The healthcare sector needs to get serious about cybersecurity and resilience planning in the wake of the cyberattack against Change Healthcare, as attacks are likely to continue plaguing the industry, experts told Healthcare Dive.
The outage at the UnitedHealth Group subsidiary has hamstrung the industry for more than a month. Providers reported an array of challenges after the attack, from payment disruptions to delayed prior authorization requests.
“Hospitals definitely are reporting to us that their teams are working weekends, they’re working nights,” said Molly Smith, group vice president for public policy at industry trade group the American Hospital Association. “They’ve already for the last month been working massive overtime.”
The financial impact could be serious, especially for smaller providers or those who relied heavily on Change to process claims. Some hospitals have delayed payments to vendors, tapped lines of credit or prioritized payroll, Smith said.
But, even as Change begins to restore its systems, cyberattacks are going to remain a challenge for the industry as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say.
The healthcare sector needs to learn from the wide-ranging impacts from the Change attack — and prepare for the next one.
“As an industry, there’s been a lot of advancement in cybersecurity, but we’re still pretty far behind where we need to be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We need to face the reality that this is an issue that is here to stay for a long time.”
Risk analysis, redundancy protect providers
Health systems need to evaluate where they are most at risk and how an outage could affect their finances and operations, experts told Healthcare Dive.
Many providers haven’t adequately mapped their integral business or patient care operations to the IT products that support them, which makes it challenging to protect those systems or detect intrusions, said Deron Grzetich, leader of the cybersecurity practice at consultancy West Monroe.
“If you don't understand what is critical to patient care, and you don't understand the IT and applications and systems that support that, how can you ensure that you're properly protecting those via the right preventative controls?” he said.
Health systems need to do a risk analysis, identifying where they hold their data, potential threats and vulnerabilities in their systems, controls they have in place, the likelihood of an attack and how it could affect the organization, Cagle said. That would help them prioritize where to spend their resources.
They should assess third parties too and question vendors on their cybersecurity protocols to determine what they should do to mitigate a high risk. For example, if an organization can’t push a vendor to implement improved security, the system could consider switching vendors or putting a backup in place, he said.
Having other vendor options for key operations is generally a smart strategy, experts say. Small providers with weaker finances were more likely to struggle during the Change outage, according to a March report by Moody’s Ratings. Many bigger and geographically dispersed organizations used more than one claims clearinghouse, mitigating some of the revenue hit.
The financial effect from an outage at a vendor like Change, which processes billions of healthcare transactions annually and touches 1 in 3 medical records, also demonstrates the importance of business planning, experts say. Nearly 60% of hospitals reported the revenue impact from the Change attack is $1 million per day or greater, according to a March survey conducted by the AHA.
Health systems should evaluate software and service vendors to know which are key to their cash flows and the impact if one of those products was brought down by a cyberattack, said Kate Festle, a partner in West Monroe’s healthcare M&A group.
Small or medium-sized systems might only have 30 to 60 days of cash on hand, which might not be enough in a longer outage.
“I would hope a lesson learned coming out of this is that every provider, regardless of their size, does a full diagnostic to say, ‘If at any point one of my service or software vendors went away, or was compromised, what would that mean in terms of the cash I would need on hand?’” Festle said.
Why providers struggle to invest in cybersecurity
Cybersecurity is key to operations in an era of increased attacks against the healthcare sector, but many providers haven’t devoted enough resources to preventing incidents or preparing for the fallout, experts say.
Investing in cybersecurity is often a tale of have and have-nots in healthcare, said Greg Garcia, executive director for cybersecurity at the Health Sector Coordinating Council, an industry group that advises the federal government.
Large health systems are likely more advanced in implementing cybersecurity protocols, while small or safety-net providers may struggle to find the funds or talent to advance their preparedness.
“There are a substantial number of hospitals that routinely operate with negative margins. So their ability to tap into resources is much harder,” the AHA’s Smith said. “And then frankly, even getting the technology staff or the cybersecurity staff, that can be very, very challenging, particularly for independent, smaller facilities.”
[Chart omitted. Source: Hospital Cyber Resiliency Initiative Landscape Analysis, HHS 405(d) Program; The State of Supply Chain Risk in Healthcare, Ponemon Institute and the HSCC]
Creating redundancy among vendors could be difficult for some providers too. Many health systems already want to reduce the number of third parties they contract with to cut costs and administrative work.
Building relationships with new vendors takes effort, with more contracts that need to be managed and additional invoices that need to be consistently paid, said Andrew Hajde, director of content and consulting at the Medical Group Management Association.
It could also be difficult to find vendors interested in taking a back-up job, he added.
“A lot of vendors don’t want to just be waiting in the wings to get paid if they’re needed,” Hajde said.
There may not even be sufficient vendors available to create redundancies, or their contracts don’t allow providers to work with another company that offers competing products, Smith said.
Plus, many tools — or large parts of them — are custom built, so it’s a challenge to shift to a new system or train workers on another product, she added.
Feds push for cybersecurity investment
Federal regulators have signaled plans to boost cybersecurity and resilience in the healthcare sector, eventually with financial penalties for hospitals. The HHS released voluntary cybersecurity goals early this year, broken down into essential and enhanced protections that include assessing third-party risks, as well as incident planning and preparedness.
The Biden administration’s proposed budget for 2025 includes funding for hospitals to put cyber protections in place, with penalties rolling out in coming years. Legislation was also recently introduced in the Senate that would allow for advance and accelerated payments to providers in case of an incident, as long as the providers and their vendors meet minimum cybersecurity standards.
The HHS has been building up its cybersecurity strategy for several years, HSCC’s Garcia said. The performance goals aren’t mysterious or new — they’re table stakes.
“The longer term project now could take a couple of years to get it right,” he said. “Tear up the floorboards and look at the plumbing underneath and see where the leaks are. That’s what’s important for us now.”