Healthcare organizations need prompt, actionable advice to enhance their cyber resilience, ensuring more secure and convenient communications and services for patients, shareholders, third parties, staff, and other affiliates moving forward.
The healthcare industry is dealing with unprecedented disruption. The recent cyberattacks on Change Healthcare—ransoming the organization twice and broadly impacting third parties—have deeply affected both patient experiences and financial operations. Attackers will continue to exploit vulnerable healthcare organizations, especially since those organizations often do not know that the vulnerabilities exist.
From a cybersecurity perspective, the Change Healthcare attacks are rife with implications of industry shortcomings. Many healthcare organizations allocate insufficient resources to cybersecurity, leading to outdated systems, inadequate training, and limited incident response capabilities. When employees in healthcare settings are not well-versed in cybersecurity best practices, organizations are far more susceptible to phishing attacks and other social engineering tactics. One of the first lines of defense is training within the organization to ensure employees are educated in executing best practices.
Additionally, healthcare data is highly valuable and appealing to cybercriminals because of the comprehensive personal information it contains, meaning that, however much an organization invests in defenses, attackers will still devote their resources to defeating the latest protections.
Although compliant does not necessarily mean secure, healthcare organizations are still required to comply with stringent regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), which governs the protection of patient health information. Compliance requirements can be complex and challenging to navigate, diverting resources from proactive cybersecurity measures.
Take Stock of the Full Perimeter
The Change Healthcare attack stemmed from an exploited third-party vulnerability, so companies need to continue to mature controls to manage and protect their full attack surface. Third-party cybersecurity vulnerabilities in healthcare organizations often result from inadequate vetting processes where organizations fail to thoroughly assess the security practices of third-party vendors before engaging in partnerships. This lack of scrutiny can lead to the adoption of vendors with insufficient security measures, thereby exposing healthcare systems to risks.
Additionally, insufficient contractual agreements may result in unclear responsibilities and liabilities regarding cybersecurity, which leaves gaps in protection. Integration challenges also contribute—for example, connecting third-party systems with internal healthcare networks can introduce vulnerabilities if not done securely. The dynamic nature of cybersecurity threats means that even compliant vendors may face risks if they fail to adapt.
To safeguard against third-party cybersecurity vulnerabilities, healthcare organizations must implement rigorous vendor risk assessment procedures before engagement to thoroughly evaluate third-party vendors’ security practices and compliance. Robust contractual agreements should be established, outlining clear security requirements, data protection measures, and incident response protocols. The same level of scrutiny applied to internal systems should be turned outward to each touchpoint and endpoint, building a more certain picture of the security of an organization’s full perimeter.
Healthcare perimeters are also in flux due to heightened personnel transitions in the post-pandemic era, with turnover and vacant positions at an all-time high. Enhancing onboarding and offboarding protocols in healthcare organizations is crucial. Beyond meticulous management of employee permissions, organizations must prioritize establishing comprehensive protocols that ensure seamless transitions while minimizing the risk of exploitation.
Automation is a powerful tool to support this endeavor, streamlining onboarding and offboarding procedures to mitigate human error and bolster efficiency. By automating the provisioning and de-provisioning of access privileges, organizations can increase security and reduce the potential for unauthorized access during transitional periods.
Focus on Core Resilience Services
Operational resilience encompasses the entire timeline of preparedness, response, and recovery. It includes key aspects such as emergency response, incident response, crisis management, business continuity, and cyber resilience/disaster recovery.
We recommend the Cyber and Operational Resilience framework (CORe) to our clients. It starts with establishing program governance, then assesses resilience through risk and business impact analyses (BIA), determines the strategies and solutions that best fit organizational structures and guidance, exercises and tests the implemented security protocols, and measures their performance.
Proactive surveillance is one of the first fundamental steps, particularly through anomaly detection systems, to empower timely threat neutralization and mitigate potential damages. Techniques such as single sign-on (SSO) and multi-factor authentication (MFA) represent foundational measures in bolstering access controls, significantly reducing the risk of unauthorized breaches.
To stay ahead of sophisticated adversaries, organizations should explore adaptive MFA, which dynamically adjusts authentication requirements based on risk factors. They should also employ attribute-based access controls, which grant permissions based on specific user attributes and can add layers of complexity that deter malicious actors, minimizing the potential impact of any security incidents.
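The automated de-provisioning described under the perimeter section and the adaptive MFA and attribute-based access control described here can be expressed as one access decision. The following is an added illustration, not code from the article or from CORe; the attributes, risk signals, thresholds and sample subjects are constructed assumptions, and a hypothetical `decide` function returns allow, step-up or deny for a single request.

```python
from dataclasses import dataclass

# Constructed sample model; attribute names and thresholds are assumptions.

@dataclass
class Subject:
    user_id: str
    role: str                  # e.g. "clinician", "billing", "vendor"
    active: bool               # False once offboarding automation has de-provisioned the account
    department: str = ""
    mfa_verified: bool = False # True when a fresh MFA factor was presented this session

@dataclass
class Context:
    new_device: bool = False
    outside_network: bool = False
    after_hours: bool = False

def risk_score(ctx: Context) -> int:
    """Adaptive-MFA input: each risk signal raises the score (weights are assumed)."""
    return 2 * ctx.new_device + 2 * ctx.outside_network + 1 * ctx.after_hours

def decide(subject: Subject, resource: dict, ctx: Context) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for one access request.

    Lifecycle state is checked first, then attribute rules, then the adaptive
    step-up, so a deny is never downgraded to a step-up by a clean context."""
    if not subject.active:
        return "deny"          # offboarded: no access regardless of role or MFA state
    if resource["contains_phi"]:
        # Attribute rule: PHI only for clinical or billing staff of the owning department.
        if subject.role not in ("clinician", "billing"):
            return "deny"
        if resource["department"] != subject.department:
            return "deny"
    if subject.role == "vendor" and resource["tier"] != "vendor_portal":
        return "deny"          # third parties stay inside their integration surface
    # Adaptive MFA: PHI needs a fresh factor on any risk signal; other data on high risk only.
    threshold = 1 if resource["contains_phi"] else 3
    if risk_score(ctx) >= threshold and not subject.mfa_verified:
        return "step_up_mfa"
    return "allow"
```

Because the rules are ordered, a de-provisioned account or a vendor outside its portal is denied before any risk scoring runs, which is the point of pairing automated offboarding with the access policy.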
Regular audits and assessments of core resilience protocols and procedures are essential to ensure alignment with evolving threats and organizational needs. Embracing a proactive and adaptive approach while keeping the fundamentals in mind not only improves cybersecurity posture but also instills confidence in patients and stakeholders regarding the protection of their sensitive information and the integrity of healthcare systems.
Prioritize the Business Case for Cybersecurity
The financial repercussions of a cybersecurity breach can be staggering and encompass direct costs such as regulatory fines and legal fees as well as indirect costs such as loss of revenue, remediation expenses, and damage to market value. By investing in cybersecurity, organizations mitigate these financial risks and ensure long-term viability and profitability in an increasingly competitive market.
Healthcare organizations rely heavily on their reputation to attract patients and partners. A single data breach can tarnish years of hard-earned trust and credibility. Fostering a culture of accountability and vigilance, where employees feel encouraged to report suspicious activities promptly, is a crucial line of defense to protect business interests against sophisticated cyber threats.
Regular simulations of phishing and business email compromise (BEC) attacks can enhance staff readiness and resilience, ensuring healthcare organizations effectively protect patient data and organizational integrity against evolving cyber risks by mirroring real-world, costly scenarios.
Avoid History Repeating Itself
Stringent regulatory frameworks, though occasionally difficult to navigate from a security standpoint, are strict for a reason. Healthcare data is a treasure trove for identity theft, insurance fraud, and other nefarious activities; it remains relevant for years and provides cybercriminals with enduring opportunities for exploitation. It is therefore paramount that healthcare organizations do everything in their power to ensure history does not repeat itself.
Medically and financially, healthcare organizations and their patients cannot afford another Change Healthcare-style attack. Training programs should educate internal staff and third-party vendors on cybersecurity best practices and threat recognition. Additionally, ensuring secure integration of third-party systems with internal networks, as well as engagement with regulatory bodies for guidance and updates, enhances the overall cybersecurity posture of healthcare organizations.
By fortifying defenses and staying vigilant, we can chart a path forward that safeguards the integrity of healthcare systems and thwarts the recurrence of devastating cyber incidents.