Change Healthcare Breach is a Sobering Wakeup Call on Cybersecurity

It seems that every month, the threat becomes greater and greater for hospitals across the country: the possibility that bad actors can disrupt the hospital’s operations – or effectively bring them to a halt – without the offenders leaving their couch.

John Hawkins, President/CEO, Texas Hospital Association

As I write this, hospitals and hospital systems everywhere have spent recent weeks dealing with the implications of a major cyberattack in February on Change Healthcare, which is part of the health care technology behemoth Optum. Both, in turn, are owned by insurance giant UnitedHealth Group. Change Healthcare, by its own accounting, processes 15 billion health care transactions each year and touches one out of every three patient records. American Hospital Association President Rich Pollack called the attack “the most significant and consequential attack of its kind against the U.S. health care system in history.”

Cyberattacks on hospitals – including those involving ransomware, where hackers demand payment in exchange for releasing the captured hospital records and patient information – have become an all-too-common fixture of the news in the past decade or more. For example, Ardent Health Services, which has 15 facilities in Texas, got hit by just such an attack last November. But the Change attack illustrated how hospitals and other health care facilities can be devastated without even being the target.

AHA and we at the Texas Hospital Association quickly jumped in to assess the ramifications and appeal to state and federal authorities for guidance, help and flexibility on claims processing, payments and more. Even after a New York Times story on March 5 detailed what security firms believe was a $22 million ransom payment by United to the perpetrators, facilities across the nation are still trying to analyze and crawl out from under this seismic disruption to their cash flows and day-to-day operations.

This breach underscores just how dependent the health of hospitals is on timely insurance payments. And even though this particular attack wasn’t on a hospital system, it’s an unfortunate wakeup call for all our facilities – a reinforcement of just how important it is to make sure your hospital or clinic stays on top of cybersecurity and takes steps to protect its IT infrastructure.

Now granted, the health care cyberthreats we periodically get warnings about from federal authorities like the FBI aren’t the easiest thing for most hospital personnel to digest. They usually contain arcane technical information that might only be fully understood by a hospital’s IT department. In the context of everything else a medical facility has to worry about each day, it may be easy to brush them aside and focus on patient care or the standard basics of hospital administration.

But in this age, it’s essential for hospitals to be as secure as possible. If your facility hasn’t explored the resources out there to do so lately, use this unfortunate news as a good time for a cybersecurity refresh.

Last fall, THA’s chief strategy officer, Fernando Martinez, authored this guide for hospitals to manage cybersecurity threats. I recommend appropriate hospital personnel review it for a starter on your revitalized journey toward firewalling your facility. Another excellent resource is the Stop Ransomware webpage from the federal Cybersecurity and Infrastructure Security Agency, which includes a guide on best practices.

In the grand scheme, we’re still in the early days of a new age in health care, where digital information storage and transmission – in everything from patient records to claims information and more – is king. There are excellent aspects of that massive and inevitable shift – but cybersecurity, if not duly addressed, can be a devastating pitfall. Like a health scare for yourself or a loved one that leads to a renewed focus on living longer, let’s use the Change breach as an impetus to make our hospital tech systems as impenetrable as possible.

John Hawkins | Mar 21, 2024 | 4 min read
