Just a few weeks after a high-profile cyberattack on a children’s hospital in Chicago, the broader healthcare industry was left reeling by an even bigger problem. On February 21, hackers shut down operations at the nation’s largest billing and payment clearinghouse.
Operated by multinational insurance giant UnitedHealth Group, Change Healthcare is a digital network that handles hundreds of millions of dollars in insurance payments every day. It also manages one of every three patient records in the U.S., totaling nearly 15 billion transactions a year.
But with operations effectively halted after a ransomware attack froze billing and payment transactions, money is no longer flowing between hospitals, doctors, and medical providers. Desperate practitioners have had to borrow hundreds of thousands of dollars to cover employee payrolls and everyday expenses—and many worry that the problems could continue for weeks or months.
On March 7, UnitedHealth revealed details of the cyberattack; it also announced a loan program that would try to fill the gap with insurance payments to medical facilities and providers. But many organizations said that wasn’t adequate to cover immediate costs—and called attention to the fact that UnitedHealth still didn’t know when normal operations would resume.
Bigger fears have also started to surface: Was patient data compromised by the cyberattack? Was a $22 million Bitcoin transaction linked to the suspected hackers a ransom paid from UnitedHealth to try and recover that data? Could the targeting of Change Healthcare represent an escalation of last month’s attack on Lurie Children’s Hospital, which took a month to restore normal operation? And is this the “new normal” for the lucrative and essential healthcare industry?
Worries for the future.
The powerful American Hospital Association believes that’s the case. Last week, it called the cyberattack “the most significant and consequential incident of its kind against the U.S. healthcare system in history.” It also speculated that its member institutions may have to stop providing services to patients: “Nothing in [UnitedHealth’s] announcement materially changes the chronic cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing as a result.” It could be “weeks—if not months—before our hospitals and other healthcare providers will be made whole.”
So far, providers and patients are the ones bearing the brunt of the disruption. Around the country, people have had to pay out-of-pocket to fill critical prescriptions. Independent physician practices have had to postpone employee paychecks. And the federal government has asked providers to switch payment portals, a process that many say could take up to 90 days.
Meanwhile, cybersecurity experts working in the healthcare industry are looking for answers—not so much to expose UnitedHealth’s shortcomings but to instead understand how the breach happened so that other organizations can strengthen their own defenses.
Why are hackers targeting healthcare organizations?
Because such institutions continue to be viewed as easy and convenient targets. Medical groups manage thousands—even millions—of sensitive patient records and are considered more willing to pay ransoms to try and maintain essential services. And if UnitedHealth really did pay $22 million to try and retrieve stolen data, that could actually incentivize hackers to attempt further attacks—not back off. A former federal cybersecurity official put it best in an interview with NPR: “When there’s gold in the hills, there’s a gold rush.”
Looking further into the future, the escalating attacks deepen doubts about whether the private companies that make up the U.S. health system and the government that regulates them can withstand so many ongoing cyberthreats. The FBI reported nearly 250 ransomware attacks against healthcare and public health organizations in 2023—and many believe the number is significantly higher.
How did this cyberattack happen?
As with most high-profile incidents, details have not been released—and rumors are swirling. However, experts warn that a devastating breach can occur via something as simple as a click on an illicit link in a phishing email or an inadvertent response to a spam phone call. Both of these threat vectors proliferate, even in the face of tighter regulations and stronger cybersecurity defenses.
The healthcare industry is particularly at risk because of the thousands of connected medical devices in use across the country. Devices with outdated software could provide easy access for hackers looking to break into a hospital network. The FDA recently increased its efforts to measure the digital defenses of medical devices and issue recommendations to fix them. But vulnerable machines often stick around because of how expensive they are to take offline or replace.
What can healthcare organizations do to protect themselves?
Just as they did last month in light of the attack on Lurie Children’s Hospital, IT providers like CMIT Solutions are urging businesses in the healthcare industry to reconsider their cybersecurity measures and strengthen their defenses. This includes solutions like proactive system monitoring, advanced threat detection technology, reliable data backup, enhanced employee training, and much more.
Below, we review the details of these critical tools and how they can protect businesses in the healthcare sector and other industries:
- Implement multi-layered cybersecurity measures. These range from broad-based security for all systems to specific protections for electronic medical records and medical scheduling. At CMIT Solutions, we recommend a diverse approach that includes advanced firewalls, intrusion detection systems, and endpoint encryption for every device. It’s also critical to regularly update and patch software and systems to mitigate the risk of exploitation.
- Conduct regular security audits, risk assessments, and incident response reviews. Working with a trusted IT partner, companies operating in every sector should undertake comprehensive cybersecurity audits to identify potential vulnerabilities and weaknesses in their infrastructure. Risk assessments can outline the potential impact of cyberthreats, while simulated incident response protocols can help employees know what actions to take to protect information in the event of a problem.
- Provide ongoing employee education and training. If the source of the cyberattack on Change Healthcare is confirmed to be ransomware, cybersecurity experts will likely point to human error as the cause of the infection. When employees know how to spot phishing attempts, strengthen passwords, and follow cybersecurity protocols, the chances of negative impacts decrease. Healthcare businesses should also implement clear policies and procedures for the secure handling of sensitive data.
- Back up critical information regularly. Since Change Healthcare serves as a clearinghouse of information, many wonder whether data backups could have saved the business from this attack. But if UnitedHealth did pay a $22 million ransom, they either did not have sufficient data backups in place—or they stored them on devices connected to a main network, allowing them to be infected when the ransomware struck. If data is backed up regularly, remotely, and redundantly (i.e., stored in multiple on-site and off-site locations), businesses can quickly bounce back from ransomware attacks by wiping affected systems clean and rebooting from a recent backup.
- Establish incident response plans. It’s also important to have procedures and protocols in place in the event of an attack. These response plans involve testing backup systems to verify data integrity and restoration capabilities, conducting regular simulation exercises to understand the effectiveness of such responses, and identifying areas of improvement before a real attack strikes.
- Maintain regulatory compliance. Any business operating in the healthcare industry is required to comply with relevant regulations and standards like HIPAA (the Health Insurance Portability and Accountability Act). More importantly, any HIPAA violation can lead to civil and criminal penalties, substantial monetary fines, and reputational impacts that are difficult to recover from.
- Work with a trusted expert in your community. Not sure how to wrap your head around the long list of recommendations outlined above? Established IT service providers like CMIT Solutions can help you understand emerging threats, promote threat intelligence, implement cybersecurity best practices, and respond when incidents occur. Most importantly, a fellow business owner rooted in your local community will understand the need to solve short-term problems while positioning your company to make sound financial investments that lead to long-term success.
The recent cyberattacks on Lurie Children’s Hospital and Change Healthcare serve as major red flags highlighting the dangers faced by healthcare organizations. Many cybersecurity experts think the industry is at a critical juncture when patients and consumers will demand stronger privacy protections and no longer put up with ongoing digital risks.
At CMIT Solutions, we work hard to stay ahead of industry shifts like that, working with clients across North America to secure data, protect networks, and empower employees to serve as the first line of cyber defense. As a large North American system with more than 25 years of experience and 250-plus offices across the United States and Canada, we deliver threat protection and trusted advice to every client.
Whether you’re a large healthcare system looking for operational stability or a small office that needs to upgrade its systems to better handle financial procedures, CMIT Solutions can help. Contact us today to prevent ransomware and ensure a safer future for your business.