Change Healthcare, a Nashville-based company that offers healthcare data analytics and revenue cycle management services, was hit with a cyberattack in February. Initial reports predicted network disruptions might last until the end of that day “at least.” More than a month later, the financial and human toll of the cyberattack is still being felt — not just at Change, but among its patients, provider partners, and other stakeholders.
The Change incident is not alone. In 2023, more than 540 organizations and 112 million individuals were affected by healthcare data breaches reported to the Office for Civil Rights (OCR), compared to 590 organizations and 48.6 million impacted individuals in 2022. The incidents have become increasingly complicated, and the money at stake is only growing larger.
The global diversification of workforces means that cyber attacks take on a wider impact, too. For businesses that can shut down international access to their systems, preventing their infrastructure from harm is less complicated. Firms with even one international partner — there are more now than ever — face a more complicated picture.
Large businesses aren’t the only ones who must remain vigilant. Small- to mid-size companies are also at increased risk. Companies of all sizes must have protocols and resources in place. What can the healthcare sector learn from the growing wave of cyberattacks, and what resources exist to protect against the next wave?
Some best practices never change. To remain vigilant against security breaches, organizations must follow many of the basic principles that have been true for a decade or longer. Require employees to change out their login passwords frequently. Use two-factor authentication whenever possible. If necessary, log out of any devices that can be easily accessed by anyone else, particularly in a public setting. When an employee leaves, be sure they hand over any company-issued hardware. Organizations should also have comprehensive visibility of all technologies being used by employees on this hardware, understand their scope of use, and keep all hardware and software updated with the latest security patches to mitigate risk.
What’s changed most in recent years are the scope, frequency, and sophistication of global threats. Organizations have been forced to broaden their focus because of the explosion of international ecommerce opportunities, the expansion of outsourced jobs to a growing international talent base, and constant changes to how businesses invest in tools that allow for upscaling abroad. Organizations who do not scale their security protocols along with the rest of their platforms could be subject to a fatal error.
The healthcare sector has been historically vulnerable to emerging threats for a simple reason: Medical records have a tremendous amount of value on the black market. For years, the primary threats were anything that dealt with a breach – bad actors trying to access private patient data. More recently, those bad actors look and smell like terrorist organizations whose objectives focus less on stealing data and more on crippling the U.S. healthcare system.
Consider the measures implemented after the terrorist attacks of Sept. 11, 2001. Security protocols at large, vulnerable institutions like nuclear plants, electrical plants, and water treatment plants heightened. Although they seem dissimilar on the surface, many of the healthcare security incidents have the same end goal: they’re more about disrupting key infrastructure as about stealing data.
By flooding an electronic network with uninvited traffic, a hacker can inflict downtime on any health system. Such attacks — called Distributed Denial of Service, or DDoS — have spiked among health industry organizations since 2019. The Health Sector Cybersecurity Coordination Center, a division of the U.S. Department of Health and Human Services, monitors for these threats and periodically issues advisories around relevant topics to industry leaders.
The Change Healthcare incident was the latest example of a suspected ransomware attack against the industry. The American Hospital Association (AHA) called it “the most significant and consequential incident of its kind against the U.S. healthcare system in history.” Notably, the problem isn’t isolated to healthcare. Cyberattacks increased two or threefold across nearly every tracked metric in 2023, according to SonicWall.
While Health and Human Services scrambled to accommodate stakeholders affected by the fallout of the Change incident, the long-term concern was preventing similar incidents in the future.
The FBI and other government agencies have cybersecurity resources available, offering fact sheets, current threat analyses, industry-specific publications, and white hat hackers — good actors who attempt to identify critical vulnerabilities. If your organization isn’t protecting against cybersecurity threats at the source-code level of your online systems, it’s incumbent to partner with a third-party service that can.
Small organizations wondering where to begin can benefit from regularly monitoring and adhering to the publicly available best practices outlined by the federal watchdogs. Be prepared for the journey to evolve quickly, however. Anticipate customers and clients to place requirements above and beyond a general set of best practices to secure their sensitive information. Typically, those requirements take the form of a third-party audit that certifies compliance with standards such as those outlined by the National Institutes of Standards and Technology (NIST).
SOC-2 certification is an industry-agnostic achievement available to cloud-based vendors. It’s achieved only when a third-party auditor certifies the vendor complies with one or more of the five trust principles based on the systems and processes in place. A SOC-2 Type II document details a company’s security and privacy controls using the SOC-2 criteria. A HITRUST assessment, specific to healthcare vendors, can provide another layer of certification and offer stakeholders, customers, and regulators confidence in your risk management and compliance programs. Security protocols for the various cloud infrastructure providers, such as Amazon Web Services, Azure, Google and Oracle, will differ in their fine print, but all have similar internal procedures in place.
With comprehensive strategies and resources in place, companies of any size can be well-prepared to prevent security incidents from causing a disruption in the first place. Stay abreast of cybersecurity updates and news headlines, so you can continue to be nimble to field evolving conditions. Anticipate that the next cyberattack against your company is a question of when, not if.
Zach Evans is the Chief Technology Officer with Xsolis, the AI-driven health technology company with a human-centered approach, where he is responsible for using Xsolis’ proprietary real-time predictive analytics and technology to support client objectives and internal business operations.