S2 E18: Change Healthcare – The Impact and the Lessons Learned

Change Healthcare – The Impact and the Lessons Learned


Jordan Eisner: Well, hello everybody. Welcome back to Compliance Pointers. I’m here with our most regular guest, our Director of Healthcare Services, Carol Amick. Carol, good to have you on again.

Carol Amick: Thank you. Good to be here.

Jordan Eisner: And for those of you that are new to the podcast, I’m Jordan Eisner. I’m also VP of Sales for CompliancePoint, but I serve as the mostly dedicated podcast host. I have guests from occasion come in and post other people from their organization. But I think this is Carol and my fourth or fifth time doing this. So Carol’s been a regular and we appreciate it. And that’s because Carol has a lot to offer.

So not only is she the Director of our Healthcare Services practice, but she’s spent a very, I’m going to say meaningful, not long, Carol, because people might not realize that you started doing this when you were 10 years old. So a very meaningful career on both the client side, working in healthcare systems, working for the government there for a little while, right in Tennessee, Carol, working for big consulting firms. So just a plethora of experience in a variety of different areas, consulting, advising, and executing against compliance goals. So good to have her back.

Today we’re going to be discussing a very popular topic in cybersecurity and the healthcare space and really just the whole world. That’s the Change Healthcare cyber-attack and perhaps some lessons we can learn from it as with other cyber attacks and what organizations can do to maybe not prevent, you know, I mean, prevent would be good, but also how do we react? How do we, you know, isolate? How do we respond? How do we get back up and running? How do we make it impact the organization the least as possible in the event it did happen?

So let’s dive right in. This attack has been in the news a lot as discussed. I think it happened in February. It could be off on that. But for our listeners who haven’t been following it as closely, it’s also about the scale and impact of the attack, Carol.

Carol Amick: So just to give you a little background, Change Healthcare has a lot of different things they do. One of the biggest things that’s impacted most of America is they are kind of the intermediary between a payer and a provider. So if you go to the doctor and you have something done, they’re going to bill your insurance company and that all gets processed and dealt with by Change. The same kind of thing if you go to the doctor and he or she sends a prescription to a pharmacy, that all goes through the Change system to facilitate that interaction. So it had a huge impact on just not only the payment of healthcare but the delivery of healthcare.

So this was probably the result in the largest healthcare system being used for all these things going offline. They were by far the largest player in the industry. And they had really been down. They finally started coming up towards the end of March, but even into April, they were still down.

It appears that it’s been a huge impact. They paid a $22 million ransom. It’s been a little vague as to what they got for that in a burst of trusting the criminals is kind of dangerous sometimes. One of the two criminal groups especially involved in this issued a press release saying we’re not helping you get your data back because we didn’t get our share of the $22 million. So there’s a lot of stuff going on in the background.

It was caused by basically people using compromised credentials to get enabled remote access to their network. They didn’t have a multifactor. They were able to get in there. They took over and locked them down. There have been some changes, they haven’t release exactly what was locked down. Surveys are showing significant problems. 74% of the hospitals in America are reporting this is impacting their patient care. It’s 94% of them are saying it’s taking a financial impact. There’s a lot of us who work in healthcare know a lot of hospitals are right on the margin. So having a stoppage in your cash flow can be extremely detrimental.

Just last two weeks ago, Change put a press release on their website that said, we’ve started looking at what could have been breached and we basically are saying a substantial portion of the United States, your data has been breached. And I think substantial portion is probably a lot of us, if not all of us, because most of you, if you’ve ever gone to a hospital, you’ve ever gone to a doctor, you’ve ever gone, there’s a good chance your data went through change and how much data was in what they got. We don’t know yet, but your data was a risk in my opinion.

So this is a substantial breach that has had a huge impact on the healthcare industry and has ability, people’s ability to care and ability people to pay their employees and keep their businesses going. I’ve heard reports of doctors offices having to, you know, take a second mortgage on their home just to pay their staff so they could keep going until they got their money. So it’s been an interesting scenario.

