Why healthcare cyberattacks last so long

The cyberattack on Change Healthcare that has caused disruptions across a wide swath of the industry has entered its third week. But why do these IT outages last so long?

It's a combination of ensuring that the hackers are no longer in the system and closing the vulnerability that allowed them to breach it in the first place, according to John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.

"The victim must figure out how the bad guys broke into their network, where they are, throw them out and then seal that technical 'hole,'" Mr. Riggi told Becker's.

So it's not uncommon that IT interruptions persist weeks into a ransomware attack, like the one on UnitedHealth Group's Change Healthcare that took its payer and pharmacy applications offline. Lurie Children's Hospital of Chicago still doesn't have its MyChart patient portal restored following a Jan. 31 hack. The Joint Commission and AHA previously told healthcare organizations to plan for a month of downtime following a cyberattack.

But Mr. Riggi, who spent more than two decades at the FBI, said it could take even longer to fully recover. "These disruptions could linger for several months or a year, and legacy systems that may not have been backed up or destroyed during the attack may become totally unrecoverable," he said.

In the meantime, patients and providers can be left in limbo, unable to access online medical records or pay or bill for services.

"First, the victim organization and their forensics team must ensure that the adversary which penetrated their network has been isolated and eradicated from the network," Mr. Riggi said. "Depending upon the size and complexity of the network this could prove challenging."

Change Healthcare, which processes 15 billion transactions annually, is huge. AHA President and CEO Rick Pollack called the cyberattack the "most serious incident of its kind leveled against a U.S. healthcare organization."

So this type of healthcare hack is already unprecedented. The recovery likely will be as well.

"Once the adversary is contained, steps must be taken to ensure the adversary has been totally eliminated from the network and no 'back doors' have been left behind," Mr. Riggi explained. "Then, once deemed safe to do so, which may take weeks, a methodical and sequenced restoration of services must begin — and that is if the backups themselves have not been corrupted or encrypted."

Change Healthcare is working alongside law enforcement as well as some heavy hitters in the cybersecurity field — Google subsidiary Mandiant and Palo Alto Networks — on the response. The company said March 5 it plans to have its data center rebuilt and database cancer services restored this week before turning its full focus to the reinstatement of applications and services.

"Rest assured, if we suspect an issue, we will immediately sever connections," Change Healthcare stated. "Safe restoration remains of utmost importance. We will not take shortcuts, and we continue to work around the clock to get there."

Copyright © 2024 Becker's Healthcare. All Rights Reserved.
