Lessons learned from the Change cyberattack

Just over a year ago, cybercriminals launched a ransomware attack on clearinghouse Change Healthcare in what became the biggest hack to ever hit the healthcare industry.

In late January, UnitedHealth Group, the parent company of Change, estimated that 190 million people were affected in the cyberattack. The hack also stymied provider payments nationwide for weeks, with some organizations still feeling the impacts today.

David Bailey, vice president of consulting services at Clearwater, a firm focused on cybersecurity in healthcare, told Fierce in an interview that the incident highlighted challenges in healthcare beyond fending off digital threats, as organizations grappled with a key service taken offline.

The Clearwater team fielded questions from groups across the industry, and what became clear is that there are still significant barriers to information that organizations need to prepare themselves for a cybersecurity event, even one on a smaller scale than the hit on Change, he noted.

“I believe hospital CISOs should have a security clearance, be read and know exactly what’s happening,” Bailey said. “There needs to be a mechanism, a true mechanism, for information sharing as part of critical infrastructure that doesn’t exist today.”

Cybersecurity and IT leaders in the industry can get snippets of information out of the Federal Bureau of Investigation and analysts who track threat actors, but their knowledge is lacking in a way that could expose critical gaps, he said.

And in the wake of the cyberattack on Change, information was what clients were seeking, Bailey said.

“I think a lot of folks were really yearning for information,” he said, “and I was very thankful that we, just through Clearwater, and my experience with our clients and all of our partners and folks that we have worked with, were able to at least connect the dots.”

For instance, the cybercriminals targeting healthcare are known to experts who track their activity, he said. ALPHV or BlackCat, the gang that conducted the ransomware attack on Change, first appeared in 2021 and hit dozens of organizations in and outside of healthcare in the years leading up to the Change hack.

And given that these are not new problems for healthcare, there are critical steps organizations can take moving forward, Bailey said.

“The great news about all of this is that there really isn’t anything new that we have to tell them,” Bailey said. “And there are priorities and there’s focus areas that we can have organizations really look at and help prioritize.”

For one, it’s key to conduct an assessment to identify an organization’s risk profile and potential vulnerabilities, and then find ways to plug those holes. But, he said, what the Change hack does highlight is that it’s important for healthcare groups to be thinking about vulnerabilities beyond ways that hackers can get into their own platforms.

They also need to be considering external services that would cause massive issues should they go down. When Change was taken offline to contain the ransomware, it also took down critical payment infrastructure nationwide, creating ripple effects across the industry.

Organizations need to identify those vendors or partners and have action plans in place to continue operations should their platforms face a similar breach, Bailey said.

The magnitude of the cyberattack on Change also made it easier for technology executives to go to the top brass and boards of directors to make the case for greater investment in cybersecurity and emergency preparedness, he noted. This hack in particular, given how much of an impact it had, reached people who do not necessarily have the pulse of cybersecurity.

“You have to leverage the opportunity,” Bailey said. “And I think a lot of folks did leverage it. There was a lot of dialogue.”

For instance, if the CEO is making the push for training or security testing exercises, that’s an excellent sign. And that’s a trend Bailey observed following the Change hack.

In addition to looking at risks associated with outside partners, the Change Healthcare attack also highlighted how critical those assessments are in the integration process, Bailey said. UnitedHealth Group closed its acquisition of Change in late 2022, and later revealed that the company was breached on an older server that did not have two-factor authentication enabled.

Integrating systems and different vendor relationships can also expose new vulnerabilities, Bailey said.

Building a response is critical as these attacks aren’t going away. Healthcare is a prime target for cybersecurity threat actors as it has a wealth of valuable data that organizations are likely to pay a ransom to recover. Especially in the wake of the COVID-19 pandemic, these hackers have built sophisticated strategies for targeting organizations directly, rather than catching them in a wide net, as was common previously.

Bailey compared preparing for these entities to a game of Whack-a-Mole.

“I got them today, but tomorrow they’re going to come up through another hole,” he said.

Disclaimer: This story is auto-aggregated by a computer program and has not been created or edited by lifecarefinanceguide.