The healthcare sector must take cybersecurity and resilience planning seriously in the wake of the cyberattack against Change Healthcare, as attacks will likely continue to plague the sector, experts told Healthcare Dive.
The outage at the UnitedHealth Group subsidiary paralyzed the industry for more than a month. Suppliers reported a series of challenges after the attack, from payment disruptions to delayed prior authorization requests.
“Hospitals are clearly reporting to us that their teams are working weekends and nights,” said Molly Smith, group vice president for public policy at the industry trade group American Hospital Association. “For a month already, they have been working massive overtime.”
The financial impact could be serious, especially for small suppliers or those who relied heavily on Change to process claims. Some hospitals have delayed payments to vendors, tapped credit lines or prioritized payroll, Smith said.
But even if Change begins to restore its systems, cyberattacks will remain a challenge for the sector as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say.
The healthcare sector must learn from the broad impact of the Change attack and prepare for the next one.
“As an industry, a lot of progress has been made in cybersecurity, but we're still pretty far from where we should be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We have to face the reality that this is a problem that will persist for a long time.”
Risk analysis, redundancy protect service providers
Health systems need to assess where they are most at risk and how an outage could affect their finances and operations, experts told Healthcare Dive.
Many providers have not properly linked their business or patient care operations to the IT products that support them, making it difficult to protect those systems or detect intrusions, said Deron Grzetich, West Monroe's cybersecurity practice leader.
“If you don't understand what is essential to patient care and you don't understand the IT, applications and systems that support them, how can you ensure that you are properly protecting them through the appropriate preventative controls?” he said.
Health systems should conduct a risk analysis, identifying where they hold their data, the potential threats and vulnerabilities in their systems, the controls they have in place, the likelihood of an attack and how it could affect the organization, Cagle said. This would help them prioritize where to spend their resources.
They should also evaluate third parties and ask vendors about their cybersecurity protocols to determine what they need to do to mitigate high risk. For example, if an organization can't push a vendor to implement enhanced security, the system might consider changing vendors or implementing a backup, he said.
Having other provider options for key operations is usually a smart strategy, experts say. Smaller providers with weaker finances were more likely to have difficulties during the Change outage, according to a March report from Moody's Ratings. Many larger, geographically dispersed organizations have relied on multiple claims clearing centers, thereby mitigating some of the revenue loss.
The financial impact of an outage at a provider like Change, which processes billions of healthcare transactions each year and affects 1 in 3 medical records, also demonstrates the importance of business planning, experts say. Nearly 60% of hospitals reported that the revenue impact of the Change attack amounts to $1 million a day or more, according to a March investigation by the AHA.
Health systems should evaluate software and service providers to know which ones are critical to their cash flow and the impact if any of those products were destroyed by a cyberattack, said Kate Festle, a partner in West Monroe's health care mergers and acquisitions group.
Small or medium-sized systems may only have 30 to 60 days of liquidity, which may not be enough in the event of a longer outage.
“I hope the lesson learned from this is that every vendor, regardless of size, does a full diagnostic to say, 'If at any point one of my service or software vendors disappeared or was compromised, what would that mean in terms of how much money I would need on hand?'” Festle said.
Why Vendors Struggle to Invest in Cybersecurity
Cybersecurity is essential to operations in an era of increased attacks against the healthcare industry, but many providers have not devoted enough resources to preventing incidents or preparing for their consequences, experts say.
Investing in cybersecurity is often a story of haves and have-nots in health care, said Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council, an industry group that advises the federal government.
Larger health systems are likely further along in implementing cybersecurity protocols, while smaller providers or safety net providers may struggle to find the funds or talent needed to advance their preparedness.
“A significant number of hospitals routinely operate with negative margins. So their ability to tap into resources is much more difficult,” said the AHA’s Smith. “And then frankly, even recruiting technology staff or cybersecurity staff, this can be very, very difficult, especially for small independent installations.”
Creating redundancy between providers could also be difficult for some providers. Many health systems already want to reduce the number of third parties with whom they contract to reduce costs and administrative work.
Building relationships with new providers takes effort, with more contracts to manage and additional invoices to pay consistently, said Andrew Hajde, director of content and consulting at the Medical Group Management Association.
It also might be difficult to find suppliers interested in taking on replacement work, he added.
“A lot of sellers don’t want to just wait in the wings to get paid if needed,” Hajde said.
There may not even be enough suppliers available to create redundancy, or their contracts may not allow suppliers to work with another company with competing products, Smith said.
Additionally, many tools — or a large portion of them — are custom-built, so it's difficult to switch to a new system or train workers on another product, she added.
Federal government pushes for investment in cybersecurity
Federal regulators have announced plans to strengthen cybersecurity and resiliency in the healthcare sector, possibly including financial penalties for hospitals. HHS published voluntary cybersecurity goals earlier this year, broken down into essential and enhanced protections that include third-party risk assessment and incident planning and preparation.
The Biden administration's proposed budget for 2025 includes funding for hospitals to implement cyber protections, with penalties expected in coming years. Legislation was also recently introduced in the Senate that would allow early and expedited payments to providers in the event of an incident, provided that providers and their suppliers comply with minimum cybersecurity standards.
HHS has been building its cybersecurity strategy for several years, the HSCC's Garcia said. Performance goals are neither mysterious nor new: they are table stakes.
“The longer-term project might take a few years to perfect,” he said. “Tear up the floorboards, look at the plumbing underneath and see where the leaks are. This is what is important to us now.”