BLOG

By Dia Black 

The healthcare sector has always been a lucrative target for cybercriminals. This target is rapidly growing and becoming more valuable. Hackers are becoming more sophisticated, yet the healthcare industry’s cybersecurity practices continue to lag behind other sectors. The volume of sensitive data and the criticality of services make the potential impact of a significant information security incident increasingly devastating.  

This is further exacerbated by the complex partnerships, third-party relationships, and interconnectivity within the healthcare sector. The recent incident involving Change Healthcare, part of Optum and owned by UnitedHealth Group, underscores the growing vulnerability of this sector. 

On February 21, 2024, Change Healthcare announced they were experiencing a cybersecurity issue that impacted its payment and pharmacy operations nationwide. 

The Significance of the Incident 

This cybersecurity breach is not an isolated incident but another example of the healthcare industry's escalating threats. It is notable not because it’s unique but because it’s increasingly common. The breach serves as a stark reminder that no organization, regardless of its size or reputation, is immune to the tactics of motivated cybercriminals. 

The attack on Change Healthcare is believed to be the work of a sophisticated nation-state actor. This further emphasizes the scale and complexity of cybersecurity threats. Change Healthcare's systems were forced to shut down, thereby disrupting prescription processing nationwide.  

This should be an industry-wide warning of the potential for significant operational disruption and clinical impact due to cyberattacks. 

What Should You Do? 

• Monitor updates from Change Healthcare: https://status.changehealthcare.com/incidents/  
• This web page provides information about which applications have not been affected and product updates.  
• Follow and subscribe to trusted cybersecurity and healthcare industry news sources. 
• Do not connect or reconnect impacted applications until Change Healthcare confirms that they have been restored. 
• For nonimpacted systems: assess the potential risks to your organization. 

How could disconnecting nonimpacted Change Healthcare systems impact daily operations, including patient care, clinical operations, or business functions? 

Are these more of a threat than the projected impact of a potential network compromise?

If you haven’t had a security risk analysis, it’s time. 

If you don’t have a current inventory of your third parties and tools your organization uses, if you haven’t been rating risks and conducting business impact analyses, it’s time to start. Don’t wait. Don’t be the next headline or industry example. Contact Meditology.

Preparing for a Cybersecurity Incident 

The Change Healthcare incident reinforces the need for robust cybersecurity measures. It’s unlikely you’ll be able to prevent a cybersecurity attack, which is why you need to be prepared.  

Here are some actions you can take: 

1. Asset Management: Map your data and track all of your assets. This includes hardware, software, technical tools, devices, and vendors. Make sure you know who is responsible for managing and maintaining each of these.  
2. Vulnerability Management: Conduct vulnerability scanning and penetration testing. Review the results and be sure you’re remediating or mitigating the findings. Track reputable news sources so you’re aware of threats and trends that could affect your organization. Consider implementing a Security Information and Event Management (SIEM) system and intrusion detection and prevention systems (IPS/IDS). Make sure alerts are monitored and someone is responsible for responding and accountable for the results.  
3. Risk Assessment: At least annually, assess risks to your organization. Are your offensive and defensive plans enough to protect your critical assets? Learn from other organizations’ information security incidents. Review the results, develop a plan, and implement it.  
4. Incident Response and Disaster Recovery Plans: Develop comprehensive response strategies that help triage what to prioritize, projected responses and actions. Are all the key stakeholders involved? Define the triggers, roles, responsibilities, notification obligations, and other considerations. Don’t just focus on likely scenarios. Consider threats that would impact specific locations, patient populations, technologies and systems, vendors, or business operations. Communication plans for internal stakeholders, customers, the general public, media, regulatory agencies, and law enforcement should also be included. 
5. Table-Top Exercises: Don’t let your documented policies and plans gather dust in a binder on someone’s bookshelf. Take them out for a test drive. Conduct table-top exercises to see whether your plans can be implemented. Are they effective? Does your incident response plan adequately address your risks? Is the contact information still correct? Test your incident response and disaster recovery plans regularly, and when there are significant changes to your organization, integrate lessons learned and continually evolve your processes. Practice may not make perfect, but it will certainly help.  
6. Internal Audits: Track changes to and compliance with applicable laws or regulations. Are people monitoring and responding to security alerts? Are applications being patched on a regular basis? Are your identity access controls working? Conduct quarterly audits to ensure that everything is appropriately mitigated and/or remediated. 
7. M&A Due Diligence: Include IT in the pre-acquisition process. Ensure that the target company has robust change management, identity access control, vulnerability management, incident response, and disaster recovery plans in place. Be prepared for the increased likelihood of a cybersecurity incident. Monitor your information systems more closely: significant data breaches occur during and immediately following a merger or acquisition.  
8. Engage Professionals: Engage a third-party firm to conduct a security risk assessment. They can objectively analyze your compliance obligations and suggest an appropriate framework. 
9. Third Party Incident Preparedness: Continuously maintain key security incident response contact information for your critical vendors and ensure you have a way to reach out to them during your own incident response activities. CORL’s Third Party Incident Response platform can automate both activities for you.  

The Change Healthcare incident serves as a stark reminder of the potential havoc that even a third party’s cybersecurity breach can wreak on healthcare providers and patients alike. As cyber threats continue to grow, the healthcare industry must remain vigilant and proactive. Robust preparation, continuous monitoring, and swift response plans are critical to limiting the impact of such incidents. 

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients with actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them. 

In the ever-changing and challenging landscape of healthcare cybersecurity threats, CISOs, and cybersecurity leaders often find it difficult to stay ahead. At Meditology, we provide a comprehensive range of testing services that enable organizations to identify vulnerabilities in their IT environment. Our tests are specifically tailored to the high-stakes and 100% uptime demands of the healthcare IT environment. 

With Meditology, you can ensure the utmost security and protection for your healthcare organization's IT infrastructure. 

Our cybersecurity testing solutions include: 

• Penetration and technical testing 
• Vulnerability management 
• Cloud security testing 
• Medical device and IoT security testing 
• Incident response testing 

CORL, our sister company, offers a service-centered solution that combines technology and services to revolutionize TPRM models for providers and vendors. The best part? CORL’s service-centered approach can be customized to suit your specific objectives and realities. 

TPRM services powered by CORL, our sister company, include: 

• Vendor response validation 
• Vendor risk measurement and reporting 
• Third-party incident response 
• TPRM managed services 

Resources 

UPDATE: UnitedHealth Group’s Change Healthcare’s Continued Cyberattack Impacting Health Care Providers | AHA 

https://status.changehealthcare.com/history  

Author 

DIA BLACK | SENIOR MANAGER, IT RISK MANAGEMENT 

Dia leads the Payment Card Industry (PCI) and MDS (Medical Device Security) service lines at Meditology. She has extensive experience in the information security industry, focusing on risk, security, and compliance. Her work includes collaborating with the FDA and CMS on behalf of medical technology companies and managing multiple programs for the Payment Card Industry Security Standards Council (PCI SSC). She has led information security consulting engagements for organizations ranging from Fortune 20 companies to small non-profits. Dia has a MSc in Cybersecurity, and her certifications include ISO 27001 Lead Implementer and Lead Auditor, Payment Card Industry Professional (PCIP) and Qualified Security Assessor (QSA).  

https://www.linkedin.com/in/diablack