How hospitals are trying to identify the next Change Healthcare


Healthcare leaders are coming together to try to identify and prevent the next big cyberattack like the huge 2024 hack of Change Healthcare.

The Health Sector Coordinating Council Cybersecurity Working Group, a public-private partnership comprising hundreds of entities such as hospitals and health systems, has been mapping out choke points across the industry that hackers could exploit to cause large-scale disruptions at healthcare organizations.

“It gives them an opportunity to ask: Who is doing this for us, and what is the relative risk of that service to our workflow?” Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, told Becker’s. “Is this a service that has low redundancy or no redundancy? Are there not many companies doing this, or is it a company that’s based in another country that might not be friendly to the United States?”

The 2024 ransomware attack on Change Healthcare delayed claims and prescription processing for large swaths of the country. The company, less known at the time, processes 1 in 3 healthcare transactions. The hack also exposed the healthcare data of an estimated 190 million Americans.

The working group is trying to answer the question: Are there any other Change Healthcares out there? Members are mapping out critical functions of the industry — such as pharmacy, payments, medical imaging, blood supply and distribution — and identifying where concentrated risk exists among third-party vendors.

“What happens when it does go dark?” Mr. Garcia explained. “What is our backup plan? What redundancies have we built into the system? What is our incident response capability?”

The group is looking into how to not only identify risky vendors but prevent cyberattacks against them. For instance, group purchasing organizations might require minimum cybersecurity standards before a company can sell to their hospital and healthcare system clients.

“Then we actually can prevent it through the power of the purse, by incentivizing better cybersecurity by the third-party provider,” Mr. Garcia said.

The group plans to publish the map to council members by the summer. The report won’t name the at-risk companies but will allow health systems to research the vendors they use for the specific bottlenecks.

“The government may very well, once they look at those maps, do their own assessment of all of those service providers,” Mr. Garcia said. “So government takes that responsibility to engage with the private sector if it isn’t already regulated. How is it that we try to maintain a minimum level of security and resiliency on those critical functions that support critical infrastructure?”

Just because a company has a large market share doesn’t mean it has a poor cybersecurity posture, Mr. Garcia noted.

“It doesn’t mean that they are negligent,” he said. “It just means that they are in a position of being vulnerable and of being a choke point or a single point of failure.”
