Change Healthcare Attack – What We Can Learn

On February 21, Change Healthcare went DOWN. The impact on the US healthcare system has been significant! The American Hospital Association (AHA) surveyed nearly 1,000 hospitals with 74% reporting this outage was impacting patient care and 94% reporting a financial impact with more than half of those indicating the financial impact was “significant or serious.” An American Medical Association survey of physician practices noted over 80% of the practices responding indicated that they had lost revenue and had to commit additional time and resources to their revenue cycle. Almost one-third of those surveyed could not make payroll. 

It’s been more than two months since the incident occurred and tracking on the Change Healthcare website still shows that eleven of their products are not yet fully operational. Additionally, as of April 28th, they have not reported to their covered entity partners any information regarding potential breaches of PHI that may have occurred because of this incident. This means that both Change Healthcare and the covered entities have not been able to comply with the HIPAA breach reporting requirements, which require reporting to the Department of Health and Human Services (HHS) and affected individuals within 60 days of discovery of a breach.

The HHS Office of Civil Rights (OCR) has already indicated that they are opening an investigation into this incident. While the OCR stated that their investigation interests in covered entities that partnered with Change Healthcare are secondary, they did not rule out investigations of covered entities.

Change Healthcare is part of a major corporation and had been audited by independent third parties who attested to their security and yet here we are. The incident really points out to healthcare providers of all sizes that you cannot depend on your partners to “protect” you from cybersecurity risk!

What should you be doing?

Vendor Management

Organizations should carefully vet and monitor third-party vendors that have access to your PHI. While that will not fully protect you from a vendor breach, should you be investigated it does provide proof that you exercised the required due diligence. At least annually, check your accounts payable and confirm that you have Business Associate Agreements with ALL vendors who have any potential access to PHI. For vendors critical to your business, make sure that you are doing periodic reviews. Sure, they may have been great when you onboarded them, but did they keep those security measures in place? Is there any independent verification of their security, or has their environment changed in a way that increases your risk?

Proactive Monitoring

Regular monitoring of systems and networks can help detect unusual activities before they become a full-blown crisis. Sign up for alert reporting from the FBI, NIS, etc. to see what might be heading your way and follow their suggestions. Industry publications are indicating that the Change Healthcare breach was a result of the ALPHV Blackcat ransomware as a service (RaaS). In December 2023, the FBI, CISA and HHS sent out a Joint Cybersecurity Advisory guiding organizations on how to identify and stop this ransomware. All healthcare providers and business associates should read and implement the guidance in these advisories and use them to improve the monitoring of their systems.

Have a Response Plan

Healthcare organizations and their business partners need a well-defined response plan to help them respond to cybersecurity incidents. The response plan needs to include ALL areas of your organization, not just your care delivery. Additionally, your response plan should not be “My vendor is going to take care of this.” As the Change Healthcare attack has clearly shown, a major incident at a critical vendor could impact your ability to pay your staff and vendors. It could even put you completely out of business. The response plan needs to have considered all critical elements of your operations and what you would do for both short- and long-term downtime.

Train

The ALPHV Blackcat RaaS and other ransomware products are often unintentionally introduced to your environment by your workforce. ALPHV uses advanced social engineering to gain access. Actors pose as company workforce members using data they have learned about your workforce. The 2023 HIMSS Cybersecurity Survey found that over 58% of the reported significant security incidents started with a phishing email. Workforce members need training on how to identify and report these threats. It’s not enough just to hang up on the caller or delete the email; your staff needs to report it to your security department.

How do I do all this?

Earlier this year, HHS published its Cybersecurity Performance Goals (CPGs) to help your organization prioritize the implementation of high-impact cybersecurity practices. The CPGs give guidance on a “basic” cybersecurity framework that includes these recommendations and others. For smaller organizations, it might be wise to consider partnerships with outside consultants to help you manage your cybersecurity, decreasing the cost while helping you remain current on risks and mitigation strategies.

To learn more about the lessons from the Change Healthcare attack, listen to our podcast.

CompliancePoint has a team of experienced healthcare, privacy, and cybersecurity professionals that can help your organization design, implement, and manage an effective cybersecurity program. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.