On February 21, 2024, Change Healthcare announced that it had fallen victim to a cyberattack. This cyberattack on Change Healthcare has wrought havoc on the healthcare sector, adversely affecting services for hundreds of millions of Americans dependent on the compromised providers.
The pivotal role of Change Healthcare in the Healthcare Sector
Change Healthcare occupies a substantial role in the healthcare technology field in the United States. Its 2022 consolidation with Optum, a subsidiary of the healthcare behemoth UnitedHealth Group, through a transaction worth $7.8 billion, granted Optum expansive entry to the medical records of tens of millions of Americans.
The Change Healthcare platform delivers a suite of services to healthcare providers, encompassing payment management and the full spectrum of the revenue cycle. It aids providers in handling claims and payments and offers an integrated appeals management system for responding to denied claims. As one of the leading health information exchange (HIE) platforms in the United States, Change Healthcare processes around 15 billion claims annually, amounting to more than $1.5 trillion.
Summary of the Change Healthcare Cyberattack
On February 21, 2024, Change Healthcare announced it had suffered a cyberattack, orchestrated by a ransomware syndicate identified as ALPHV, also known as BlackCat. This breach caused considerable interruption to their critical services. The culprits managed to infiltrate Change Healthcare's network without authorization. The ramifications of this breach have touched millions of Americans who rely on Change Healthcare, either directly or through their connections with various U.S. healthcare insurers, for whom Change Healthcare provides essential backend services.
Impact of the attack
The American Hospital Association (AHA) claims that Change Healthcare processes ~15 billion healthcare transactions every year and impacts one in every three patient records in the U.S.
The attack has notably affected several aspects, including:
- Patient Care Services: There's been a significant disruption in various patient care services such as clinical decision support, eligibility verifications, and pharmacy operations.
- Claims Processing and Eligibility Checks: Many claims have been left unprocessed, and the essential eligibility verifications for determining insurance coverage for treatments have been stalled.
- Hospital Finances: There's been an immediate negative impact on hospital finances and their capacity to provide comprehensive healthcare services to their communities.
- Revenue Cycle Management: The ability of providers to manage claims for payments, patient billing, and estimate patient costs has been disrupted.
- Operational Challenges: The ongoing disruption could severely affect hospitals' ability to compensate their clinical staff and other care team members, procure necessary medical supplies, and cover critical contractual obligations.
- Administrative Overload: The shift from electronic to manual processes due to the attack has significantly increased administrative costs for providers and shifted focus from other tasks.
What insights can healthcare firms gain from this breach?
An attack of this scale underpins the narrative that enterprises are more connected than ever across people, process, vendors, and technology, and that an integrated “resilience” framework is a business imperative. While this may have started as a cyber-attack, the downstream implications create financial, operational, legal, and reputational ripple effects. Healthcare companies should focus on a mix of strategic and tactical considerations and actions, as outlined below:
- Manage concentration risk in third-party resiliency by diversifying suppliers, regularly assessing risks, and preparing contingency plans for potential supplier unavailability.
- While business continuity plans are crucial, they often do not fully cover the specific complexities of a cyberattack. Healthcare entities need cyber-specific contingency strategies, including measures like securing lines of credit in advance to counter disruptions in revenue flows.
- Commitment to ransomware defense is indispensable. Given the persistent threat of ransomware, it's critical for organizations to invest in prevention technologies and strategies that minimize exposure and safeguard their operations, and to balance these with investments in continuity and recovery solutions.
- Create scenarios for prolonged loss of technology and third-party services and perform simulation exercises for testing. Include stress testing based on volume, compounded outages (e.g. technology plus supply chain), and severe but plausible scenarios.
- Create process level value chain maps (end-to-end mapping) to identify internal and external dependencies, identify impact tolerances, and document business continuity and disaster recovery plans to include critical third parties as part of the overall recovery plan to ensure operational resiliency.
- The aftermath of the cyberattack will likely prompt regulatory bodies to revise policies and standards, aiming to strengthen the cybersecurity framework within the healthcare sector. This could include mandates for more rigorous cybersecurity audits, enhanced data protection protocols, and requirements for rapid incident response mechanisms. Healthcare companies will need to stay abreast of these changes and ensure full compliance to safeguard their operations and patient data.