Jordan Eisner: Yeah, that’s terrible and scary. So what lessons can organizations take away? That’s always the question out of these. There will be another. What can you do to reduce it being you?

Carol Amick: Yeah, I think this one’s hard because this is such a big organization, such a critical component of the system. You do need to be able to be flexible. One of our clients, for example, used Change. Within a couple of weeks realized this is not coming back fast enough and they went out and found that they had a backup vendor. They had a relationship with already. They were able to move to that vendor and get their customers back up and running.

So looking at your disaster recovery plan, does it have, what would you do if one of your really big partners goes down in your, in your information kind of supply chain, you know, what are you going to do if you lose one of those partners? That’s really key.

But you also want to be monitoring. You want to be making sure that you’re not the leak that lets these people in to the environment and starts it to happen. So I mean, this is a continuing saga within the United States health care system. This ransomware, there’s attacks.

A lot of our data, unfortunately, as I say, a lot of times we have the best data in health care and a lot of cases have the worst protection. It’s not uncommon for data still to be unencrypted. It’s not uncommon for data not to be protected by strong multifactor authentication. For example, one of the things that apparently is coming out of the Change is there were places where multifactor authentication could have been in place and it was not. And had that been there, would it have stopped it? I don’t know, cause I’m not on the response team, but it could have helped.

What, what could they have done to make it harder for these people to compromise their credentials? You want to make sure you’re not compromising your credentials.

Make sure your passwords require complexity. I actually had somebody hand me a password one time and it was one, two, three, four, five, six, seven, eight. I’m pretty sure that you don’t have to be a genius to break that password. So make sure your passwords require, that your workforce use a complex password. Make sure they know that they’re not supposed to use that password on their Facebook account. That’s a separate password, not your work password.

So you know, training your employees on what to do, training them on not to click on the links, training them on, you know, phishing. You know, even here with CompliancePoint where we don’t really have a lot of PHI or PI in our system, we do phishing training and get, you know, emails that are entertaining sometimes, but sometimes they’re very good and can throw you. So you want to make sure if no one ever clicks on your phishing email training, if you’re probably not making it complex enough. You’re making it too easy.

And the truth is, these people are good. You know, the old days where they would say, see, you’ll see spelling errors and stuff. That’s not true anymore. These things look just like an email that Jordan and I would send to each other now. There’s no difference. They’ve, you know, they’ve gotten smarter.

Jordan Eisner: I agree completely. I have seen that over the years. It used to be laughable, at least from my perspective and easy to catch. And I’ve clicked some lately. One recently actually was with Hulu. It turned out it was legit, but I clicked it and I was like, I didn’t even stop to think it looked and it was a little mysterious, right? Based on where somebody is trying to access and turned out it was somebody, it was a legitimate email from Hulu, but somebody had access to my account from somewhere else. And so you just never know. It’s tough. You’ve got to be really diligent, really thorough.

But one of the things you mentioned when you were just talking about there was a weakness to adapt and change, right?

So if a company does experience a cyber incident, which they’re likely to, it’s important to respond quickly and effectively. What are the keys to doing so? From your perspective. You’re in the healthcare space. You’re working with covered entities and business associates, a lot of health technology, and that’s your world. But I think it can be generally applied to other people that we might have listening that work outside of healthcare.

So quickness is important and obviously effectiveness. What are keys to that to you?

Carol Amick: You need to have a plan that’s been exercised. And you need to realize that this is not going to happen Monday at 10 a.m., which is when you scheduled your exercise. It’s going to happen the Thursday of Thanksgiving at 10 p.m. That’s when they’re going to hit the button and execute the ransomware because they know it’s going to be hard for you to find your IT cybersecurity professionals. They’re going to be hard for you to find people and get them into your office to deal with this.

