In wake of Change Healthcare, CrowdStrike outages, health systems look to diversify, strengthen supply chain

2024 has been a year that has tested healthcare organizations' cyber resilience, and shone a spotlight on critical vulnerabilities.

In late February, UnitedHealth Group’s Change Healthcare unit faced a significant ransomware attack, sending shockwaves through the healthcare sector with far-reaching financial consequences. Change is a major component of UHG's claims processing and revenue cycle management services.

Per a survey released in March, "94% of hospitals reported some financial impact stemming from what the American Medical Association called 'the most significant and consequential cyberattack' on healthcare in the country's history."

Just a week after the Change Healthcare attack was disclosed, the President’s Council of Advisors on Science and Technology (PCAST) released a report on fortifying the nation’s cyber-physical systems. Cyber resiliency is now a critical topic that's front and center for every healthcare provider, payer, vendor, health tech company and supplier.

"The report got into some critical truths about how we need to start thinking about cybersecurity differently and really focusing less on efforts to predict and respond to threats but more that we build systems that can adapt to change and disruption and withstand attacks. Maybe not defeat them, but stay up and running and keep critical services and critical functions going without exception," Taylor Lehmann, director of the Office of the Chief Information Security Officer at Google Cloud, said during a recent virtual roundtable on healthcare cybersecurity.

"We've seen the need for this in 2024," Lehmann continued "This has been quite a year where resilience and our lack of were put on display. As an industry, our supply chain has experienced tremendous interruption earlier this year, with technology architectures, teams and organizations who are affected by some of the largest security events in the history of cybersecurity, and unfortunately, the largest examples were in the healthcare industry in particular."

Cybersecurity leaders at major health systems and leading health insurers say they are now keenly focused on building more a resilient healthcare ecosystem rather than just reacting to threats. But that effort requires more collaboration across the industry, including public-private partnerships. 

It also requires a shift in how companies manage their supply chains.

During the roundtable, hosted by Google Cloud, CISOs at Northwell Health, Highmark Health, Novant Health and ChristianaCare shared key lessons learned from the massive Change Healthcare ransomware attack and CrowdStrike IT outage this year, and insights into how their security strategies are evolving.

And while healthcare organizations are fighting an ongoing battle against escalating cyber threats, there's reason for optimism about the sector's resiliency, according to Greg Barnes, CISO at Highmark Health.

"It's easy for us to look at what's happened in the last year or two and to get caught up in this redacted timeline, where we're only thinking about the bad things that have happened. It's much more difficult to take a look back across the history of this problem and recognize that most organizations have gotten much, much better," Barnes said during the virtual roundtable. "We see punctuations of major events that feel tectonic, and maybe indeed are tectonic. It's very important, I think, to maintain perspective, broadly speaking, that we are getting better."

He added, "There's no win or lose in this fight. The saying goes, 'There is no finish line for winners, but there is a starting line for quitters.' We're in that mode of just making sure that we continue to run the race that we need to run."

Here are five key lessons and best practices for healthcare cybersecurity:

Assessing 'single points of failure' in the supply chain

Consolidating vendors is no longer the name of the game in healthcare, according to health system CISOs.

"The Change Healthcare event really shed light on the fact that we are reliant on certain key critical partners that, if unavailable, can cause material disruption to our organization," said Anahi Santiago, CISO at ChristianaCare. "Over the last few months, we've been having a lot of conversations about the fact that, although we have a dedicated cybersecurity team in place at our organization to serve and protect the organization, there are external factors having to do with the supply chain that can be very disruptive, which we cannot necessarily affect beyond doing security risk assessments and putting in appropriate contractual language. Inevitably, the interconnectedness of our organizations in this industry can be critical and can have material disruptions."

ChristianaCare is a nonprofit health system comprised of three hospitals—with more than 1,200 beds—as well as outpatient and other services throughout northern Delaware and the surrounding area. Santiago said the organization is now assessing where it may have "single points of failure in its supply chain" and where it can diversify.

"At one point, consolidation was key to reducing complexity by reducing the amount of partners that we have, which then makes things more manageable. What we're learning now is that if we have those single points of failure, we can run into a lot of problems,' she noted.

The "pendulum is swinging," Santiago noted, towards more diversification in the supply chain to have backups in the event that a key partner has a cybersecurity event. "It think what has come out of the Change Healthcare incident is a recognition by our organization that just having a cybersecurity program inside the organization isn't enough to protect us," she noted.

