
Navigating the Aftermath: The Change Healthcare Cyberattack


The cybersecurity terrain within healthcare was abruptly upended by the cyberattack on Change Healthcare, marking a pivotal moment for the sector's digital defenses. This incident illuminated the stark vulnerabilities within our healthcare systems, showcasing the critical need for a more cohesive and robust cybersecurity framework.

Inside the Attack

On February 21, the digital operations at UnitedHealth Group's Change Healthcare were severely compromised, marking the onset of what would become one of the most significant cyberattacks in American healthcare history. This sophisticated ransomware attack, attributed to the notorious ALPHV/BlackCat group, disrupted critical healthcare services nationwide, from processing medical claims to managing electronic payments. The attackers demanded a hefty ransom of $22 million, putting a spotlight on the audacity and sophistication of modern cybercriminals targeting our healthcare infrastructure.

The Ripple Effect

The cyberattack on Change Healthcare, which unfolded on February 21, quickly escalated into a crisis for the healthcare sector, vividly illustrating the ripple effect such incidents can have. From individual practices to large healthcare systems, the ramifications were both immediate and profound, spotlighting the interconnectedness and vulnerabilities of our healthcare infrastructure.

Personal Stories from the Front Lines

NPR reported on some of the personal impacts of the cyberattack. Dr. Margaret Parsons and her colleagues at a small dermatology practice in Sacramento, California, found themselves at a standstill, unable to electronically bill for their services. The disruption forced them to consider paper billing, a method fraught with delays and inefficiencies, potentially stretching payment timelines to an agonizing three to six months. "We will be in trouble in very short order, and are very stressed," Dr. Parsons shared, echoing a sentiment felt across the healthcare community.

Similarly, NPR reported that Dr. Stephen Sisselman, an independent primary care physician in New York, faced the dire reality of operating without revenue. "How can you pay staff, supplies, malpractice insurance — all this — without revenue?" he questioned, highlighting the precarious position in which many healthcare providers found themselves.

Financial Strain Across the Board

The attack's financial impact was staggering, with hospitals and medical groups nationwide feeling the pinch. Jackson Health System in Miami-Dade County, Florida, reported the potential loss of up to $30 million in payments if the outage persisted for a month. This financial strain was not isolated to large institutions; small practices and independent providers grappled with similar challenges, underscoring the widespread economic toll.

Government and Industry Rally for Healthcare

In the face of a cybersecurity crisis triggered by the attack on Change Healthcare, both government and industry leaped into action. The Health and Human Services Department (HHS) swiftly rolled out assistance programs for health providers, encouraging insurers, such as Noridian—the Medicare payment processor for California—to accept paper claims. This move aimed to cushion the blow for healthcare providers caught in the financial whirlwind caused by the cyberattack. Yet, the response from insurers, with their minimal loan offers and financial aid, left many in the healthcare field feeling underwhelmed and overlooked.

The gravity of the situation was underscored by the American Hospital Association, labeling the cyberattack as an unprecedented threat to the U.S. healthcare system. This crisis laid bare the sector's vulnerabilities to cyber threats and cast a spotlight on what many saw as gaps in the federal government's cybersecurity strategy. The clarion call for more significant investment and sharper focus on bolstering healthcare cybersecurity has never been louder or clearer.

A United Call to Arms

The incident has crystallized the urgent need for solid foundations and support networks to withstand cyber threats. It's a rallying cry that echoes through the corridors of power, from government agencies to the hallways of the smallest clinics. The push for more robust cybersecurity controls, comprehensive financial assistance, and a collaborative approach to managing such crises is gaining momentum. As we sift through the aftermath of the Change Healthcare cyberattack, the lessons drawn are becoming the blueprint for future-proofing our healthcare sector against cyber onslaughts.

A Proactive Approach

Reacting to the urgency, the Biden administration convened a pivotal White House meeting on 12 March, uniting HHS leaders, cybersecurity leaders, and stakeholders from across the healthcare industry. This summit was more than just a discussion; it was a unified front against cyber threats, driving home the need for collective action to shore up the sector's digital defenses.