So you need to have a plan that you’ve actually exercised. I feel like kind of maybe even in real time. Imagine on a Saturday, see what happens on a Saturday. You have a problem. Can you find the right people? Do you have the right cell phone numbers? Do you have the right email addresses? Do you know where to find them?

Because you can’t wait until Monday. You can’t sit there going, well, we’ll just be in Monday. We’ll deal with the problem. By that point, they’ve cut you down.

I think the other thing you really need to have looked at is looked at your entire information supply chain, as I said earlier. A lot of times what we see with incident response plans is people are depending on their vendors to recover for them. So they’ll be like, oh, we don’t have to worry about that because Company X, in my case, it’s a medical record system. And Company X runs the medical record system and they’ll get it back up.

No, you do need to worry about that. What if Company X is Change Healthcare and they’ve been down for two months? What are you going to do? Do you have a manual workaround? Do you have a backup? What are you going to do?

Because we’ve seen with ransomware, particularly in healthcare, people will say, well, we’re going to revert to the paper system. Have you tried reverting to the paper system? As we move farther and farther down the technology road everywhere in the world, you probably got a group of caregivers and nurses and technicians who have never actually used those paper forms. So your assumption that they’re going to figure out how to use them in a hurry when the world kind of stops on them, it may have some flaws.

So I think that’s a lot of it. As I said, I think being able to get the alerts and have responding to alerts quickly, we had a client who had a breach. Their intrusion detection system notified them within minutes of something starting to be exfiltrated. They were able to block it, shut it down, and they lost about 10,000 records. It’s a big number, but it’s not what it could have been considering the amount of data they had. And that’s because they had kind of a real-time alert system that got worked 24-7. It wasn’t, we’re only going to, the alert will come in and we’ll look at it Monday when we get to the office. No, you got to look at it Saturday night when it’s going off and stop the bleeding as soon as possible. Take that system offline, take that network down, do what you have to do to stop it before it gets too far in there.

So I think there are things you can do, but part of that response plan is real-time practice and really saying that this is not going to be a Monday through Friday, nine-to-five kind of problem.

Jordan Eisner: Tabletops. Be the company that’s going to be prepared. It takes an investment. It takes an investment in security.

Carol Amick: Yeah, and your tabletop needs to be more than just, we’re going to talk about it. Okay? We’re going to go, the surgery centers we own, we still in healthcare, are going offline because of the network, their system’s down. Can they do paper? Do they actually have the paper? Do they know how to do it? How did they cancel non-essential surgeries?

You know, do we just, is that going to be our plan? We cancel non-essential. How do you do that? We don’t have their phone numbers. We don’t have emails. You’ve got to think beyond just the IT side. You’ve got to get the operations side involved.

Jordan Eisner: It’s a tough pill to swallow to use a medical term, right? Just in that, I’m sure that there’ll be lost revenue even in a test, right? If it’s a real test to your point, Carol, right? I think that’s probably why organizations aren’t doing more of that, but what do I know?

Carol Amick: I think it’s a cost thing. I don’t know if there’d be lost revenue in the test, but I think there is a cost of doing the test.

And, you know, I talked a little while ago about some healthcare systems and some healthcare operations. While everybody looks at how much healthcare costs, the truth is, if you look at the financials for a lot of county hospitals and small rural hospitals and places like that. The margins are thin.

Jordan Eisner: I saw somebody say it. It’s probably been a saying for a long time. I only saw it recently, but security costs too much until it doesn’t, right? You know, and I’ve been, I’ve kind of grasped that one. I like that one.

Well, looking ahead, how do you think this one in particular is going to change your industry, right? Healthcare organizations, should they expect more scrutiny from, I’d say, you know, vendor security evaluations, maybe credentials they need to have to play in the health system space, that sort of thing, right?

I think of HITRUST, for instance, but there’s other data stewardship certifications or, you know, frameworks that companies can abide by. What do you see? What do you think?