"I don't think we can understate the importance of having the diversification of our key suppliers to make sure that we can continue operations and regularly exercise business continuity or operational plans so that if a system is impacted, the organization can continue to operate and provide the services that it does," noted Kathy Hughes, Northwell Health's CISO.

'Can't work in silos': Urgent need for more collaboration, information sharing

Strengthening the healthcare ecosystem will require all stakeholders working together and more public-private collaboration, all the CISOs agreed during the roundtable discussion.

"This is not something that an individual company can solve or an individual entity can solve. It's something that the government can't solve by itself, but it's something we need to very rapidly understand and begin to collectively respond to," said Barnes. And while the Change Healthcare cyberattack caused massive disruptions to claims processing and rev cycle operations, Barnes noted that a future attack could be much worse if a company that sits at a pivotal point in the healthcare ecosystem were to be hit. 

"Change Healthcare certainly wasn't the first supply chain attack we've ever seen. And here's a bold prediction, it won't be the last one. But worse than that, to my way of thinking, it's not even the worst one that I can imagine in the healthcare ecosystem. That particular attack did not actually disrupt drug supply. It only indirectly affected urgent healthcare," he said.

Healthcare organizations working in silos face the challenge of "limited staff, limited needs and limited capabilities," Santiago noted.

She is a member of the board at the Health-ISAC (H-ISAC, Health Information Sharing and Analysis Center), a non-profit, member-driven organization. These types of organizations can share vital physical and cyber threat intelligence and best practices with each other, she noted.

"Becoming a member of Health-ISAC, you become part of an industry-wide community that is there to lift each other up, to educate each other, to share information, to share, not only threat intelligence, but also capabilities and how we're collectively solving problems. Being able to leverage those kinds of partnerships can help us augment our own internal capabilities and therefore also improve the industry as a whole," she said.

She also pointed to the Healthcare Sector Coordinating Council as another valuable resource. HSCC has more than 400 healthcare industry organizations working together.

"They are working together to collaborate and build capabilities for the industry in terms of developing artifacts on how to implement strong cyber defenses, how to build strong incident response plans and on how to implement model contract language so that we are all not reinventing the wheel when we're working with third parties on mutual protections for implementation across the organization," Santiago said. "These are public-private partnerships that have really helped the industry advance its capabilities over the years."

Lehmann stressed that information sharing among healthcare stakeholders should be "acceptable and tolerated" to protect the overall sector.

"It's not OK that it took days or hours or even minutes for the indicators of compromise to come out of any of the major security events we talked about," he said. "That stuff needs to be able to be shared quickly and rapidly and without necessarily compromising the organization's integrity or getting attorneys and lawyers stood up to like fight information sharing for reasons of self-protection, as opposed to sector protection. We need to do more to make it easier to share information." 

Addressing the 'cybersecurity poverty line'

The healthcare industry, as a whole, needs to improve its competency in cyber defense, the health system CISOs noted.

While larger health systems can afford to invest in dedicated cybersecurity leaders and capabilities, less-resourced organizations are falling behind.

"Healthcare organizations, sector-wide, as a general matter, tend to operate on lower margins so their ability to attract and retain and develop the most competent defenders in the marketplace is therefore necessarily limited," Barnes noted. "It's even more greatly magnified when we're talking about those organizations that live below what some of us refer to as the 'cybersecurity poverty line. Organizations like small and rural and even inner-city hospitals. It's difficult enough to attract and retain when you have the means, and healthcare arguably sits at the bottom of that escalator."

Membership in organizations like the Health-ISAC and HSCC  would be a "step in the right direction" for many of these smaller, less-resourced organizations, he noted.

Better information sharing also will help to address these gaps and help the industry become collectively stronger, Santiago noted.

"I serve on one of the working groups for underserved provider communities, and the work that we're doing is really to help identify what are the challenges that small- to mid-sized organizations or inner-city organizations that live under the 'cyber poverty line' are facing. What are the challenges that they're experiencing and what are the tools and the things that they need in order for us to elevate them and give them a level playing field through that public-private partnership," Santiago said. "I think the way for us to really improve cyber resiliency across our industry is by working together, collaborating and working with our federal government partners to find ways and means to collectively improve our cyber posture across the industry."

Many smaller, rural and inner-city organizations and medical clinics might not be aware of the resources, like Health-ISAC, that are available and also face barriers to leverage those resources.

There is a role for larger healthcare organizations to play, along with collaborations with the federal government, to support these providers, Barnes acknowledged.

