Protecting Patient Data Post-Change Healthcare Breach

The ransomware attack on UnitedHealth’s Change Healthcare subsidiary last month demonstrated how appealing the data-rich US healthcare industry is to hackers, how devastating the consequences can be, and how sophisticated cybercriminals are.

Why is Healthcare Targeted?

It’s not the healthcare they’re after. It’s the money.

Hackers know that healthcare firms are more susceptible to extortion tactics than firms in other industries, given the urgent nature of patient care and the willingness of victims to pay ransoms to restore access to vital systems.

But there’s more money in it for the hackers than the ransom payments alone.

The profit margin of selling medical data on the dark web is another incentive for cybercriminals to specifically get their hands on healthcare data. This kind of data sells for a higher price than other forms of personal data, like social security numbers and credit card details.  

What Should Keep You Up at Night?

Change Healthcare is the largest clearinghouse for insurance billing and payments in the U.S.

This is one big nightmare for thousands of healthcare workers, hospitals, and other institutions that have yet to be reimbursed as Change Healthcare struggles to bring its systems back into normal operations.  

But what really should be keeping us up at night is the vulnerability of the U.S. healthcare system.

The Attack Fallout in Numbers

  • About 900,000 doctors, 33,000 pharmacies, 5,500 hospitals, and 600 labs in the U.S. use Change Healthcare to handle about half of their medical claims.
  • According to a letter filed to the United States Department of Health and Human Services by the American Hospital Association, Change Healthcare performs 15 billion healthcare transactions yearly. It touches one out of every three patient data records.
  • According to the American Hospital Association, 94% of US hospitals have experienced financial difficulties due to the UnitedHealth hack. Over 60% of the 1,000 hospitals polled projected the revenue loss to be around $1 million per day. 
  • Six class action lawsuits have already been filed in Tennessee and Minnesota on behalf of patients who say their information was stolen in the attack. This number is likely to increase as more information comes in.

How Did the Attack Happen?

Change Healthcare identified an external actor inside its portals on February 21, 2024. The breach was reported nearly a month ago on a Form 8-K in a regulatory filing with the SEC.

Change Healthcare proceeded to isolate its systems to stop the spread of the breach, which caused administrative and financial fallout for healthcare organizations and providers throughout the United States. Providers lost access to critical services such as claims processing and electronic bill payment. 

The specific details of the attack vector have not been publicly disclosed. There is some speculation about critical vulnerabilities in ConnectWise ScreenConnect that were announced days before the breach was reported. Still, UnitedHealth has not confirmed whether these vulnerabilities were exploited in the attack.

It’s known that malicious actors wait for advisories like the one for the ConnectWise ScreenConnect vulnerabilities. They take advantage of the period between the public announcement and the time it takes for an organization to apply the patch. Immediately after a vulnerability is disclosed, these actors work to find and capitalize on systems that are still exploitable.

Organizations normally refrain from publicly disclosing attackers’ methods used to breach their systems. 

Investigation Opened

The HHS Office for Civil Rights opened an investigation into the event “given the unprecedented magnitude of this cyberattack and in the best interests of patients and healthcare providers.” The investigation will focus on whether a breach of protected health information occurred and whether Change Healthcare and UnitedHealth Group complied with HIPAA Rules.

HIPAA requires healthcare clearinghouses, insurers, and providers to notify individual patients of breaches within 60 days after discovery; however, the extent of the hack may make it difficult for UnitedHealth and other HIPAA-covered enterprises to complete their reporting duties in this case.

What Can Be Done?

The cybersecurity landscape and the healthcare sector are playing a dangerous cat-and-mouse game. Hackers constantly evolve tactics, techniques, and procedures (TTPs) to exploit vulnerabilities and breach systems. At the same time, cybersecurity professionals strive to stay one step ahead by implementing robust security measures and defenses.

But there’s no path out as long as we play this game, and it’s time for security leaders to realize that spending more money on cybersecurity tools and solutions is only worthwhile if it mitigates risk. Focusing on compliance with an ever-growing laundry list of regulated requirements tends to push decision-makers to invest in products that simplify compliance. But what’s essentially happening is that we’re upping the game level but never winning. 

With growing scrutiny and accountability of board members in a major cyber event, security leaders need to communicate this point to the board.

And it’s time for healthcare executives to realize that their primary service is twofold.

  1. Providing the best medical care and health products to consumers and patients
  2. Protecting their data

How To Mitigate the Risk of a Breach

The UnitedHealth breach is sadly part of a rising series of hacks in the healthcare industry. The combination of sensitive, highly profitable personal data, growing digital health practices, and healthcare institutions’ responsibility to restore systems after a ransomware attack leaves the health industry vulnerable to cybercrime. 

Here are a few measures that healthcare leaders may use to reduce risk and safeguard their patients and organizations:

  1. Ensure recommendations are reviewed and adopted frequently from all sources, including the AHA, CISA, HHS, and the Change Healthcare incident page.
  2. Update disaster recovery and business continuity strategies to include alternate processes for critical IT systems and third-party vendors.
  3. Regardless of your practice’s exposure to this breach, having a proactive risk mitigation strategy is critical to your safety and resilience.

Centraleyes offers a comprehensive cyber-focused GRC solution that empowers healthcare organizations to mitigate risks effectively while ensuring compliance with regulatory standards. 

Rather than focusing on checking HIPAA and other regulatory requirements, healthcare executives can leverage Centraleyes to cultivate a culture of security and resilience within their organizations. Centraleyes makes it easier to streamline risk management processes, enhance cybersecurity posture, and confidently protect patient data.

If you have any questions concerning the next steps for your organization, you can schedule a demo to learn more.
