The Change Healthcare cyberattack is recognized as the most prominent medical data breach in American history, impacting over 190 million people nationwide. Immediately after the attack, hospitals, clinics, and pharmacies suffered the repercussions as much of their critical infrastructure and operations were halted. In addition to exposing sensitive medical and financial data, the breach froze day-to-day operations and delayed treatments, ultimately costing the parent company, UnitedHealth Group, a $22 million ransom payment. Over a year later, healthcare organizations are still grappling with the fallout from the attack.
The Change Healthcare attack should not be remembered as a one-off incident but rather as a wake-up call for what could happen to any organization in any industry dealing with sensitive data. To better prepare for and ultimately prevent similar attacks, security experts and IT professionals must learn from this incident and preemptively put the right safeguards in place in their organizations.
Every Vendor Partnership Has Risk
When it comes to cybersecurity standards, organizations are only as strong as their weakest link. This is why they must continuously work to identify vulnerabilities and protect all endpoints. Unfortunately, third-party vendors can often be that weak link in an organization’s security chain, especially when they have access to sensitive information. An attack on a single third-party vendor can lead to widespread operational shutdowns and breaches, whether big or small.
Change Healthcare is a major solutions and services provider that processes thousands of healthcare organizations' billings, claims, and transactions. According to the company, it processes 15 billion healthcare transactions annually. Because of its reach, the attack impacted thousands of hospitals, pharmacies and other healthcare organizations, leading to data exposure and operational downtime. This is just one example of how deeply reliant healthcare (and all) organizations can become on their third-party relationships, for better or for worse.
Organizations—in healthcare and beyond—must do their homework before working with a new vendor or partner. Any business dealing with sensitive data must conduct a complete audit of third-party vendors and partnerships, doing research and asking questions like:
- Does this vendor or partner meet the required security standard, and how do they do so?
- Do they work with other organizations in the same industry?
- Are they compliant with industry regulations?
- What are their disaster and recovery protocols?
- Do their security practices and safeguards align with ours?
By conducting thorough background checks on third parties, organizations can better understand their security standards and practices and see if they align with organizational standards before authorizing credentials and integrations into critical systems. Security audits should not be put to rest once an organization starts working with a third-party vendor. Upholding cybersecurity standards and compliance is an ongoing journey, so there should be regular reviews to avoid lapses in security protocols.
Keys to Avoiding Prolonged Downtime
When a cyberattack impacts an organization to the point that it freezes operations, it can be disastrous. In the case of Change Healthcare, the attack directly impacted patient care. Electronic payments and reimbursements could not be completed without the ability to process claims and billings, resulting in real consequences such as widespread service outages and downtime. Because of this, many healthcare providers canceled appointments with patients, while pharmacies could not verify prescriptions without the required systems.
The key to avoiding the disastrous consequences of an attack is preparation across systems, processes, and people. When it comes to systems, regularly testing for vulnerabilities is critical. By conducting regular penetration tests in conjunction with regular vendor reviews, IT and security teams can identify vulnerabilities that may be lurking. Once these are identified, teams have a road map for where to shore up their tech stack, addressing the riskiest problems first.
However, even patching up vulnerabilities doesn’t make an organization invincible. For this and many other reasons, every organization must have a business continuity plan before an attack occurs. A strong business continuity plan should be highly structured. It should include senior management identifying and approving team responsibilities and prioritizing critical business operations during a crisis. Organizations should also preemptively execute a business impact analysis to identify critical processes to ensure ongoing delivery and fast recovery following a disruption. Assessing a disruption's impact on service delivery and how long an organization can operate without those services will help prioritize plans and goals.
After detailing workaround plans, it is crucial to hold staff training sessions so that each employee knows how to perform tasks in accordance with the crisis playbook if something goes wrong. These should include mock scenarios of what to do when critical third-party systems go down, putting plans to the test and seeing how teams collaborate to solve the problem. Based on these exercises, organizations can collect insight and feedback to refine and improve plans. When employees are regularly trained against plans, their reactions become second nature, and while no organization wants to experience a cyberattack, having employees ready can make for a smoother process, ensure collaboration and communication, and ultimately limit downtime. Working with industry peers and exchanging information with other organizations on trends, best practices, and security challenges can also be incredibly helpful.
Always Assume the Worst Can Happen
The Change Healthcare cyberattack made a lasting impact on the healthcare industry and security professionals worldwide. Over a year later, it is still pointed to as an example of a breach that can have devastating consequences, but the lessons security leaders can take away will help them be better prepared for the future. As cyberattacks continue to evolve, so must security solutions and protocols.
Cybersecurity is never complete. No organization or system is 100% secure, and no cybersecurity solution can guarantee that nothing will ever go wrong. For this reason, cybersecurity should be seen as an organization-wide initiative prioritized by all employees at every level. When this mentality is adopted, security professionals can start to make headway in minimizing risk and ultimately better protecting the organization and all those who use, work for, and partner with it.