The ransomware attack on Change Healthcare in February 2024 revealed the vulnerabilities within the sector and the serious consequences of such breaches.
The Change Healthcare incident, orchestrated by the ransomware group ALPHV (also known as BlackCat), has been labeled "the most significant and consequential incident of its kind against the US healthcare system in history" by American Hospital Association President and CEO Rick Pollack. The hackers gained remote access to the company's Citrix portal, which lacked multifactor authentication, and stole six terabytes of sensitive data, including personal information.
The aftermath of this breach has been nothing short of catastrophic. Change Healthcare was forced to go offline, creating a backlog of unpaid claims that left hospitals and doctors' offices reeling from cash flow problems and threatened patient access to care. The financial impact on the company's parent, UnitedHealth Group, is estimated to exceed $1 billion, including lost revenue, recovery costs, and a $22 million Bitcoin payout to the hacker group.
Read also: UnitedHealth confirms scope of Change Healthcare attack
The ripple effects of the Change Healthcare breach have been far-reaching, with clinicians and healthcare organizations across the country bearing the brunt of the fallout. An American Medical Association survey revealed that 80% of clinicians lost revenue during the incident, 77% experienced service disruptions, 55% had to use personal funds to pay bills, and 44% were unable to purchase supplies. One clinician even shared that the incident "may bankrupt our practice of 50 years in this rural community."
The damage has sparked consumer anger, investigations, and calls for more stringent regulations and rigorous evaluations of enterprise defense strategies. It has become a sobering reality for healthcare executives and a reminder to leaders in other industries about the potential of a successful cyber attack.
The Change Healthcare breach has spotlighted cybersecurity within the healthcare sector. Research paints a concerning picture, with the 2023 HIMSS Healthcare Cybersecurity study finding that 55% of respondents reported experiencing a security incident in the prior 12 months, and 12% had suffered a ransomware attack.
The Study on Cyber Insecurity in Healthcare 2023 from Ponemon Institute and Proofpoint further illuminates the challenges, revealing that 88% of organizations experienced an average of 40 attacks in the prior 12 months, with the average total cost of a cyberattack being almost $5 million. Additionally, 64% of organizations had suffered a supply chain attack in the prior two years, 63% had an average of 21 cloud compromises during the same period, and 54% experienced an average of four ransomware attacks.
Healthcare entities are frequently targeted by cybercriminals due to the abundance of sensitive information they hold, including Social Security numbers and financial data. The sector's complex technology environments, including both IT systems and operational technology, as well as the regularity of legacy systems, create an expansive attack surface and multiple entry points for hackers.
Furthermore, the healthcare industry's high level of interconnectedness, with entities of all sizes and security maturity levels sharing data, makes third-party attacks both more probable and more potent. The sector's reliance on software vendors to create, deliver, and maintain secure products also introduces vulnerabilities, as healthcare IT and security leaders often lack the ability to thoroughly assess the security of these solutions.
Compounding these challenges, many healthcare organizations, particularly smaller and rural ones, struggle to allocate the necessary resources to bolster their defenses due to competing priorities and limited budgets. The sector's need for 24/7 availability also complicates the process of updating and patching systems, leaving vulnerabilities exposed.
Read more: Why healthcare is a major target for cyberattacks.
In response to the growing threat, the healthcare sector is taking steps to bolster its cybersecurity posture. The HIMSS survey revealed that 55% of respondents reported higher security budgets in 2023 compared to the previous year, and 58% expected their budgets to increase further in 2024.
Additionally, cybersecurity is now a board-level concern, with 62% of respondents stating that their boards oversee cybersecurity risk, and 68% indicating that their directors receive regular briefings on the subject. Initiatives such as the US Food and Drug Administration's 2023 guidelines for secure-by-design medical devices and increased information-sharing through channels like the Health-ISAC Threat Operations Center (TOC) are also contributing to the industry's efforts to enhance its security resilience.
Despite these positive developments, security experts and industry leaders agree that more needs to be done to safeguard the healthcare sector. The HIMSS report authors called for greater board-level engagement, with the idea being that "more healthcare organizations will embark upon the proactive journey of regularly briefing their boards of directors" on cybersecurity risks.
Likewise, the need for supply chain risk management was mentioned, with less than half of respondents indicating that their organizations had established a dedicated cybersecurity supply chain risk management program. The adoption of frameworks like the NIST Cybersecurity Framework Version 2.0 and the US Department of Health and Human Services' voluntary cybersecurity performance goals (CPGs) were also recommended as steps to strengthen the industry's defenses.
Related: HHS releases new voluntary cybersecurity performance goals
The Change Healthcare breach has served as a wake-up call, reiterating the need for the healthcare sector to prioritize cybersecurity and implement security measures. As Senator Ron Wyden aptly stated, "Every new devastating hack hammers home the need for mandatory cybersecurity standards in the healthcare sector, particularly when it comes to the largest companies that millions of patients depend on for care and medicine."
The time for complacency has passed. Healthcare security leaders and executives must heed the lessons of the Change Healthcare incident, accelerating their efforts to enhance their organizations' resilience and protect the sensitive data and critical services that their patients and communities rely upon. Failure to do so will only invite further attacks, with consequences that reverberate across the entire healthcare system.
A data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, social security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.
Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.
Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data.
Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.
Learn more: HIPAA Compliant Email: The Definitive Guide