Industry Voices—Change Healthcare attack: Where do we go from here?

Change Healthcare’s parent company UnitedHealth has said that “a substantial proportion of people in America” could be affected by the cyberattack that has crippled vital parts of the U.S. healthcare system since February.

The company, which is reporting costs related to the attack of $870 million to date and is projected to cost a total of $1.35 billion to $1.6 billion this year, also warned it will most likely take months to identify and notify the customers and individuals affected.

Lawmakers have rightfully raised questions about the cyber risks associated with a handful of healthcare companies holding dominant positions, and many providers continue to deal with the fallout of not being able to receive payment for their services for an extended period of time.

As CEO of a large healthcare cybersecurity firm, I know as well as anyone that we cannot prevent every hack, but we can be prepared for them. This event was utterly predictable, and the ongoing aftermath has made it abundantly clear that the extended healthcare ecosystem is not nearly well enough prepared for inevitable events like this.

Healthcare has become increasingly more digital and dependent on technology to deliver care, making it much more susceptible to, and more highly impacted from, cyberattacks. Yet many healthcare organizations still don’t meet basic industry standards. Healthcare continues to spend among the lowest amounts of all sectors on cybersecurity. The Security Budget Benchmark Summary Report published this past November by IANS and Artico Search shows healthcare cybersecurity spending to be 8.1% of the IT budget. That figure puts healthcare spending ahead of only retail (7.2%), 3.5 points behind the overall average across all sectors, and far less than half of tech (19.4%).

In a capital-intensive industry with compressed margins, increasing costs and many competing priorities, underinvesting in cybersecurity has been the standard for most healthcare organizations. But, with cyberattacks on our health system continuing to grow in frequency and sophistication, and ransomware incidents resulting in disruption in patient care, is this acceptable?

Keeping up with the constant stream of zero-day vulnerabilities and required patches, securing endless new software applications and detecting and responding to the never-ending barrage of attacks from cybercriminals is a huge task for resource-constrained internal IT teams at healthcare organizations and their vendors but something that every organization must now do well in order to protect their patients and remain operational.

Investments in new technology must be coupled with greater investment in cybersecurity. And not just by hospitals and health systems but the health IT companies and the broader ecosystem that is a target of cyberattacks.

Our industry is made up of an extended network of vendors and vendors-to-vendors that are vulnerable and, as we’ve seen with Change Healthcare, can create enormous ripple effects when data and systems are not available. My firm works regularly with health systems to run real-world incident response exercises responding to all kinds of cybersecurity scenarios. The goal of these rehearsals is to make sure everyone knows what to do.

Healthcare organizations—and their vendors—must also perform Business Impact Analysis to understand how the loss of an information system affects a business process and the impact to patient care or revenue. While these processes require investment, they are the only way to understand the requirements for disaster recovery and business continuity solutions. This is the work that everyone from vendors to payers to providers to government needs to be doing. While we hope we never have to respond to a cyberattack, the chances are that at some point the organization will, and it will be grateful it followed these industry best practices.

For many, it is a matter of not just the willingness but also the ability to make the necessary investments in cybersecurity, and our government needs to accelerate efforts to provide support.

The state of New York has recognized the challenge that many healthcare providers face and is providing $500 million in grant funding to support healthcare investments in technology and cybersecurity, while also taking steps to enact new regulations governing hospitals’ data privacy and security practices.  

The Biden administration’s budget proposal for fiscal year 2025 indicates recognition of the challenge at the federal level as well. The proposed budget would add $800 million to help “high need, low-resourced hospitals” cover the initial costs of implementing basic cybersecurity practices, and it includes a $500 million incentive program for more robust digital defenses. These incentives will later come with penalties for those that do not comply with basic cybersecurity practices.

Robust security practices based on industry standards like the NIST Cybersecurity Framework, including ongoing risk analysis and risk response, and well-exercised incident response and business continuity plans, must happen at all healthcare organizations, including health IT companies. This is the only path forward to win the war against cybercriminals, and accomplishing this is only realistic with commitment from leadership teams and support from our government at all levels.

The Change Healthcare attack, along with recent ransomware attacks on hospitals and other healthcare organizations, have been devastating. Unfortunately, until we change our approach to how we support and prioritize cybersecurity investments, we can continue to expect to see these attacks and the accompanying impacts to our healthcare system and our patients. Boards and executives must prioritize cybersecurity at healthcare organizations, and, for those smaller provider organizations with limited resources, we must have more support and resources from our government.

Cybersecurity is patient safety. We must do more as an industry and as a nation to ensure healthcare cybersecurity programs are appropriately funded.

Steve Cagle, the CEO and a board member of Clearwater, is responsible for leading Clearwater’s strategic growth plan and managing the cybersecurity company’s overall operations. He has extensive experience leading, innovating and scaling healthcare and technology businesses, including guiding numerous companies through critical transformation periods.