Cyber Resilience After the Change Healthcare Breach

By: Jennifer Yoo , Sari Heller Ratican , Ana Razmazma , Blair Mills , Samuel Dodson

What You Need to Know

  • The 2024 Change Healthcare cyberattack significantly disrupted healthcare operations nationwide, which affected 152 million patients and could cost UnitedHealth Group an estimated $1.6 billion this year.
  • Healthcare data, due to its sensitivity and operational urgency, is a prime target for cybercriminals, with attacks doubling from 2016 to 2021.
  • Cyberattacks can yield severe real-world implications such as technical outages and subsequent financial instability across the healthcare landscape.
  • In the aftermath of the Change Healthcare breach, healthcare entities should heed cybersecurity recommendations from regulatory bodies to prevent future attacks and mitigate post-attack enforcement actions.

More than two months after the February 2024 Change Healthcare cyber-ransom attack, the healthcare industry continues to grapple with the fallout, creating significant challenges, disruptions, and outages to the healthcare operations of hospitals, physicians, pharmacists, and other healthcare providers across the country. And the known impact continues to expand as most recently, Change Healthcare, owned by UnitedHealth Group (UHG), confirmed the compromise of personal information including protected health information of some of its 152 million patient customers. During its recent first-quarter earnings call, UHG reported it has advanced more than $6.5 billion in payments to thousands of affected providers through its interest-free loan program and also stated that the cyberattack could cost the company up to $1.6 billion this year.

In light of the “unprecedented magnitude” of the cyber-ransom attack, the Department of Health and Human Services (HHS) publicly announced it is investigating Change Healthcare and UHG, exemplifying the importance of internal compliance and security measures across the healthcare industry. In addition to the ongoing investigation, on May 1 UHG CEO Andrew Witty faced both chambers of Congress, where Change Healthcare was criticized for lacking basic security controls to prevent the initial hack – with Sen. Ron Wyden (D-OR) stating that such controls were the equivalent of “Cybersecurity 101”—and where Witty was implored to provide specific timelines for when patients and providers would be “made whole” and when impacted parties would be identified and notified.

Background

Change Healthcare, a billing support vendor to providers, pharmacies and insurers, has been dealing with an extensive series of ransomware attacks since February 2024 that have disrupted providers and pharmacies across the U.S. and led to delivery backlogs for prescription drugs. The first attack was linked to the ALPHV Blackcat operation, which said it stole 6 TB of data and demanded a $22 million ransom payment. Change Healthcare recently confirmed it paid the ransom as part of its commitment to protect patient data from disclosure. Now, a second group, RansomHub, has obtained Change Healthcare’s stolen data, which the group claims includes “sensitive” medical records, hospital bills, payment information, patients’ Social Security numbers, and company contracts with business partners. As of April 16, 2024, the bad actors have started to release some of the stolen data and demanded payment to prevent the release of further information.

Why Health Data Is Vulnerable to Ransomware Attacks

From 2016 to 2021, the annual number of ransomware attacks on healthcare delivery organizations more than doubled, with common disruptions being electronic system downtime, cancellations of scheduled care, and ambulance diversions. Hospitals and other organizations with health data are highly vulnerable to cyberattacks due to their collections of sensitive patient information and because of the need for health systems to resume operations as quickly as possible. To protect patients’ sensitive information and to resume providing care, health systems often have a higher incentive to make ransom payments. Charges filed by the U.S. Department of Justice in 2023 against a cybercriminal network with alleged ties to Russian intelligence indicates that U.S. hospitals paid over $100 million to just one organization that year. Moreover, smaller hospitals and healthcare practices are particularly at risk as financial and human resources may not be sufficiently allocated to securing patient information.

Real-World Implications

While the impacts of the Change Healthcare attack continue to unfold, a look at recent healthcare provider cyberattacks demonstrates commonly reported implications are intricately connected—namely, the technology outages that leave healthcare providers unable to review and record treatment records, submit treatment orders and prescriptions electronically, schedule appointments and procedures, process claims, receive and transmit payments, and provide cost estimates lead to financial instability and operational gridlock across the healthcare continuum.

This and the many prior cyberattacks highlight the necessity for the healthcare sector, especially those entities processing or facilitating transactions, to carefully review and act on the cybersecurity recommendations from the HHS, the American Hospital Association (AHA), and the Cybersecurity and Infrastructure Security Agency (CISA). These agencies carefully review current vulnerabilities impacting healthcare providers and suggest protocols for protecting against vulnerabilities aimed at crippling payment systems, information security controls, and healthcare providers’ ability to provide care for patients. Not only will alignment with agency recommendations prevent or deter future attacks, but it could likely mitigate the severity of enforcement actions imposed by such agencies in the aftermath of an attack.

How to Shore Up Privacy and Security Controls to Deter Bad Actors

Compliance with both enforced regulations and voluntary recommendations is critical for entities and providers within the healthcare industry—both to maintain data integrity, confidentiality, and availability as well as to protect against severe enforcement actions should an attack be successful. From what has been learned from the Change Healthcare breach to date, suggested controls include:

  • Identifying and even contracting with a vetted backup clearinghouse (i.e., intermediary) to engage in the event the primary clearinghouse is compromised or down;
  • Regularly reviewing and, where appropriate, implementing authoritative industry recommendations such as those published by the HHS, AHA, and CISA;
  • Using agency-created resources, such as the HHS Security Risk Assessment Tool or NIST HIPAA Security Rule Toolkit, to ensure compliance with the HIPAA Security Rule;
  • Implementing HHS’s voluntary healthcare-specific Cybersecurity Performance Goals in internal cybersecurity policies and practices;
  • Regularly assessing the cybersecurity practices of vendors and partners, particularly those handling sensitive health data, to ensure they meet required security standards and current best practices;
  • Updating and testing disaster recovery and business continuity plans to harden policies and procedures for key IT systems, including its internal Active Directory, and third parties in the event of a cyberattack; and
  • Staying informed of the tactics used by specific threat groups targeting the healthcare sector, such as the ALPHV Blackcat ransomware group.

HIPAA Compliance Recommendations

HIPAA compliance requires adherence to its many rules including the HIPAA Security Rule, which establishes standards to protect electronic personal health information (PHI) created, received, used, or maintained by a covered entity and its business associates. The Security Rule requires certain risk assessments be conducted to confirm access to PHI is appropriately restricted and unauthorized disclosure, alteration, and destruction is prevented.

Further, the Security Rule requires covered entities and their business associates to “[i]implement policies and procedures to prevent, detect, contain, and correct security violations” (45 C.F.R. § 164.308(a)(1)). Among other specific requirements, this required security risk management process calls for a risk analysis and an information system activity review incorporating an assessment of the reasonably anticipated risks and vulnerabilities to the confidentiality, integrity, and availability of PHI held by the entity. As part of his May 1 Congressional testimony, Witty acknowledged the hackers accessed the Change Healthcare network through compromised credentials used to access a company server that lacked multi-factor authentication—an absent control overlooked by the company’s security auditors.

As security vulnerabilities evolve as bad actors’ skills and capabilities improve, to remain compliant and appropriately safeguard e-PHI, HIPAA covered entities and their business associates must ensure their existing security risk management procedures require the regular effectiveness and coverage assessments of security controls implemented by both the covered entity and their business associates.