
A year since the Change Healthcare breach, what have we learned?

by News7

It’s been nearly one year since reports started emerging that Change Healthcare, the enormous clearinghouse, was experiencing a significant cyberattack.

The company – which processes claims for hundreds of thousands of physicians, pharmacies and others, handling some 15 billion transactions each year – had been hit by BlackCat ransomware and essentially debilitated.

In the weeks and months afterward, the fallout continued as the size and scope of the breach became apparent, with countless healthcare organizations nationwide of all shapes and sizes unable to get their claims paid.

It was also revealed in UnitedHealth Group testimony before Congress that hackers had been able to gain access to Change’s network thanks to the absence of simple security tools like multifactor authentication.

By the end of 2024, the attack was easily the biggest healthcare data breach of the year and – so far at least – all time. Even as recently as this past month, the number of impacted individuals was revised upwards, with some 190 million individuals having been affected, according to a January report.

In the 12 months since that far-reaching cybersecurity event, what lessons have we learned?

We heard recently from several vendor execs at companies in all corners of the industry about their experience – and about their thoughts on what positives might have emerged from the breach that was felt across healthcare.

“This incident was a stark reminder of unresolved vulnerabilities involving vendors, third parties, and partners – issues long debated but largely unaddressed,” said Scott Mattila, chief information security officer and chief operating officer at cybersecurity firm Intraprise Health, a Health Catalyst Company.

“While the breach was a significant setback, it spotlighted systemic problems, spurring overdue legislative progress and driving innovation among healthcare cybersecurity leaders,” he said. “Although challenges remain, this breach has set the stage for imminent changes as we move into 2025.”

Those lessons include understanding the “critical importance of a robust security framework, like HITRUST, to manage security risks and protect sensitive data,” added Jonathan Shoemaker, CEO of ABOUT Healthcare, which develops AI-powered patient throughput tools. “It also reminds us of the importance of operating with high quality best practices to measure and monitor risks that ultimately help us protect our systems, data, and clients’ patients effectively.”

The weeks-long downtime put a spotlight on the need to have healthcare information where and when it’s needed – and offered a lesson in the need for iron-clad security.

“Data is invaluable, so we must be more diligent in safeguarding the data we store and transmit,” said Kim Perry, chief growth officer at emtelligent, the AI-enabled analytics company. “This is especially critical as we seek to increase data liquidity to meet the requirements of HITECH, HT-1, and other health data and interoperability standards.”

The incident “highlighted the vulnerabilities inherent in centralized healthcare platforms, where the concentration of sensitive data can become a prime target for cybercriminals,” said Dr. Michael Poku, chief clinical officer at value-based care company Equality Health.

“To mitigate such risks, we must invest in advanced security measures, including quantum security technologies, to protect our systems,” he added. “Enhancing endpoint detection and response capabilities is also crucial. Additionally, robust employee education programs are essential to prevent phishing and other cyber threats.”

A year since the Change Healthcare breach, “we’ve gained a profound understanding of the critical need for stronger cross-industry collaboration,” said Jett Reidy, chief product and technology officer at revenue cycle management firm EnableComp.

“Payers, providers, clearinghouses, EHRs and revenue cycle companies need to establish redundancy and create multiple layers of protection to both defend against and respond to the ever-present threat of cyberattacks,” said Reidy. “By sharing insights and resources, we can enhance our collective defenses and safeguard the healthcare ecosystem more effectively.”

But it starts with the basics, and simple tools, such as MFA, said Chris Carmichael, senior VP of business development at R1, which specializes in revenue cycle and patient experience.

“The healthcare industry still has significant progress to make in combating increasingly sophisticated cyberattacks,” he said. “Far too many organizations prioritize convenience over security, leaving themselves vulnerable.

“Simple but impactful measures, such as implementing multi-factor authentication, rigorous employee training and consistent third-party security testing can go a long way toward safeguarding systems,” he added. “The industry must embrace a culture of proactive cybersecurity to protect sensitive data and maintain trust in the digital age.”

Mike Miliard is executive editor of Healthcare IT News.

Healthcare IT News is a HIMSS publication.

Source : Healthcare IT News
