In February, a massive cyberattack on UnitedHealth-owned Change Healthcare disrupted many healthcare organizations' financial operations.
The industry is still recovering. Suppliers had difficulty receiving payments, verifying coverage, and submitting prior authorization requests. CMS has issued guidance on payment flexibilities to provide support to suppliers affected by the Change outage.
The attack impacted Change's complaints information centers as well as its network of pharmacies. In a recent call for results, UnitedHealth executives said that while most of Change's operations have resumed, the company should not expect to return to “expected service levels” until 2025.
Healthcare Dive spoke with two cyber experts – Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI – about how healthcare organizations can recover from the attack and what they should do to protect themselves in the future.
This interview has been edited for clarity and length.
HEALTHCARE DIVE: An American Hospital Association survey found that 94% of respondents were financially impacted by the Change attack. Why were so many providers affected by this breach?
PHIL MORRIS: The cyberattack on Change Healthcare is very similar to the Francis Scott Key Bridge incident in Baltimore. It sits at the heart of a very complex ecosystem that we call healthcare delivery and payment systems here in the United States. They handle many claims (pharmacy benefit managers), imaging, analytics and revenue management.
This is truly a weak point in health care resilience, because we have such a profit-driven health care system that the destruction of that organization has had a ripple effect not only on hospitals, but also on network providers, pharmacies and patients. The repercussions of this situation will be felt throughout the health system for some time.
CHAD PETERSON: Unfortunately, there are too many eggs in one basket, and this has been the main bottleneck for many healthcare systems that conduct their treatment through (Change Healthcare). So what they did was hit the most vulnerable area to have the biggest impact.
How will the growing use of artificial intelligence impact the ability to predict and stop cyberthreats in the healthcare sector?
PETERSON: AI is not a silver bullet. We won't go that far. But I think one of the biggest benefits of AI will be the ability to automate some mundane tasks to ensure that basic blocking and grappling gets done. You do everything to proactively identify different problems within your system. Once you know this attack path, use something like AI to recreate this attack path to see if you are still vulnerable.
MORRIS: AI will be enabling and disruptive. This will help you make your organization's data more accessible so you can use it to make better decisions.
There are a lot of risks in using AI this way. And there's a lot of risk in creating your own large language models to run yourself. And we see clients using AI in both directions and spend a lot of time advising them on how to manage risk, regardless of how they adopt the AI paradigm.
What steps should healthcare providers take to protect themselves following this type of massive cyberattack?
PETERSON: Perform basic blocking and measurement, from account management to multi-factor authentication and identifying potential vulnerabilities. Know your attack points and identify areas of your environment that are essentially like Swiss cheese on the inside. So it's about doing your due diligence to know what you have, what you're susceptible to, and then prioritizing how to correct or at least mitigate many of those issues to make yourself less vulnerable. This is basic risk management.
Make sure this incident response plan is not only created, but also tested. This goes beyond what I do while it's happening or how to identify something; that's whether I have backup systems or contingency plans in place, although unfortunately that goes back to paper documentation.
And make sure your staff is trained, whether it's from a technical standpoint, how they protect data, what to click on, what not to click from a phishing standpoint.
MORRIS: This is where this idea of proactive security becomes really important. When something bad happens, are you ready? Not if something bad happens, are you ready? We spend a lot of time advising our clients on these scenarios so they can be better informed on how to be resilient and recover from them.
And how does proactive security apply to healthcare in particular?
PETERSON: I think it's even more important in healthcare because unfortunately, in general, the emphasis on safety is not as high from a budgetary perspective. You need to be proactive with your security fundamentals, integrate them into the way you do business, and make them an integral part of your daily operations. And you create this “proactive” (strategy) simply by making it the way you do business.