The recent cyberattack on Change Healthcare highlights the healthcare industry’s vulnerability when threatened with criminal attempts to disrupt technology and operations. The ransomware strike caused a chain reaction among healthcare providers, where payment systems were disrupted, cash flow halted, and—worst of all—patient safety was put in jeopardy.
For many healthcare providers, the incident reinforced the reality that cyberattacks targeted outside their organizations can still significantly impact daily operations. It has been a wake-up call for providers to start considering processes that can help protect against incidents of this nature in the future.
The Scope of the Problem
Healthcare IT systems present an unfortunate appeal to cyber criminals. Medical records are a valuable commodity to sell as they collect and store vast amounts of personal information, including social security numbers, passwords, and other data. The confidential nature of medical data also makes it easier for criminals to extort organizations once they have access. This is why ransomware attacks are so common in the healthcare sector.
During the COVID-19 pandemic, providers accelerated their use of digital tools to deliver care and continue operations. As a result, a greater digital footprint now leaves healthcare organizations more vulnerable than before 2020. Healthcare providers now report cybersecurity as the top digital investment planned to increase in 2024. Despite these investment priorities, there is a race between cyber resilience and the damage that cyber attackers can do.
The fallout from the recent cyberattack has caused immediate havoc across the healthcare enterprise. Industry experts estimate that the obstruction of revenue cycle processes is costing healthcare providers more than $100 million a day. Healthcare providers have been forced to scramble forward with inefficient and costly manual processes. Many have had to divert staff from core patient care duties to manage the switch from automated systems to manual processes.
Long-term implications are still unfolding but will likely entail increased financial pressure due to delayed payments, operational disruptions, and costs related to addressing the effects of the cybersecurity breach. The American Hospital Association (AHA) warned that many providers will be unable to meet payroll due to financial strain caused by the attack.
February’s cyberattack reminded providers that actions entirely outside their control can negatively impact operations. However, there are ways organizations can help mitigate some of the effects of attacks now and in the future.
Mitigating Cyberattack Fallout
With cyberattacks frequently reported on both small and large healthcare organizations, it is difficult for healthcare providers to predict who will be the next target for an attack. This is why it’s important to diversify vendors as much as possible with a fully tested and implemented business continuity plan. Sometimes, it is easier to rely on one platform for a whole host of processes, but as we have seen in the past month, that can leave the organization over-reliant on a single entity.
Many providers have attempted to switch systems to revive processes taken down by the recent attack. However, changing vendors is notoriously difficult and, in many cases, can take 90 days when cash flow is severely impacted. Making the switch pre-emptively in an organized manner is easier than having to change vendors in the middle of a crisis.
Given the impact of this cyberattack and the potential for future incidents, providers should also consider how they can make manual stand-ins and workarounds more efficient. Streamlining processes, assigning trained personnel, and scenario planning can reduce disruptions to a minimum.
Preventative Measures to Bolster Resilience
The chaos caused by the latest cyberattacks should convince providers that the best time to address security is now. This includes evaluating cybersecurity technology, risk management, and authentication procedures. The attack proved that the healthcare industry can only be as strong as a single exploitable link, so every organization needs to take steps to strengthen defenses in the long term.
To achieve this, healthcare organizations need to adopt a zero-trust security model. This is based on the “never trust, always verify” approach, which limits avenues of attack by implementing robust verification at all possible points. These extra security checkpoints make it much harder for cybercriminals to breach systems even if they’ve already obtained login credentials.
Healthcare providers also need to ensure they implement 24/7 threat detection. This strategy provides constant monitoring through a managed detection and response (MDR) service. Maintaining an approach like this can be challenging for any organization, so third-party turnkey solutions can ensure a security team is on hand to respond to any attempted breach, no matter when it occurs.
Cybersecurity requires a constant commitment to monitor risks and vulnerabilities. The threat environment is ever-changing, so organizations need to perform regular vulnerability scans and penetration tests to stay ahead of the game.
The Next Steps
Unfortunately, the cyber attackers will see their actions as a success. Wired reports that the group of hackers behind the ransomware attack on Change Healthcare received a hefty ransom in bitcoin which could signal that the healthcare industry is a profitable target and attract other bad actors. The FBI reported 249 ransomware attacks against public health and healthcare organizations in 2023, although the actual number is likely much higher. Given the effects of the most recent attack, that number could rise in 2024.
The latest attack on the industry will not be the last or—unfortunately—the most disruptive. However, by adopting an attitude of constant vigilance and preparing for the most devastating scenario, healthcare providers can avoid some of the catastrophic risks when planning to increase their digital footprints.
This latest attack didn’t just impact IT systems, administrative processes, or the bottom line; it threatened the quality of care for patients. Only the most robust contingency plans can prevent it from happening again.
Jason Griffin, Managing Director, Digital Health Strategy and Cybersecurity, Nordic Consulting
Jason is a healthcare IT executive with 25 years of progressive leadership positions and a comprehensive understanding of the industry’s evolving digital landscape. Throughout his career, Jason has proven himself to be a skilled leader with a talent for building high-performing teams around cybersecurity, EHR planning and implementation, and IT strategic planning. He has a track record of delivering results in challenging and high-stakes environments.
Andy Adams, Managing Director, Performance Improvement and Advisory Services, Nordic Consulting
Andy has over 20 years of professional services experience supporting healthcare clients with strategic decision-making to positively impact financial and operational performance. He has advised many large national healthcare providers on revenue cycle transformation, patient access transformation, and digital patient experience improvement. His passion is to help clients enhance net revenue, reduce operating costs, centralize and standardize operations, implement new IT solutions, and improve performance across various key indicators.