
Change Healthcare cyberattack shows ‘no one is immune’ | HIMSS 2024


The attack has disrupted hospitals and clinicians across America. Lee Kim of HIMSS says even the largest organizations are vulnerable, and healthcare providers have work to do.

Orlando, Florida – The Change Healthcare cyberattack has come up regularly during the HIMSS Global Health Conference & Exhibition.

Image: Ron Southwick, Chief Healthcare Executive

Lee Kim, senior principal of cybersecurity and privacy at HIMSS, talks about cyberattacks and the need for better defenses at the HIMSS 2024 Global Health Conference & Exhibition.

A subsidiary of UnitedHealth Group, Change Healthcare suffered the attack nearly three weeks ago, and hospitals and physicians have seen serious disruptions and financial pressures. Change processes more claims for providers than any other company, and doctors and health systems have said the interruption to cash flows has been costly. The attack has delayed tasks such as filling prescriptions and checking insurance eligibility.

Lee Kim, senior principal of cybersecurity and privacy for HIMSS, said the attack offers some vital takeaways for hospitals and other providers.

“No matter how large or how small the entity is, no one is immune,” Kim said Tuesday.

Other cybersecurity experts have offered similar assessments.

Tyler Hudak, incident response practice lead for TrustedSec, a cybersecurity firm, told Chief Healthcare Executive® in an interview that even the largest organizations can’t assume they’re impenetrable. Hudak offered that view from the perspective of a security firm that has worked with both small organizations and Fortune 500 companies.

“There's no perfect security out there,” Hudak said. “There's no company that's invulnerable to being attacked or compromised. There's always going to be weak spots.”

Kim also offered another lesson illustrated by the Change Healthcare cyberattack.

“It's safe to say that ransomware is here to stay,” she said.

Evolving attacks

Groups such as ALPHV Blackcat, which UnitedHealth said is behind the Change Healthcare cyberattack, have grown increasingly sophisticated with their attacks, she said. Ransomware groups are changing the tactics they use to breach organizations, sometimes many times over the course of a day.

“They can change their attack patterns every few minutes,” Kim said.

Cybercriminals are also studying organizations closely for lengthy periods and gaining more intelligence about vulnerabilities.

“They have this asymmetric advantage because they know our networks and systems so much better than us,” Kim said. “We need to sort of flip that equation so that we know our devices, systems, networks, … a lot better than the bad guys.”

Health organizations are going to have to use AI-powered defense tools to help reduce the risk of breaches, since ransomware groups are using AI tools as part of their attacks, she said.

What providers can do

Healthcare organizations become more vulnerable as the industry is increasingly interconnected, either through partnerships, third-party vendors, or the merger of organizations. “I think it underscores how interconnected we all are,” she said.

Hospitals, health systems, and medical groups should also take another lesson from the Change Healthcare cyberattack. They need to be taking a look at their vendors and third parties when it comes to cybersecurity.

“It's really good to ensure that with your vendors, if they have an incident like that, you have agreements in place where they will notify you ASAP,” Kim said.

Providers should also ask vendors about their response and backup plans to deal with cyberattacks, she said.

Hospitals also need to be prepared in the event of a ransomware attack. Some organizations that are focused on response plans have paper backups that they can utilize if their electronic health records and other systems go down. The Joint Commission has advised hospitals to be prepared to care for patients even if key systems are down for several weeks.

“I think the most valuable thing anyone can take away from the Change Healthcare incident is, even if it didn't happen to us, we shouldn't say ‘Thank God, it was not us,’” Kim said. “We should say, ‘Okay, what kind of lessons can I apply to my own business continuity, disaster recovery, resilience?’”

“I think it's about questioning our assumptions because unfortunately, there are bad people in the world … you know, they just want to achieve their outcome of disruption or destroying data, and unfortunately, then patients suffer,” she said.

Hospitals and health systems need to develop a better “intelligence cycle” around cybersecurity threats, Kim said.

“People aren't necessarily comfortable with reporting things that seem suspicious, and they've reported sometimes when it's too late,” Kim said.

Healthcare organizations also must talk more about suspicious activity they’re encountering, so others can look out for potential threats.

“I think that more organizations need to do better with sharing what people are actually seeing, hearing, experiencing, because that is real intelligence,” Kim said.

Federal response

Some healthcare organizations grumbled over what they perceived as the slow response of the federal government to the Change Healthcare cyberattack. But healthcare groups were encouraged by the U.S. Department of Health & Human Services statement issued Sunday.

The health department urged UnitedHealth Group to expedite funds to cash-strapped providers, and to communicate more frequently and transparently with the healthcare community. The government also asked insurers to make interim payments to providers, as well as pause prior authorization requirements and be flexible on deadlines for filing claims and appeals.

Rick Pollack, president and CEO of the American Hospital Association, said in a statement that he appreciates the recognition of “the unprecedented nature of the Change Healthcare cyberattack and its far-reaching impacts on hospitals, physicians and the health care sector.”

“It’s critical that all payers help providers during this incident to ensure patient care is not compromised,” Pollack said.

The American Medical Association has also sent a letter to the health department asking that timely filing deadlines for claims and appeals be waived. The AMA also suggested the creation of an up-to-date database of payers offering advanced payments to physicians.

© 2024 MJH Life Sciences

All rights reserved.