The 2024 Change Healthcare attack was a hacker’s delight! The staggering cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), raises significant governance questions.
Change Healthcare processes over 15 billion medical transactions annually, handling nearly one-third of U.S. patient records. The February ransomware attack, which resulted in a $22 million ransom payment, led to the shutdown of critical services, affecting 131 million patients and nearly 67,000 pharmacies nationwide. Still in evaluation and post-aftermath impact, the total cost for UHG is estimated to be between $2.3 billion and $2.45 billion this year, about $1 billion more than previously reported.
The American Hospital Association (AHA) deemed this incident “the most serious of its kind against a U.S. healthcare organization,” reporting that 94% of hospitals faced adverse financial impacts, with over half experiencing significant challenges.
Many providers reported cash flow issues, with nearly 60% estimating daily revenue losses exceeding $1 million. The repercussions extended to patient care, with 74% of hospitals reporting delays and setbacks, necessitating labor-intensive workarounds.
The urgent need for effective cybersecurity measures has never been more apparent as the healthcare sector continues to grapple with the aftermath of this fallout.
Although UnitedHealth paid the ALPHV/BlackCat ransomware gang a $22 million Bitcoin ransom after the attack, Change Healthcare took several vital measures to enhance cybersecurity following the devastating cyberattack, such as:
- Notifying Customers and Patients: Change Healthcare notified hospitals, insurers, and other customers that the attack may have exposed patient information.
- Reviewing Impacted Files: The company has reviewed over 90% of impacted files and found no signs that doctors’ charts or complete medical histories were taken.
- Offering Credit Monitoring and Identity Protection: The company offers to pay for two years of credit monitoring and identity theft protection for people concerned about their exposed information.
- Investigating the Attack: Change Healthcare is still investigating the full scope of the attack and how the hackers gained access to its systems.
- Restoring Core Systems: After the attack, UnitedHealth CEO Andrew Witty stated that all of Change Healthcare’s core systems, including claims payment and pharmacy processing, were functional again.
Cybersecurity Strategies for Smaller Companies
UnitedHealth Group has paid over $3.3 billion to providers affected by the breach, which was especially challenging for smaller healthcare providers who rely heavily on timely reimbursements.
This incident is a stark reminder that even large organizations are vulnerable, prompting the question: if a giant like UnitedHealth Group can be compromised, how can smaller companies protect themselves?
Smaller healthcare organizations must adopt robust cybersecurity measures to protect their operations. Here are essential strategies to consider:
1. Disable Inactive Accounts
Review user accounts regularly and deactivate any inactive or unnecessary accounts. This reduces the risk of unauthorized access through forgotten or unused credentials.
2. Implement Firewall Geo-blocking
Configure firewalls to restrict traffic to only those geographical locations relevant to the business. For instance, a US-based company should limit access to traffic originating from the US, minimizing exposure to international threats.
3. Restrict Remote Access
Limit remote access to only those employees who need it. Regularly review access rights to ensure only essential personnel have remote capabilities, preventing potential breaches through less secure accounts.
4. Subscribe to Security Operations Center as a Service (SOCaaS)
SOCaaS is a cost-effective solution for smaller companies looking to enhance their cybersecurity posture in a scalable manner. This proactive approach can help identify and mitigate threats before they escalate into significant breaches.
5. Implement Password Rotation Policies
Adopt policies to restrict access for former employees and minimize the risk of shared passwords, ensuring only current staff can access company systems. It also helps reduce the impact of any breach, as compromised credentials are frequently updated.
6. Conduct Administrative Role Reviews
Regularly audit administrative roles within systems. Limit access to elevated privileges to only those who require it, reducing the risk of insider threats.
7. Invest in Phishing Awareness Training
Implement training programs to educate employees on recognizing phishing attempts. This can significantly reduce the likelihood of falling victim to scams that could compromise sensitive information.
8. Secure Internal Systems
Ensure that internal systems are not exposed to the internet. Access should be restricted through VPNs, protecting sensitive patient data from external threats.
Safeguard Your Healthcare Organization from Becoming the Next Target With ‘Healthy’ Cybersecurity
The cyberattack on Change Healthcare was an eye-opener for all healthcare providers. Organizations must upgrade their defenses to navigate skillfully as the digital landscape becomes more hostile. Implementing these cybersecurity strategies can help companies add extensive layers of protection to their operations against potential threats. proactive measures are essential to protecting the organization and the patients and communities it serves. As healthcare evolves, prioritizing ‘healthy’ cybersecurity will be crucial in maintaining trust and operational integrity.