The Change Healthcare ransomware attack and its lasting impact on healthcare delivery organizations across the country is now in its third week, highlighting the fragile U.S. healthcare ecosystem that stakeholders have long warned about.
The hack was attributed to a ransomware group known as ALPHV or BlackCat, and Change Health reportedly paid the attackers a $22 million ransom to recover data stolen during the breach. He claims to have paid. The transaction has not been confirmed by Change Health officials.
As it stands, much of the Change Health system remains offline, and officials say the downed systems should be up and running by March 15. The company is offering a temporary payment solution to fill the gap, as is the Centers for Medicaid and Medicare Services. (CMS) also provides support. However, stopgap solutions are not enough to solve cash flow problems, nor can they cover all losses.
Latest estimates show that the outages could cost Change Healthcare billions of dollars in lost revenue and customers as provider organizations explore alternative payment options to keep them afloat. It is shown. However, those most at risk of losing business entirely are typically health care providers operating on razor-thin profit margins, especially small practices and rural groups.
Industry conversations paint a bleak picture, with providers considering taking out loans to pay employees, while others are taking out mortgages to pay payroll. .
While the current impacts are alarming, they are just the tip of the iceberg. It will take years to recover the losses, and many small clinics, hospitals, and health care providers may not recover at all without government support. While this incident may have started as a cyberattack, the Change Health outage has become so large that it is simply a crisis, especially a financial crisis that will continue into the foreseeable future.
In a March 10 letter, the Department of Health and Human Services (HHS) asked United Health Group, which owns Change Healthcare, to address the attack, including improving communications and providing a list of affected entities to Medicaid agencies. It called for immediate measures to be taken to reduce the impact. Other risk mitigation measures that may reduce dire consequences.
The exact impact of the attack on Change Healthcare remains unclear. Additionally, this incident is just the latest in an ongoing onslaught of targeted attacks against the entire healthcare industry. Industry groups are calling on Congress to intervene to help organizations affected by these disruptions.
A series of predicted unfortunate events
In the healthcare industry, third-party, third-party, and third-party risk is just one layer of visibility challenges facing enterprises. Visibility into vendors' cyber operations has been an unresolved problem for years, exacerbated by the rapid adoption of digital technologies, mergers and acquisitions, outsourcing of business partners, and the push for care outside the hospital.
The Biden administration has included health care among 16 critical infrastructure areas identified by the federal government. But there are also healthcare-specific challenges that require a different type of intervention, as they not only impact supply chains and critical business operations, but also put patients' lives at risk. For example, consider a small hospital that has to close due to the Change Healthcare outage. He may be the only medical provider available within 100 miles of the area. Additionally, some patients may not have the means to travel that distance. For serious illnesses such as strokes and heart attacks, each delay in care can result in a reduction in the quality of care.
As the public and perhaps Congress are only beginning to understand the precarious state of healthcare cybersecurity, the Change Healthcare outage highlights how easily ransomware attackers can gain the value of healthcare data and a foothold into healthcare networks. This amplified the systemic problems that have persisted since the discovery. .
A similar cyberattack against payroll vendor Cronos in 2022 disrupted payroll for providers across the country, leaving employees without pay while the system was down. Some health systems have been sued for nonpayment after relying on paper procedures during power outages, resulting in wage discrepancies.
According to data from Emsisoft, 42 hospital systems were affected by ransomware attacks in 2023. Studies have shown that these attacks have affected affected organizations, and even nearby hospitals have seen a decline in the quality of care, increased patient volume, and extremely long wait times.
Following the recent collapse of some of the major players in the ransomware industry, the remaining groups have vowed to take the gloves off and begin attacking critical healthcare infrastructure. In addition to the significant attack against Change Healthcare, this current version of the malicious actor has also chosen to compromise actual patient records, making it the first low-level healthcare attack to date.
Malwaretips reported last year that in a dual extortion ransomware attack, attackers chose to leak the data and photos of cancer patients in order to blackmail medical institutions into submission. Rather than attacking hospitals directly, these enhanced attacks are primarily what are called “fourth-party” level attacks, where success is achieved through the hospital's business associates and partners in the supply chain. It is contained.
The Change Health situation is a reminder of how technology impacts clinical operations and business operations. Congress requests federal funding and $800 million to support high-need hospitals to cover the cost of implementing critical cyber practices, and an additional $500 million to help providers invest in advanced cyber tools. The public and health care leaders must continue to raise funds as we consider a $1 billion request. alarm.
Change Healthcare attacks cannot be considered as isolated incidents. This is actually an indictment of the fragile state of healthcare cybersecurity and the need for federal support. The public, and especially Congress, must understand that good cybersecurity keeps patients safe now and in the future.
Toby Gouker, Chief Security Officer, First Health Advisory