It Is Time To Elevate Cybersecurity To The CEO Agenda


The Change Healthcare cyberattack crippled mission-critical functions across the industry. It reinforces the need to make cybersecurity a business imperative.

Jim Fields, Paul Mee, and Nikhil Sarathi

Claims couldn’t be processed. Providers couldn’t get reimbursed. Care authorizations were paused. Patients ran into delays getting their prescriptions filled. Those were some of the early, publicly known ramifications of the Change Healthcare cyberattack. The dominoes are still falling from an event that the American Hospital Association called the “most significant cyberattack” on healthcare in US history.

However you choose to characterize the breach, one thing is abundantly clear: protecting healthcare networks and data can no longer be viewed solely as an IT issue. It is a business continuity, operations, patient protection, and financial issue; put more succinctly, it affects every corner of an organization. As such, cybersecurity must be a top priority for, and led by, CEOs and chief operating officers. Chief information officers still have a critical role to play, but the seriousness of a cyberattack demands enterprise-wide attention at the highest level.

Change Healthcare is not an isolated incident

The attack on the UnitedHealth Group subsidiary has been devastating. Executives from Humana and Elevance Health reported a 15% to 20% drop in claims submitted by providers since the attack on February 21. Recognizing the disruption to operations, the Centers for Medicare and Medicaid Services announced flexibilities to help providers with claims processing and asked Medicare and Medicaid insurers to temporarily waive prior authorization requirements. There are also reports that Change Healthcare paid the BlackCat (ALPHV) ransomware gang an eye-watering $22 million.

Unfortunately, this episode is not unprecedented for the sector. Ann and Robert H. Lurie Children’s Hospital of Chicago was hit by an attack during the same timeframe. Phones, email, and MyChart were offline for weeks. The MyChart outage made it difficult for parents to message their child’s care team, and doctors had to revert to writing paper prescriptions instead of e-prescribing, which led to further problems at pharmacies. Indeed, the velocity and intensity of cyberattacks across healthcare continue to rise, and breaches costing organizations $10 million or more have become all too common. Beyond the big ransomware payouts to bad actors, patient data represents a particularly attractive trove on the black market: a medical record can reportedly fetch as much as $1,000, compared to less than $10 for a stolen credit card number.

As we continue to digitize care delivery, create more connections between information technology systems, and open the gates to externally generated data, including data from patient devices, the attack surface keeps growing, and every healthcare organization is at risk of being the next victim.

Focusing on business resiliency

Despite the growing set of vulnerabilities in healthcare, many organizations still struggle to prioritize cybersecurity amid competing demands for resources and attention. On average, healthcare organizations spend 7% or less of their IT budget on cybersecurity, according to a 2023 HIMSS survey. Limited budgets, a shortage of skilled cybersecurity personnel, and the complexity of healthcare IT environments pose significant challenges to building a robust cybersecurity posture.

But the cost of inaction far outweighs the investment required to be proactive. Let’s be clear: the next cyberattack, or wave of cyberattacks, will be different. Each one will be more sophisticated, more innovative, more persistent, and more likely to be AI enabled than the last.

The call for action is clear: resilience planning must be embedded at the core of strategic decision-making. This involves an executive commitment to regular risk assessments, investment in robust cybersecurity measures, and the development of practical, comprehensive contingency plans that have been exercised and proven to work. This applies within the organization and beyond it, with third parties, peers, and law enforcement agencies. CEOs and COOs are best positioned to demand action in every business unit and from outside partners.

Moreover, the value of resilience extends beyond risk mitigation. It ensures organizations can adapt and emerge stronger, positioning themselves as reliable partners in healthcare delivery. Here is a playbook for healthcare executives as they revisit their business resiliency plans in the face of this market-wide disruption.

A 5-step program for business resiliency

Assess: Conduct regular risk assessments to identify vulnerabilities. Third parties must be included in this process; the Change Healthcare outage shows why, since a single vendor’s compromise became every customer’s crisis.

Prevent: Educate employees about cybersecurity best practices, including phishing awareness, password hygiene, and how to report a suspected incident, so that they can act as the first line of defense against cyber threats. This includes regularly running phishing simulations and exercises to verify that employees actually follow those protocols. Stringent vendor risk management processes are also necessary to hold third parties accountable for maintaining adequate security controls.

Plan a response: Prioritize mitigation efforts based on the potential impact on patient safety, data integrity, and operational continuity. Develop and regularly test incident response plans, including the downtime procedures, such as paper prescriptions, that the Lurie Children’s Hospital attack forced clinicians to improvise, so that the response is swift and coordinated, disruption to patient care is minimized, and the impact on the organization is contained.

Monitor: Implement robust technical controls, such as network segmentation, endpoint protection, and intrusion detection systems, to detect cyber threats early and to limit how far an intruder can spread before causing harm. Stay abreast of evolving regulatory requirements and ensure compliance with data protection and privacy regulations to avoid costly penalties and reputational damage.

Collaborate: Engage with industry peers, government agencies, and cybersecurity experts to share threat intelligence, best practices, and lessons learned, fostering a collective defense against cyber threats.

These steps are the foundation for building strong operational resiliency plans in response to cyberattacks. While the technical components of each are critical, elevating cybersecurity to a corporate and business continuity priority is the key. By acknowledging the severity of these risks and taking proactive steps to enhance cybersecurity preparedness, healthcare organizations can minimize disruption to their operations, their patients, and the healthcare system more broadly.

Prath Kharkar, associate, contributed to this article.