by – Rinkle Dudani & Team AHT
In the early hours of February 21st, Change Healthcare, a company largely unfamiliar to many Americans yet deeply intertwined within the U.S. healthcare system, made an unsettling announcement: some of its critical applications were “currently unavailable.”
What initially seemed like a minor technical hiccup soon escalated into a full-blown cybersecurity crisis, sending shockwaves throughout the healthcare industry.
As the day progressed, Change Healthcare revealed the true nature of the disturbance—a cyberattack! This revelation marked the beginning of a rapidly unfolding crisis, impacting not only the company itself but also rumbling across the broader healthcare system.
Change Healthcare & United Health Group
Change Healthcare was recently acquired by the insurance behemoth UnitedHealth Group. The company is a major health Tech player and processes 14 billion transactions annually, ranging from vital payments to crucial insurance authorisation requests.
However, the ramifications of this cyber assault extend far beyond corporate concerns. Hospitals find themselves unable to receive payments, pharmacies struggle to process prescriptions, and countless patients face disruptions in accessing essential healthcare services.
Who is Behind this Attack?
Media reports are pointing fingers at ALPHV, a notorious ransomware group also known as Blackcat, as the potential perpetrator behind the cyberattack on UnitedHealth. ALPHV ransomware group has garnered fame for its involvement in numerous high-profile cybercrimes and has been the subject of intense scrutiny by law enforcement agencies worldwide.
While UnitedHealth Group has characterised the attack as a “suspected nation-state associated” incident, some external analysts have questioned this attribution.
In December, the Department of Justice alleged that victims of the Blackcat ALPHV ransomware had already paid hundreds of millions of dollars in ransoms, stressing the scale and profitability of their illicit activities.
Moreover, in a deleted message posted on their darknet site, the group claimed responsibility for stealing millions of sensitive records, including medical insurance and health data, from UnitedHealth. The group has remained elusive despite repeated attempts by media outlets, including Reuters, to reach out to Blackcat for comment.
How Common Are Such Cyber Attacks?
Cyber attacks targeting the healthcare sector have become increasingly common, with 2023 setting a grim record for health-related cybercrime. According to a January report from The HIPAA Journal, there were 725 large healthcare security breaches last year, surpassing the previous record of 720 breaches.
How Does This “Alleged” Blackcat Hack Affect Patients?
In the aftermath of the Change Healthcare attack, patients may be redirected to alternative pharmacies less affected by billing issues. However, billing and prescription processing delays persist, worsening the strain on patients seeking timely access to essential medications and care.
Moreover, the compromised security of patients’ medical records raises the spectre of identity theft. Individuals may face heightened vulnerability to fraudulent activities depending on the nature of the stolen data. While companies often provide free credit monitoring services in the event of a data breach, the repercussions extend beyond financial concerns to potential impacts on patients’ health and well-being.
Disturbingly, research also suggests a correlation between ransomware attacks and increased mortality rates among patients in affected hospitals.
As investigations continue, patients remain in limbo, grappling with uncertainties surrounding the security of their sensitive medical information. Federal agencies, including the Department of Health and Human Services, are closely monitoring the situation.
What Can Be Done Now?
In light of the escalating threat posed by cyberattacks on the healthcare sector, organisations must take immediate action to bolster their cybersecurity defences and enhance their resilience to potential breaches. Drawing from recommendations provided by the AHA and other cybersecurity experts, here are essential steps that organisations can take:
1. Test Network Security, Redundancy, and Data Backups
This presents an opportune moment for organisations to assess the security, redundancy, and resiliency of their networks and data backups. Utilising backup technology that renders backups “immutable” can safeguard against data deletion, alteration, or encryption by malicious actors. Ensuring that backups remain offline further mitigates the risk of data compromise.
2. Patch Known Vulnerabilities
Organisations should prioritise patching high-criticality vulnerabilities, particularly those that are internet-facing and have been exploited. Timely patching helps close security gaps and fortify defences against potential cyber threats.
3. Review and Test Incident Response Plans
Cyber incident response plans should be thoroughly reviewed and tested to ensure they are well-coordinated and integrated with emergency management plans. Testing callout procedures for activating incident command structures and backup communications plans is essential, especially in scenarios where primary communication channels such as email and VoIP may fail.
4. Enhance Business and Clinical Continuity Procedures
Reviewing and reinforcing downtime procedures for both business and clinical continuity is paramount. Organisations should ensure that mission-critical and life-critical functions can sustain operational disruptions, including a potential loss of information and medical technology, for up to 30 days.
5. Designate Downtime Coaches and Safety Officers
Designating experienced individuals as downtime coaches and safety officers for each shift can facilitate the implementation of downtime procedures in the event of an EMR and medical technology outage. These individuals can provide guidance and leadership to ensure safe and quality care continuation during operational disruption.