Electronic Health Reporter

By David Sampson, VP of Cyber Risk & Strategy, Thrive.

In February, hackers took Change Healthcare offline in one of the most high-profile and wide-reaching cyberattacks to date. Change Healthcare serves hundreds of thousands of providers in the U.S. and processes billions of transactions every year. With Change Healthcare’s systems compromised, cash stopped flowing for hospitals and physician offices everywhere. Providers couldn’t submit new claims, pharmacies couldn’t charge appropriately for prescriptions, and prior authorizations couldn’t go through for critical procedures.

Even after Change Healthcare’s parent entity, UnitedHealth Group, paid a $22 million ransom to the group behind the attack, there’s still risk that sensitive patient data could be leaked online. More importantly, the healthcare industry saw how a cyberattack on a third-party vendor could directly interfere with patient care.

Unfortunately, cyberattacks on the healthcare industry are growing – and, like the Change Healthcare attack, can wreak havoc on everyday operations and impact patient safety. However, if hospitals take the right precautions, they can mitigate these risks and better protect themselves from hackers, ransoms, and disruptions to business.

The Importance of Evaluating Third-party Vendor Risk

Healthcare organizations often rely on third-party vendors for various services. Delivering high-quality patient care is complicated in and of itself. Building an ecosystem that includes services and solutions like telemedicine, wearables, digital electronic medical records (EMRs), patient-centered mobile apps, and other cutting-edge innovations is impossible for smaller healthcare providers.

Many times, the best way to extend the range of services offered is to work with third-party vendors. The problem is this outsourcing expands the surface area of attack for cyber criminals. Every third-party vendor relationship comes with a new IT integration and potential entry point for hackers. In other words, more third-party vendors means increased organizational risk.

Healthcare leaders must recognize this tradeoff and think intentionally about how best to strike the balance between healthcare excellence and IT integrity. Before onboarding a new vendor, providers must conduct thorough audits, identify all vulnerabilities, and work constantly to ensure systems are integrated in a safe, secure, and resilient fashion. This is not a point-in-time exercise, but one that both healthcare providers and vendors have to engage in regularly to keep intruders away from sensitive patient data.

Responding Effectively to Cyber Incidents

When cyber incidents do occur, healthcare providers and vendors must be ready to respond. Improving IT resilience means not only uncovering risk proactively, but also containing the blast radius of any attacks. As the Change Healthcare situation revealed, this means providers must be able to continue operating successfully while minimizing the data lost to malicious actors.

Health systems and providers should review their cyberattack response plans frequently and make updates as needed. IT teams should simulate fake attacks through initiatives like penetration testing and evaluate how well their systems and processes respond to different types of threats. Just as cybersecurity technology is always improving, so are cybercriminals and their techniques. There is no room for complacency, especially in an industry as attractive to hackers as the healthcare space.

Building a More Resilient Industry

Sophisticated cybersecurity is no longer a nice-to-have feature; it’s an essential function for any healthcare group – and maintaining resilient IT systems and robust response plans requires participation from both inside an organization and the industry at large.  The broader healthcare sector can benefit from more collaboration between all stakeholders – health systems, insurers, regulators, and the greater cybersecurity community. Experts from all sides should come together often to discuss best practices, share lessons learned, and set security standards that keep more groups safe from cyberattacks.

An information sharing and analysis center (ISAC) or similar industry consortium could also serve as a centralized place for collecting data about the biggest known cybersecurity threats. Such a repository would enable healthcare organizations to assess their own capabilities against known issues and take action to address gaps or vulnerabilities. It would also help regulators better understand where to implement stricter compliance standards that force better cybersecurity behavior.

Just as gaining insight and expertise from outside sources would be valuable for healthcare organizations, so too could partnering with a managed security services provider – especially for smaller healthcare providers, pharmacies, and health systems that don’t necessarily have the resources to stack into in-house teams. These groups can also monitor security trends and best practices when it comes to thwarting the latest types of attacks, so those within the organization can focus on what matters most: delivering exceptional patient care.

As the healthcare sector depends more and more on interconnected digital technologies, the cybersecurity function is only going to increase in complexity. By shifting to a more proactive posture, the healthcare industry will be able to avoid more situations like the Change Healthcare incident, thereby protecting sensitive patient data and ensuring continuity of care when it matters most.