden administration called on Witty to increase sorely needed funding to providers, and on March 13, a federal investigation was launched into UnitedHealth Group and Change Healthcare. Lawsuits were mounting, and the data breach was costing Massachusetts hospitals alone roughly $24 million a day.
Takeaways for Business Leaders
If the Change Healthcare cyberattack teaches us anything, it is the importance of sound cyber health, including state-of-the-art systems and approaches that are frequently assessed and refined. Business leaders should insist their teams train on mandatory requirements, prepare for data breach protocols—and do whatever else it takes to mitigate and preferably eliminate data vulnerabilities.
Business leaders take note: Healthcare is not the only industry susceptible to catastrophic cyberattacks. Financial institutions, the energy sector, construction, and manufacturing are all potential victims, along with others.
We need more and better-trained IT talent in the pipelines. It’s a goal we can achieve by locking arms to remove education inequities that bar worthy people from futures in IT. We can revamp hiring practices and tap online communities, social media, and trade schools for new talent.
We must improve salaries and benefits packages to offset cybersecurity job burnout. Industries can stabilize workforce weak spots by partnering with staffing agencies such as Medix to source new IT leaders.
I am convinced that we must do everything possible to safeguard all cybersecurity interests from threats. There must be painstaking scrutiny of mergers and acquisitions, especially any that involve mammoth organizations such as UnitedHealth Group. Mergers and acquisitions offer the promise of streamlined operations and expanded capabilities, but they also consolidate vast amounts of sensitive data under larger, potentially more attractive targets for cybercriminals. Regulators and companies themselves must conduct thorough cybersecurity due diligence during the M&A process to ensure robust defenses and response plans are a non-negotiable aspect of any deal.
Finally, we should reconsider the wisdom of granting any company the capacity to touch one in every three patient records in this country due to the risks it poses to so many people.