"I think whatever the future holds for us, it must involve a very adaptive organization, not trapped by the traditional operating system of the government, that is empowered by the government and funded by the government and working directly with not just the healthcare sector but others to provide those point solutions for small hospitals, rural hospitals, inner-city hospitals and clinics to just try to solve for some of these challenges," he said.

The federal government can play a major role by creating incentives for healthcare organizations to adopt cybersecurity, much like the Meaningful Use program incentivized providers to adopt electronic health records, Hughes noted.

"Back when the HITECH Act was passed and there was incentives to organizations to adopt electronic health records, that program worked really well, and what we were left with is actually a whole bunch of technological adoption without thoughtful implementations of cybersecurity," she said. 

Those incentives could be through the Health and Human Services (HHS) cybersecurity performance goals or measures.

"Cybersecurity is expensive, it is complicated, and not every organization with slim margins has the resources to be able to invest effectively, and so this is an area where I think the federal government could really assist in providing the right kind of support and incentives," Hughes said.

AI can play a critical role in bulking up cybersecurity

Northwell Health continues to make investments in new tools, capabilities and resources to strengthen its cyber defenses, Hughes said during the roundtable.

There are promising opportunities to use artificial intelligence and machine learning technologies to supplement the cybersecurity team by culling through threat intelligence information, she noted.

"We all know there's talent shortages out there, and it's very difficult to get talented people and even to bring them up to speed. So that's a key area," she said.

Sanjeev Sah, CISO at Novant Health, said AI is giving healthcare organizations new tools to improve operations.

"There is a careful, guided approach that industry is employing when we are embracing it and we are wanting to leverage this new technology to enhance care, be more efficient in how we operationally do work and even come to quicker solutions. We are being safeguarded about creating no harm or doing it responsibly. That in itself, that particular viewpoint that the industry has largely embraced, goes to show that we want to take advantage of opportunities that are presented but we want to do it in a way that's safe and secure, and it's ethically responsible as well," he said.

Northwell also continues to focus on the basics of "cyber hygiene" with zero-trust protocols and the health system invests in ongoing security awareness and training programs for its staff. 

"Making sure that systems stay patched, and not only the workstations, but the medical devices and all the other devices on the network that have operating systems that could potentially be exploited, those get overlooked," Hughes noted. "And then, just the ongoing assessments that we do, the continuous monitoring that we do, the new threats that come out that might require a new technology to be brought in, or the knob on one of the existing technologies to be turned up. Those are just other ways that we learn about the threats and then we translate those into actionable plans to further protect the environment," she said.

Healthcare organizations stepping up scrutiny of third-party vendors, M&A

It has since come to light that the hackers involved in the Change Healthcare ransomware attack exploited a vulnerability on a server lacking multi-factor authentication—a fundamental security measure.   

Change Healthcare was brought into the fold at UnitedHealth Group in late 2022.

During a Congressional hearing in May, UnitedHealth Group CEO Andrew Witty testified that as the company was in the process of integrating Change into Optum over the past year and a half, the company was working to complete a massive upgrade to all of its systems. Witty said that Change's aging technology meant that much of its data was stored in physical data centers rather than in the cloud, which made it more vulnerable. 

Healthcare organizations rely on a long list of third-party vendors as part of clinical and business operations, from cloud service providers to EMR service providers to lab services.

As third-party products and technologies can introduce vulnerabilities into the system, it's critical for healthcare executives to risk assess vendors' security posture and cyber controls, CISOs said.

"We risk assess vendors based on, are they involved with protected health information? Does it deal with sensitive systems? Are we transacting data? So we take a variety of different components into the equation to evaluate that vendor relationship, and then we look to partner with them to have the right security posture," Sah with Novant Health said. "I find our partners want to work with us and engage in that effort to try to cure for any security gaps. Where a partner is not able to meet those requirements, I think absolutely we need to exercise other options. We cannot, given all of the risks that we've experienced in the recent months and years, create a gap in security for our organization."

It's also important to include security teams when procuring products or acquiring new technologies, Hughes said.

"You need to ensure that appropriate contract language can be built in, where you get assurances that they will have resilient systems and that they have disaster recovery and business continuity plans," she said. "You need appropriate terms and conditions in the agreement, things like indemnification and they have appropriate cyber insurance. It's extremely critical that a decision about acquiring a service or a piece of equipment should be done in partnership with the security team and holding them accountable. You need to have the ability to monitor what they do, to a degree, to understand what their risks are, and to make sure that they understand what your internal standards are that they need to comply with in order to secure their environment."