Carol Amick: So I will say Change Healthcare is part of Optum and they are very involved in one of the frameworks you talked about, HITRUST. They have been, and probably a lot of these applications that have been compromised were HITRUST certified. So, you know, I think having a certification is great and it does show a good plan, but nothing’s bulletproof and we know that.

I think a couple of things we are seeing, I went to the Healthcare Compliance Association conference a month or so ago up in Nashville, and there were several people from the Department of Health and Human Services, Office of Civil Rights there, and they’re the ones who lead these investigations for breaches. And the breach hasn’t even been reported yet, and they are already planning to do an investigation. So there’s definitely going to be government focus on this and that will probably result in some more regulations, some more guidance.

The other thing you want to be sure is you have a business associate agreement, and that is what you should have with any of these partners that kind of says this is what you’re supposed to do if there’s been a breach. One of the challenges here is if I’m a covered entity and my data has been breached in this Change Healthcare breach, I’m supposed to report that to the government within 60 days of the breach. Well, we’re well beyond 60 days right now, and no one has any idea what to report to the government.

So you at least want to be able to show the government, look, I have a letter, I have an agreement with them that they were supposed to give me this data so I could give it to you and push it back to them so it’s not your fault that you didn’t, you want to have that agreement.

You do want to make sure that your organizations and you have the faith, look that there’s cybersecurity framework and their information security framework in your vendors. A lot of vendors, a lot of people, as I said, are just assuming their vendors are going to get them out of trouble when they get in trouble. So they’re assuming that Change Healthcare are whoever they’re partnered with is going to be back online, be able to handle and recover. As this shows, you probably want to do due diligence on your vendors. Do they have a certification? Does that certification mean they have an incident response in a disaster recovery plan that’s been tested?

Now, obviously, I would expect Change had a lot of these things and just the volume of what went down is interesting. But I think this will, I think, have some stuff coming out. I think we’re going to see the government putting a lot more focus on, they’ve already started it, but this is really, you could tell, driving them on cybersecurity.

The HIPAA regulations that most of us use for information security and healthcare are over 20 years old. They don’t even address phishing because there’s no such thing as phishing when they came out.

Jordan Eisner: Well, there was. It just wasn’t that sort of phishing.

Carol Amick: Really didn’t, you know, people, everybody didn’t have emails. I mean, when HIPAA first came out, I worked for a place where the business office had one password and login. It was posted. Every morning it was posted so everybody knew how to log in. Now, you know, in the ensuing decade, that would be impossible at this point in time. But the regulations really haven’t had that many updates since that point in time when that was an accepted practice in the industry.

So we are seeing emphasis already, but I think that’s going to happen.

I think where you’re going to be getting it, and unfortunately it’s hard, I mean, you’re going to be getting questions from patients. When you start sending out these letters, if you’re a covered entity, when Change finally gives you the letter and says, you’re going to be getting questions then. What did you do? How did you know it? And so I think that’s going to be a real challenge for a lot of us. You’re going to be on the phone talking to people, trying to explain to them that it’s not our fault, even though we sent you the letter and we’re sorry.

Jordan Eisner: Well, what can companies do to stay current then? Like new threats like this, responses, right?

Where we’re adapting, what changes are coming out of the Change Healthcare incident. Where can working companies go?

Carol Amick: Well, a couple of things. There are government sources that help you. For example, the ransomware that attacked Change Healthcare, and I don’t even know how to pronounce it, the ALPHV Black Cat ransomware. In December of last year, there was an alert sent out by the joint effort by the FBI, CISA, and Department of Health and Human Services saying, this is out there, it’s targeting healthcare, here are the things you need to do.

Now what we don’t know is if Change did those things, but you should be doing those things. If you haven’t done them, go do them now because obviously this thing hasn’t gone away.

Jordan Eisner: And what is that? Who sent it?

Carol Amick: It came out in December, 2023. It was from, it’s a joint security effort from the FBI, HHS and other federal agencies. And they send these out periodically and you can sign up on the Department of Health and Human Services website to get these alerts. They send them out when they see things happening. You want to be getting those.