- Strive for more oversight and inclusion of the board in planning for and executing a “resilient” organization. The need for a chief resiliency officer specifically to voice and represent resilience capabilities cannot be overstated.
- Conduct controlled execution of adversarial emulations (e.g., Ransomware, Data Exfiltration (DLP), Social Engineering) to test technical security controls.
- The importance of access to insurer portals cannot be overstated. It's vital for organizations to maintain current logins for all major insurers and have plans for operational adjustments in the event of a cyber incident.
- The role of Active Directory (AD) in cybersecurity is pivotal. Protecting AD is essential to prevent the spread of ransomware.
- Ensure effective communication channels are in place for promptly notifying stakeholders, including patients and partners, of any disruptions.
- Include clauses in vendor contracts that address service availability guarantees, cybersecurity requirements, and contingency plans.
- Carry out simulation exercises at the executive level tailored to predetermined scenarios, and record the insights gained.
- Continue to monitor and independently evaluate information provided by Change Healthcare to inform the organization's own risk-based decisions regarding nonimpacted systems.
- Collaboration across the industry, sharing insights and leading practices, will be key to building a more secure and resilient healthcare ecosystem.
How Grant Thornton can help
At Grant Thornton we offer a comprehensive array of cybersecurity and resilience services to our clients. Grounded in our extensive interactions with a range of technology vendors and our profound expertise in assisting healthcare organizations, our knowledge of cybersecurity and resilience trends is both broad and deep. We are equipped to deliver complete, end-to-end support to our clients. Here are some of the key services we offer to clients encountering similar challenges:
- Concentration risk analysis which involves assessing the risk associated with relying too heavily on a single vendor, system, service, or resource for critical operations or functions within an organization.
- Value chain & dependency mapping to understand the interconnectedness of their operations and to identify potential vulnerabilities that could disrupt their business processes.
- Third Party resiliency analysis to assess the ability of third-party vendors or service providers to maintain continuous operations and quickly recover from disruptions or failures and ensure appropriate contract coverage.
- Cybersecurity Program Assessments and Audits to ensure the protection of sensitive patient data and compliance with regulatory standards such as HIPAA and other relevant laws and best practices.
- Cyber Incident Response Services to assist clients with detection, containment, and remediation from various cyber events.
- Business Continuity and Disaster Recovery Planning to ensure cyber-attack scenarios are documented, with response plans for prolonged outages and with business continuity and restoration efforts distinctly defined and documented.
- Tabletop Exercises conducted for scenario-based readiness assessments for cyber events to improve the organization's ability to respond to cyber incidents and test their incident response plan and BCP/DRP. Exercises are conducted both at the executive and operations level.
- Penetration Testing and Vulnerability Assessments to improve security across their environment by identifying and remediating the vulnerabilities found through our penetration testing and vulnerability assessment services.
The Change Healthcare cyberattack is a wake-up call for the healthcare industry, highlighting the urgent need to reassess and reduce dependencies on centralized service providers. By embracing decentralization, strengthening cyber resilience, leveraging technology innovations, adapting to regulatory changes, and building a culture of preparedness, healthcare companies can navigate the challenges of today's digital landscape more effectively. The future of healthcare lies in the ability of organizations to adapt, innovate, and collaborate in building a secure and resilient infrastructure that prioritizes patient care and data protection above all.
As the healthcare industry continues to navigate the complexities of digital transformation, the lessons learned from incidents like the Change Healthcare breach will be instrumental in shaping a more secure and resilient healthcare ecosystem for the future. The path forward requires diligence, innovation, and collaboration to safeguard the trust and well-being of patients worldwide.
Risk & Resilience Rockstar
7 months ago
Very insightful article, Manmohan Singh. We Canadians had a few similar experiences; one such example is Life Labs, who lost the class action lawsuit and is now paying out the compensation. Such an incident serves as a stark reminder of the constant threat posed by cyberattacks and emphasizes the importance of proactive measures to fortify defenses and ensure operational continuity.