Hackers are learning health plans’ infrastructure and are attacking the places with the highest value information. Transferring data is the weakest point in the healthcare ecosystem, panelists said at the AHIP meeting in Las Vegas.
In the wake of the Change Healthcare cyberattack, information security has taken on increased importance.
Healthcare organizations are now the second top target for hackers, Ari Schwartz, managing director of Cybersecurity Services at the law firm of Venable, said during a session on cybersecurity at the annual AHIP meeting in Las Vegas.
Change Healthcare, a UnitedHealth company that provides claims processing, was hacked on Feb. 21, 2024, which created huge disruption to pharmacy and medical claims services, including electronic prescribing, claim submission and payment transmission. A group representing itself as ALPHV/Blackcat had launched the cyberattack, United Health officials said. The federal Cybersecurity & Infrastructure Security Agency (CISA) issued an updated warning about ALPHV/Blackcat on Feb. 27, 2024.
Ransomware attacks in healthcare are increasing. In the first month after Change Healthcare paid hackers $22 million to unlock its systems, there were 44 additional healthcare-related attacks, Wired reported earlier this week.
“Personal and health information have significant value,” Clark Harshbarger, director, Incident Response at CrowdStrike, a cybersecurity technology company based in Austin, said during the AHIP session.
“Threat actors are not worried about shutting down critical systems. They are learning your EMR systems or ERP systems so that they have fine detail of how to navigate within your infrastructure and attack those places with the highest value information. As we move to cloud and SaaS based operations, they are also becoming familiar with that infrastructure.”
Healthcare is particularly vulnerable to breaches, speakers said, because the industry is an ecosystem of partners delivering care — and sharing information. Application programming interface (API) is the mechanism for data transfer, and this is often the weakest link in the healthcare ecosystem. This is the point where data are vulnerable to attack even if the systems that hold the data are well-protected.
API systems were designed to focus on availability, confidentiality, and data integrity, Harshbarger said.
Schwartz said that in the past, there was a lot of focus on compliance. “That’s understandable because that was seen as the biggest liability for a healthcare company,” he said. “But that isn’t the biggest liability currently. That’s not to say that compliance isn’t part of a good risk management program.”
What’s just as important as compliance is being prepared for a cyberattack and having a plan to lessen the impact of an attack. The speakers at AHIP agreed that it’s difficult to stop all attacks.
“Compliance can be a distraction on the front end and the back end, but it can distract you from the overall objective of adding layers of security,” Harshbarger said.
“I’m seeing chief information security officers (CISO) are being elevated to the executive team and at the board level,” said Steve Roberts, CEO, Eclipz Cybersecurity, which provides encryption technology. “They can help provide that risk-reward assessment. Getting a seat at that table is imperative for helping the company recognize that it’s not if but when you are going to have a data breach of some scale.”
Panel members said it’s important to have mechanisms in place to help prepare organizations for a potential attack that includes how to address anomalies and what to do if an attack happens.