NIST has a subscription list serve type thing. You can sign up and get these and see what’s going on. Sign up for these alerts so that you get them and see what’s coming out so that you know what’s happening. That’s a real key.

And then deal with them. I mean, if they just go in your inbox, in your junk file or your inbox and that’s not there yet. You have to get them out there. You have to get them to the right people. You’ve got to evaluate.

And that’s another thing. Ask your partners, what are they doing? Are they getting these alerts? The HITRUST certification you talked about earlier, which we do a lot of now requires that organizations get these alerts and that we ask as the assessor, what are you doing with them? Are you distributing them through the workforce? You’re distributing them out.

Are your vendors and are you doing things like vulnerability testing and penetration testing? Have you checked to see where your gaps are that could be exploited and get you in trouble?

Doing those things is no guarantee. I mentioned earlier one of our clients had a breach several years ago. They found the vulnerability. It was on their plan to get patched and got exploited in the weekend between finding and fixing it. But it still prevents it as much as possible.

So you want to get in there and know what you’re up against. A lot of people think they have a small network and they don’t need vulnerability testing and they don’t need penetration testing. But you’re just as likely to be breached as Change.

I like Shange because it was $22 million. There’s a lot of hackers out there. I’ll be perfectly happy with getting a couple hundred thousand dollars out of you. So you want to hit that off. Make sure you’re doing what you can.

Look at what comes out. You’ve got the HHS has recently published Cybersecurity Performance Goals. They’ve obviously made it clear they’re going to continue to push this. They’re trying to find a way to get some funding, which I know is part of the problem for healthcare. Everything I’m talking about costs money and some places just don’t have it. But there is an effort out there. Make sure you’re in good shape.

If you’ve got things on your network that can’t be patched, that can’t be controlled and I know a lot of healthcare providers have equipment in their hospitals and places that it’s so old you can’t fix the operating system anymore. It’s not supported. Figure out how to isolate that so that it’s not going to be the first thing that gets the rest of your network down. You want to protect yourself as much as you humanly can. So there’s a thing you can do.

You know, we do a lot of assessments for organizations. We do risk assessments that are looking at what are your risk and what are you doing to control that. And that’s I think we’re going to see more of that. If you have done a risk assessment within the past 12 months that kind of meet some basic standards and you do have a breach, the government is supposed to reduce the amount of work they do on an investigation.

So you want to have that even if it doesn’t stop the breach, it might save you money on the back end on the penalties and fines.

Jordan Eisner: If you don’t have the money, budget forward next time. You know, take it up, bring it up in the budget section of your annual meetings, whatever.

Carol Amick: And I will say I hope I mean, I understand the budget dichotomy. There’s a lot of pressure on high healthcare budgets. And you know, some things bring in revenue and some things don’t. Cybersecurity generally doesn’t bring in any revenue. But I think that one thing Change has pointed out to us is how vulnerable we are in our cybersecurity information supply chain.

And so hopefully that will help a lot of CISOs when they go to their governing body and say, look, we really need to invest in this. I think the publicity kind of has started to bring it home to everyone. Wait a minute. This is not just protecting data. It’s also basically protecting the entire system. Can we keep doing what we do for a living?

Jordan Eisner: Hope you’re right. Well, thank you, Carol, for your time, as always. This has been good insights and organizations may be a little worried about this and listeners thinking about it beyond just what they’re seeing about in the news.

So thank you for listening to our listeners. We publish content like this quite frequently and are giving our thoughts and leveraging our experts to share processes, practices, policies, right, things you can do tactically, conceptually to try and mitigate risk around these sort of areas. So please do subscribe and come back and listen to more.

And if you want to talk to us further about any of these things, your organization is seeking support in these areas. Feel free to connect with Carol or myself on LinkedIn. Come to our website, CompliancePoint.com. There are many different channels that you can reach out to directly and schedule time to talk.

So until next time, thanks, everyone.

Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.