Will the Change Healthcare case finally make providers do a business impact analysis?

Supply Chain Attacks on Hospitals

Just over a month after the cyberattack on Change Healthcare disrupted business operations, prescription access, and billing for providers across the country, UnitedHealth Group last week confirmed what industry leaders had suspected: patient data was compromised during the incident.

For several weeks, a second ransomware group known as RansomHouse has claimed to have accessed and acquired over 4 terabytes of data tied to Change Healthcare. Early reports indicate the UnitedHealth subsidiary had already paid BlackCat, also known as ALPHV, $22 million to restore access to its encrypted data.

These claims have not been verified by the insurance giant, but both Axios and Reuters reported seeing data samples offered as proof that included patient data. If RansomHouse's claims are true, Change Healthcare is now in a double extortion scenario.

Initial estimates from UnitedHealth indicate the cyberattack will cost the company $1.6 billion. While that is a staggering number, company executives still expect to meet the 2024 earnings forecast. And although $1.6 billion would be a devastating loss for the majority of healthcare organizations, it is a drop in the bucket for the insurance giant: the company reported $281.4 billion in full-year revenue for 2023, with an operating earnings increase of $16.4 billion.

UnitedHealth reportedly expects the disruption to have no significant impact on its bottom line. The bottom lines look far less healthy for the hundreds of thousands of Change Healthcare customers who relied on its services.

The fallout takes shape

The most concerning news this week is not these staggering numbers, but reports that neither UnitedHealth nor Change Healthcare will see any real fallout. The biggest losses are being felt right now by the smallest providers: rural hospitals, specialists, and other health systems.

A poignant piece from Minnesota Public Radio describes in detail what providers across the U.S. face: impacts akin to those of the COVID-19 pandemic. In one example, a small practice of licensed social workers saw all of its existing claims for payment stop immediately after the outage, as Change Healthcare pulled those systems offline.

While workarounds were provided to soften the blow, small providers, clinics, and hospitals across the country have been borrowing against mortgages, requesting payment leniency, and resorting to other financial workarounds just to make payroll. Some clinics have reported a 70% decrease in revenue in just one month.

What's more, the financial assistance offered as a workaround came with a burdensome application form, and even those whose applications were accepted did not receive enough support to cover the scale of their losses.

For their part, Change Healthcare and UnitedHealth are encouraging those who need assistance to reach out. But for most providers, questions remain about how much some patients owe, along with concerns about billing patients for the entire backlog at once.

No one has conducted an adequate business impact analysis

The complete picture of the cyberattack's impact may not be seen for months, or even years. But it is painfully clear that none of the impacted healthcare entities had conducted an adequate business impact analysis (BIA). And because of the rampant nth-party relationships in healthcare, it is possible no one ever will.

Believe it or not, this is not the first major discussion in healthcare about the importance of BIAs and the need to identify mission-critical systems so they can be sustained in the wake of a cyber incident. These conversations bubble up in response to cyber events, especially in healthcare, each and every time.

The last comparable service disruption began in late 2021, when Kronos, a human resources and payroll vendor, suffered a widespread ransomware attack and remained offline for more than a month. A number of health systems were unable to pay workforce members or correctly track hours, leading to employee lawsuits, financial losses, and other impacts.

Disgruntled employees and clients took to the media to vent their frustrations, asking why contingencies had not been put in place to ensure employees were paid. The consensus was that healthcare entities needed accurate BIAs to determine which systems are critical to business operations, and contingencies that would allow operations to continue through at least four weeks of downtime, the average period of downtime.

But as media coverage waned, progress on shoring up contingencies faded.

Hospitals and healthcare delivery organizations have faced some of the most stressful situations in their history in recent years. But compliance checklists, free resources, and security standards have proved insufficient for the majority of healthcare entities. Limited security talent and a poor understanding of how to prioritize remediation have left persistent gaps that essentially leave the door open to attackers.

In 2021, MITRE told SC Media that the key to limiting the fallout of an incident, so that patient care and necessary business operations can continue, is a well-practiced response plan. Remediation priorities will vary by entity and by what each considers mission critical, but ensuring the workforce knows what to do in the event of system outages is essential.

If enterprise security leaders cannot eliminate the risk, what needs to happen is clear: healthcare entities need an effective BIA paired with a well-practiced incident response plan, one that identifies which systems are mission critical and the processes or workarounds needed to prevent massive financial losses and patient safety risks.

Instead of BIAs, many organizations have been leaning heavily on their cyber insurance policies. But this transfer of risk is no longer a viable option on its own. Insurers now require specific action plans, and without preventive measures and BIAs, premiums are being increased by as much as 50% or coverage is being denied altogether.

Effective cyber planning begins with identifying the risks and the most critical elements of the enterprise that are necessary to maintain business operations, especially payroll and claims. An effective BIA will deliver these insights when it is performed by an experienced team with healthcare expertise, given the unique, patient-facing impacts that accompany technology disruptions.

It is easy to point fingers with 20/20 hindsight after a cyberattack. But a post-mortem analysis will help the healthcare sector assess its shortcomings and move forward smarter and more secure. Progress can only occur if stakeholders continue to hold these conversations and act on the lessons learned and the recommended actions.

Toby Gouker, chief security officer, First Health Advisory

The industry has talked about BIAs for years, and most providers still lean on cyber insurance in the wake of an attack. That has to change.

Toby Gouker

The former Provost of the SANS Technology Institute, Toby Gouker brings a wide breadth of privacy and security expertise to First Health Advisory's cyber health practice. Coupled with years of experience in the federal healthcare IT industry, his expertise sits at the nexus of cybersecurity, health policy, and healthcare risk management. With over 30 years of industry experience and 10 years in education, Gouker is both a scholar and a practitioner, offering healthcare organizations guidance on business tools and techniques that help them protect IT and data assets.

LinkedIn: https://www.linkedin.com/in/toby-gouker-phd-chisl-gslc-cism-cpem-5285901/