The February cyberattack on UnitedHealthcare's subsidiary Change Healthcare affected healthcare organizations across the country as revenue flow was crippled. But what has healthcare learned from the incident?
'[Don't] put your eggs in one basket'
According to CNBC, Change Healthcare operates the largest clearinghouse for medical claims in the U.S. and handles nearly 15 billion transactions annually, interacting with 1 in 3 medical records.
The attack, which forced Change to disconnect from more than 100 systems, did not allow the company to process medical claims.
Aaron Weismann, chief information security officer of Radnor Township, Pa.-based Main Line Health, told Becker's this has taught healthcare organizations to not "put all your eggs in one basket."
"From what I've read and heard, the downstream catastrophic impacts of the attack were a result of Change being responsible for predominately or all of some healthcare organizations' revenue cycle and/or clearinghouse activities," he said. "If claims can't be processed, for whatever reason, revenue halts pretty abruptly."
Flagstaff, Ariz.-based North Country Healthcare had 98% to 99% of its claims processed by Change as CMS recommends using a single clearinghouse, Darrell Bodnar, the health system's CIO, told Becker's. When the hack hit, the organization had to process some paper claims and move to another third-party clearinghouse.
"We had to make these decisions within days of [the Change hack] happening," he said.
Vasanth Balu, CIO of Bozeman (Mont.) Health, told Becker's that going forward, healthcare organizations need to establish connections with several clearinghouse systems rather than one.
"Processing all transactions through a single clearinghouse risks delayed payments," he said.
The risks posed by third-party vendors
James Wellman, CIO of Gloversville, N.Y.-based Nathan Littauer Hospital and Nursing Home, told Becker's the Change hack revealed how vulnerable healthcare is to third-party attacks.
"Our reliance on complex interconnected systems and third-party vendors exposed our exposure to cyberattacks that I think many of us neglected to address as we probably placed too much trust in the 'system,'" he said. "The risk to the healthcare ecosystem was exposed, and we can expect more of these types of attacks in the future."
According to a Security Scorecard report, third-party breaches have had a profound effect on healthcare. Thirty-five percent of healthcare organizations have encountered such breaches, while 98% of these organizations have ties to third parties that have experienced breaches.
Zafar Chaudry, MD, chief digital officer and CIO of Seattle Children's, told Becker's the key takeaways from the hack involve enhancing scrutiny of vendors' cybersecurity protocols and "building in redundancies to avoid relying on a single source."
Nicole Perez, vice president of health information services at Astoria, Ore.-based Columbia Memorial Hospital, echoed Dr. Chaudhry's statement, saying the hack emphasized the need for third-party risk management to be on everyone's radar.
"We need to understand not only the security posture of the organizations we contract with, but also the organizations that they contract with," she told Becker's.
This is extremely important as Will Landry, CIO of Franciscan Missionaries of Baton Rouge, La.-based Our Lady Health System, told Becker's it had a few minor services that were affected during the hack that the organization did not know were recently acquired by Change Healthcare.
"Continual risk and security assessments are critical in understanding and documenting vendor relationships that create single points of failure with our SaaS services," he said.
A 'defibrillator shock'
"The Change Healthcare cyberattack is a wake-up call, like a defibrillator shock to our cybersecurity heart," Muhammad Siddiqui, CIO of Richmond, Ind.-based Reid Health, told Becker's. "Healthcare organizations must prioritize cybersecurity as a strategic investment, allocating resources to implement advanced threat detection, incident response capabilities and regular security audits."
In 2023, health systems experienced 46 ransomware attacks, up from 27 in 2021 and 25 in 2022, according to a report from cybersecurity firm Emsisoft. Ransomware was listed as one of the biggest safety concerns in health technology for 2024 by nonprofit patient safety organization ECRI.
The Change hack coupled with the increase in sophisticated cyberattacks is causing CIOs to strengthen their organizations' cybersecurity posture.
"CIOs like myself are looking to fortify their cyber posture both through increasing our cybersecurity budget and simplifying our technology profile to better manage attack vectors," Mark Albright, CIO of Oceanside, Calif.-based Tri-City Medical Center, told Becker's.
Similarly, Allentown, Pa.-based Lehigh Valley Health Network has implemented stringent measures to protect its organization, Luis Taveras, PhD, CIO of the organization, told Becker's. These include utilizing complex passwords with more than 15 characters, employing dual-factor authentication for all applications, conducting monthly phishing exercises with severe repercussions for failure, installing insider threat software and restricting external email access to non-essential personnel.
Increased cybersecurity collaboration
The Change hack also underscored the need for healthcare organizations to have a more collaborative approach.
"Every cyberattack including the Change Healthcare attack emphasizes the need for greater collaboration on cyber events and cybersecurity," Mr. Albright said. "Collaboration on everything from the actual threat intelligence to joint incident responses. This includes promoting transparency after the experience of a cyberattack."
In April, Scott MacLean, chair of CHIME and CIO of Columbia, Md.-based MedStar Health, testified during a hearing about the Change Healthcare ransomware attack. In it, he said hospitals are often reluctant to share information about cyberattacks — even with one another — because of liability concerns.
Institutions are also advised against such transparency due to legal and reputational concerns, Mr. Albright said.
"Organizations have to adopt the 'not if but when' mentality when it comes to a cyberattack," he said. "My experience with a recent cyber event was that the government sector could offer very little and other institutions who also had such an event didn't want to share. Collaboration and transparency will help to increase everyone's cyber position."
Regarding what's next, Mr. Wellman said healthcare will have to continue to evaluate and learn from this event, adding that acknowledging that the disruption to delicate financial processes will pose a significant challenge for numerous organizations.