SIS shares actionable steps healthcare organizations can take to better protect themselves from cyberattacks
The healthcare sector recently witnessed a significant cybersecurity incident with the cyberattack on Change Healthcare, a crucial component of UnitedHealth Group's Optum division. This attack, orchestrated by the ransomware group AlphV, also known as BlackCat, not only highlighted the vulnerabilities within the healthcare industry to cyber threats but also had widespread repercussions. The incident impacted healthcare operations that depend on CHC systems, including billing processes, eligibility verifications, prior authorization requests, and the fulfillment of prescriptions, significantly disrupting essential services across the healthcare ecosystem1. These disruptions emphasized the vulnerabilities and interconnectedness of the healthcare ecosystem, leading to operational headaches for providers and underscoring the critical need for healthcare organizations to enhance their cybersecurity defenses.
The far-reaching effects of the cyberattack against Change Healthcare have prompted an urgent call to action for improved cybersecurity resilience within the healthcare sector. Providers experienced significant operational disruptions, including delayed revenue management services and prescription-filling processes, highlighting the importance of preparing for future cyber threats.
This comprehensive guide aims to synthesize insights from the incident and provide actionable steps for healthcare businesses to bolster their cybersecurity measures, helping ensure they are better equipped to protect against and respond to the evolving landscape of cyber threats.
Think of a risk assessment as a health check-up for your organization's cybersecurity. Just as a doctor examines a patient to find vulnerabilities to diseases, a risk assessment identifies where your organization's cybersecurity could be compromised.
Starting Point: Begin with a thorough inventory of your digital assets, software, hardware, and third-party services. Identify what data you have, where it's stored, and who has access to it.
Adopting a cybersecurity framework is akin to a comprehensive care plan for a patient with a chronic condition. Just as a care plan would include preventive measures (Identify), protective treatments (Protect), regular health monitoring (Detect), emergency interventions if the condition worsens (Respond), and rehabilitation or adjustment of treatments based on outcomes (Recover), a cybersecurity framework ensures the ongoing health and resilience of your organization's digital environment. Each step in the framework functions similarly to stages in patient care, aiming to maintain the system's health, prevent breaches, quickly address any issues that arise, and restore full functionality after any security incidents, thus keeping the organization's data and systems in optimal condition.
Framework Choice: Adopt the NIST Cybersecurity Framework for a structured approach to managing cyber risks.
An Incident Response Plan is A structured methodology for handling security incidents, breaches, and cyber threats, ensuring a quick, effective, and orderly response.
Consider an incident response plan as a fire drill for cyber threats. Just as schools and offices conduct fire drills to ensure everyone knows how to exit safely in an emergency, testing your incident response plan ensures your team knows how to act swiftly to mitigate damage from a cyberattack.
Redundancy and contingency planning in cybersecurity can be compared to keeping a spare tire in your car. Just as you prepare for a flat tire by having a spare, you prepare your organization to continue operations smoothly with backup systems and manual processes in case of a cyberattack.
Strategy Formation: Develop manual processes for critical operations and consider diversifying vendors to reduce reliance on single entities.
Implementation Steps:
Sharing cyber intelligence is like neighborhood watch programs where communities share information about suspicious activities. By joining forums and information sharing analysis centers (ISACs), you're participating in a collective effort to spot and defend against threats before they can harm your organization.
Investing in cybersecurity awareness and training for staff is akin to administering vaccines in public health. Just as vaccines prepare the immune system to recognize and combat viruses and bacteria, thereby preventing infections, cybersecurity training equips employees with the knowledge and skills to identify and defend against cyber threats. This preventive measure, like vaccination, is essential to build a resilient defense against potential attacks, ensuring the organization's digital environment remains healthy and secure.
Cybersecurity insurance acts like a safety net, much like car insurance. In the event of a cyberattack causing financial loss, having cybersecurity insurance helps cover the costs, ensuring your organization can recover more quickly.
However, in today's cybersecurity landscape, the prevalence and sophistication of cyber threats have led to increased cybersecurity insurance premiums and stricter policy requirements. The aftermath of significant cyberattacks, such as the one on Change Healthcare, has underscored the essential role of cybersecurity insurance in an organization's preparedness and resilience plan.
Insurance providers now demand evidence of comprehensive cybersecurity measures, including adherence to best practices in hygiene, incident response plans, and employee training, as prerequisites for coverage. This shift emphasizes cybersecurity insurance as a critical component of an organization's defense strategy, offering a financial safety net that enables recovery and continuity of services post-incident.
Investing in solid cybersecurity practices and securing suitable insurance coverage equip organizations to face emerging cyber threats with greater assurance and resilience.
Good vendor risk management is critical, akin to conducting thorough background checks and continuous performance evaluations in a medical staff hiring process. Just as a hospital must vet each doctor, nurse, and technician to ensure they have the necessary qualifications, experience, and ethical standards to provide safe and effective care to patients, organizations must rigorously assess and monitor their vendors to ensure they meet stringent cybersecurity standards.
Failure to do so can lead to introducing vulnerabilities into the organization's system, much like an unqualified medical professional can put patient health and the hospital's reputation at risk. This meticulous selection and ongoing evaluation process is essential to maintaining the security and integrity of an organization's data and systems, reflecting the critical nature of good vendor risk management in protecting against potential cyber threats.
The cyberattack on Change Healthcare is a wake-up call for the healthcare sector, demonstrating the critical need for enhanced cybersecurity measures. By adopting a comprehensive and proactive approach to cybersecurity, healthcare businesses can strengthen their defenses against future cyber threats. This involves not only implementing robust cybersecurity frameworks and incident response plans but also fostering a culture of cybersecurity awareness, engaging in collaborative intelligence sharing, and ensuring that contingency plans are in place for dealing with disruptions. Through these steps, healthcare organizations can safeguard their operations, protect patient data, and contribute to the resilience of the broader healthcare ecosystem against the evolving landscape of cyber threats.
[1] UnitedHealth Group, Information on the Change Healthcare Cyber Response