The healthcare industry has had a rough start to 2024. It’s still reeling from February’s attack on Change Healthcare that brought production screeching to a halt. The breach shut down offices and healthcare facilities, cut off patient access to medication and care, and cost large hospitals and pharmacies upward of $100 million per day.
Though Change has managed to get many of its systems back online, an American Medical Association survey conducted on April 29 found that 60% of respondents continue to face challenges verifying patient eligibility, 75% still struggle with claim submission, 79% cannot receive electronic remittance advice, and 85% continue to experience disruptions in claim payments.
While the Change breach is one of the largest the industry has seen, it’s not the only disruptive breach this year. At the end of April, Canadian retail pharmacy London Drugs experienced a cyberattack that forced the company to temporarily shut down all of its 79 stores.
Despite all the warning signs, it seems every year keeps getting worse for the healthcare industry. Why is it so susceptible to attacks? Here are the top three reasons hackers are targeting (and successfully disrupting) the healthcare industry, and what healthcare organizations can do to end it.
The Change Healthcare attack put a spotlight on one of the biggest vulnerabilities in the healthcare industry: it is incredibly consolidated. The breach of one company affected the entire field and will clearly have a lasting and monumental impact.
Change processes 15 billion healthcare transactions annually. It touches one in three patient records and handles about half of all medical claims in the U.S. Its reach and access to massive amounts of sensitive data made Change an attractive target for threat actors because they knew they could ask for a hefty ransom in exchange for getting Change’s systems back online.
When one company touches the data of millions of people, it — plus its vendors and business partners — becomes an appealing target. If the field had more big players, patient and provider information would be spread across several organizations. Everything would look less enticing to hackers, and successful attacks would cause less damage.
This risk of consolidation has led the Department of Justice (DOJ) and other federal agencies to launch an investigation into UnitedHealth Group — Change’s parent company — with some lawmakers questioning whether the healthcare giant should be broken up.
The COVID-19 pandemic forced the healthcare industry to undergo rapid digitization — a largely positive change. Patient information has moved from paper charts to digital platforms, and prescriptions are transmitted from providers to pharmacies digitally. Telehealth has become an increasingly popular way to seek care, with McKinsey reporting that telehealth usage has increased 38x from the pre-pandemic baseline.
This digitization has led to an increase in the number of healthcare technology companies providing services to hospitals, medical providers, insurance companies, and even patients. For instance, the health tech sector raised $27.5 billion in venture capital in 2022. The emergence of so many healthcare technology companies means that supply chains in the industry are expanding, creating more access points for bad actors.
Unfortunately, as healthcare systems quickly moved to adopt this new technology, they didn’t implement the appropriate security controls to protect themselves. According to a 2023 Cybersecurity in Healthcare report from the Ponemon Institute and cybersecurity firm Proofpoint, 88% of healthcare organizations had at least one cyberattack over the last 12 months and 64% said they experienced an average of four supply chain attacks in the last two years. The same report found that 63% of healthcare IT professionals said their organizations were vulnerable to a supply chain attack.
Cybersecurity is only being addressed now because breaches in the industry are becoming increasingly common and devastating. Companies can’t afford to ignore the risk. In addition to the Change Healthcare and London Drugs breaches, nearly 3 million patients were affected when Cerebral, a virtual mental health platform, announced that it may have disclosed patient information through its pixel tracking technology without having obtained HIPAA-required assurances. Similarly, the DOJ and Federal Trade Commission imposed a $1.5 million penalty on telemedicine and prescription drug discount provider GoodRx last year for its misuse of third-party tracking pixels. And Ascension Via Christi hospitals in Wichita had to pause elective surgeries after experiencing a cyberattack that disabled many of their electronic systems.
Despite the rapid digitization of the healthcare industry and the introduction of new technology to hospitals and healthcare facilities, the Department of Health and Human Services (HHS) has been slow to update HIPAA guidelines on cybersecurity, data security, and privacy guidance.
Much like executives in any other industry, healthcare executives are focused on growing profits. Compliance with federal regulations, including HIPAA, gets in the way of that. So executives haven’t gone out of their way to invest in expensive cybersecurity initiatives that aren’t federally mandated. They’re taking advantage of the fact that regulation hasn’t caught up to digital environments. But, as the prior examples show, companies are paying the price by leaving themselves open to financial risks in which regulatory penalties would be the least of their problems. The cost of reputational damage, lost productivity, ransoms paid, remediation fees, as well as potential fines and legal fees, easily adds up to multiple millions of dollars from a single attack. That is far more than the price of setting up and maintaining a cybersecurity program.
HHS has started to develop guidance on cybersecurity, but many healthcare organizations are playing catch-up because they haven’t prioritized a proactive approach. They don’t have the security leaders or teams in place to build robust security programs. According to the 2023 HIMSS Healthcare Cybersecurity Survey, almost 75% of respondents said recruiting qualified cybersecurity professionals was a significant workforce challenge. Nearly 43% of respondents felt that insufficient budgets were another of the biggest challenges healthcare cybersecurity teams face, with organizations spending, on average, more than 7% of their IT budgets on cybersecurity.
With limited resources, healthcare security teams are struggling to protect their digital infrastructure and supply chain while also responding to new regulations and industry shifts.
There’s hope that the Change Healthcare breach will finally make healthcare companies aware that cybersecurity is no longer something they can ignore. IBM’s 2023 Cost of a Data Breach Report found that the healthcare industry faces the highest average data breach cost of any industry, at $10.93 million. This seems high until it’s compared to the $6B UnitedHealthcare has paid to providers in need as a result of the Change attack. And that’s on top of the $22 million ransom Change paid to BlackCat, the group responsible for the attack!
Executives can no longer view cyberattacks as a cost of doing business or a bump in the road to digitization. These attacks are becoming too costly – far more expensive than standing up a security program. To remain compliant, avoid lawsuits, and win over customers and patients, businesses and organizations in the healthcare industry need to make security a top priority.
With the talent gap issue expected to remain in place for the foreseeable future, organizations need to become cyber resilient by teaming up with an outside partner. Managed security service partners help healthcare organizations of all sizes assess security gaps and institute security tools and programs that meet HIPAA requirements and protect the organization from the threat of a costly breach. One of the most important benefits is that an effective managed security partner can establish the program for an organization, meaning risk is mitigated in weeks rather than months.
SolCyber is the first-of-its-kind fully managed human-led security program. With our 24/7 detection and response services and Foundational Coverage, businesses of all sizes in the healthcare industry can beef up their security posture in weeks.
Ready to get started? Reach out to the experts at SolCyber today!