Cyber Performance Goals

In these discussions, Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, played a crucial role. She emphasized the criticality of adopting HHS's Healthcare and Public Health (HPH) Cyber Performance Goals (CPGs) and the Department of Labor's Cybersecurity Program Best Practices.

I wasn’t familiar with the HHS HPH CPGs and had to look them up. The CPGs are currently a voluntary subset of cybersecurity practices for healthcare organizations, and healthcare delivery organizations in particular. The HPH CPGs are intended to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety. They were built off of CISA’s CPGs and directly address common attack vectors against U.S. domestic hospitals as identified in the Hospital Cyber Resiliency Initiative Landscape Analysis report produced last year by the HHS 405(d) program on patient safety.

Neuberger's push for these CPGs signals a strategic shift towards a cybersecurity posture that's not just reactive but resilient, reimagining our approach to protecting the lifelines of our healthcare sector. The journey from vulnerability to security is paved with shared challenges and collective solutions. As we move forward, I hope the insights gained from the Change Healthcare incident are guiding lights toward a more secure, resilient healthcare ecosystem.

How OpenText Cybersecurity Enterprise can help

While specific security controls were not identified in the aftermath of the White House meeting, given the nature of the attack and the responses it elicited, we can infer that any path forward in strengthening the cybersecurity posture of healthcare sector entities would include alignment with the areas of focus for OpenText Cybersecurity solutions. I’ve included example case studies where we have already delivered solutions in the healthcare sector.

  • Application Security: Ensuring that healthcare applications are developed, tested, and maintained with security best practices to prevent vulnerabilities that could be exploited by cyber attackers. Case study: Tarilian Laser Technologies (FoD)
  • Identity and Access Management: Strengthening policies and technologies that ensure only authorized individuals can access sensitive healthcare systems and data, minimizing the risk of unauthorized access. Case studies: Ontario Telemedicine Network (NetIQ IdM, NAM); Medica (NetIQ IG, IdM, NAM); Carante Groep (NetIQ AA).
  • Data Security and Privacy: Implementing robust data protection measures to safeguard sensitive health information against breaches and ensuring compliance with privacy regulations such as HIPAA. Case study: Large Healthcare Insurance Organization (Voltage SecureData).
  • Security Operations: Enhancing the capabilities of SOCs within healthcare organizations to detect, respond to, and recover from cyber incidents more effectively. Case studies: Large Healthcare Organization (ArcSight Intelligence); Major Healthcare Provider (ArcSight ESM, Logger).
  • Digital Forensics: Investing in digital forensics capabilities to analyze cyberattacks, understand their impact, and improve defenses against future incidents. Case study: Banner Health (EnCase Information Assurance).

As discussions continue and as the healthcare sector seeks to implement lessons learned from this incident, OpenText Cybersecurity can assist in the safeguarding of healthcare infrastructure and patient data.

The Imperative Shift in Healthcare Cybersecurity

Last year I posted a blog on the risks associated with the healthcare sector. However, the Change Healthcare cyberattack marks not just a threat escalation, but a pivotal opportunity for action across the healthcare sector. This incident starkly reminds us that cybersecurity vigilance is indispensable, and a passive approach is no longer sufficient. It's a wake-up call that underscores the critical need for a collective, proactive effort to shield our healthcare ecosystem from digital perils.

As we navigate the path forward, it's clear that reinforcing our cybersecurity protocols requires a shared commitment that transcends individual organizations, knitting together public and private sectors in a cohesive strategy. This collaborative ethos is essential for crafting a robust defense mechanism capable of safeguarding patient data and ensuring the uninterrupted delivery of care amidst an ever-shifting threat landscape.

This moment of crisis should serve as a springboard for sustained transformation, urging us to envision and work towards a future where the healthcare sector is not merely bouncing back but is fundamentally strengthened against the myriad of cybersecurity challenges on the horizon. By drawing on our collective resilience and determination, we can architect a healthcare ecosystem that's not just more secure, but also rooted in a profound sense of trust and dependability.

For more discussion of the ramifications and response, check out our recent podcast episode Change Healthcare Under Siege: Anatomy of a Cyberattack, or read The Change Healthcare Cyberattack: A Wake-Up Call for Healthcare Cybersecurity.
