Here we go again. The US health system is in a desperate cybersecurity state of affairs. Another healthcare cyberattack has made the news and it’s a big one. UnitedHealth Group’s technology unit, Change Healthcare, is currently facing an ongoing ransomware attack which has reverberated through healthcare systems and affected prescription deliveries. This should raise red flags for all healthcare organizations regardless of their size, but particularly for smaller organizations with limited budgets. After all, if companies as massive as Change Healthcare, who undoubtedly had advanced cybersecurity measures in place, can be breached then what makes your business immune?
The attack, attributed to the Blackcat ransomware gang—also known as ALPHV—underscores the critical importance of proactive measures to mitigate the risks posed by sophisticated cyber threats. Although the attack vector in the Change Healthcare breach has not been identified as of this writing, the same group was responsible for the massive MGM Resorts hack in September 2023 which started on LinkedIn with a social engineering-driven exploit.
Businesses should be compelled to reassess their own cybersecurity preparedness to ensure they have layers of protection from endpoints to email to comprehensive user training in place.
Lessons learned and actions to take
While a hugely devastating incident, this is not a random act. For example, throughout 2023 about one in three Americans were affected by health-related data breaches. The number of attacks continues to surge. They’ve typically been carried out by organized hackers, often operating overseas, who target the computer systems of health providers and the vendors and companies that serve them. Most of the largest hacks targeted vendors who bill, mail, or provide other services for hospitals, doctors, and other health providers.
Throughout the last year more than 133 million health records were exposed in data breaches mainly carried out by hackers who’ve attacked health providers and their vendors, infiltrated computer systems, and demanded ransom or other payments. That’s a record-breaking number of individuals affected. An average of two health data hacks or thefts of at least 500 records were carried out daily last year in the United States, according to an analysis by The HIPAA Journal.
A foremost lesson from this and other such incidents is the necessity of creating organizational awareness throughout healthcare organizations and deploying advanced endpoint detection and response (EDR) solutions to ensure real-time continuous monitoring of endpoint activities. The EDR approach is effective in detecting and responding to anomalous behavior indicative of a potential breach.
While larger enterprises may have the resources to deploy comprehensive cybersecurity infrastructure, smaller organizations must also take steps to prioritize strategic investments to bolster their defenses against evolving threats. After all, any healthcare-related business or associated vendor could be the next Change Healthcare.
Risk mitigation is critical
Beyond business disruption, cyber attacks can also leave a business open to legal repercussions. For example, in the case of the HCA Healthcare breach in 2023, one of the largest of the year that impacted more than 11 million patient records, the legal issues stemming from that breach are unrelenting for the health system. Attorneys for more than a dozen patient victims said that they “seek to hold HCA responsible” for the data hack “due to its impermissibly inadequate data security measures.” One patient’s attorney told USA Today, “If you’re going to be in the business of collecting (personal) data, you better take care of it.”
Moreover, these incidents highlight the pivotal role of employee training in mitigating cyber risks. Phishing attacks, a common vector for ransomware infections, often exploit human vulnerabilities through deceptive emails and other communications. Therefore, healthcare organizations of all sizes must provide comprehensive security training to employees, educating them on how to identify phishing attempts, exercise caution when interacting with email content, and promptly report suspicious activity to the IT department. Regular security awareness training must be conducted and sessions should cover broader cybersecurity topics to instill a culture of vigilance and proactive risk management for those working in and across the organization.
In addition to technological and human-centric defenses, organizations must prioritize the establishment of robust access controls and password policies. Implementing multi-factor authentication (MFA) and enforcing strong password hygiene practices can significantly reduce the likelihood of unauthorized access to critical systems and sensitive data. Furthermore, health systems must develop, implement, and regularly test backup and disaster recovery plans to ensure the timely restoration of operations and data in the event of a ransomware attack or other cybersecurity incident.
Not to be overlooked, every health organization should implement proactive engagement practices to minimize the impact of cybersecurity incidents. Developing comprehensive incident response protocols, including procedures for threat identification, containment, investigation, and recovery, enables these organizations to mount a coordinated and effective response to security breaches, thereby mitigating potential damages and minimizing disruption to operations.
Lastly, regulatory compliance should not be overlooked, particularly in industries subject to stringent cybersecurity regulations such as healthcare. Ensuring compliance with relevant standards and frameworks, such as HIPAA, provides a foundational framework for implementing effective cybersecurity measures and safeguarding sensitive data against unauthorized access or disclosure, but more, at a minimum, must be done to protect against attack.
The cybersecurity problem is not dissipating
Healthcare continues to be a prime target for cybercriminals seeking to exploit vulnerabilities in digital systems for financial gain and even smaller practices and groups are at risk. While larger healthcare organizations often make headlines for data breaches and ransomware attacks, the reality is that smaller health practices are equally susceptible to these threats, yet may lack the resources or awareness to adequately defend against them. For every Change Healthcare or HCA, there are thousands of smaller shops with troves of data waiting to be mined.
The daily reminders and the headlines serve as a stark reminder of the urgent need for healthcare organizations of all sizes to prioritize cybersecurity investments and initiatives.
For many small health practices, the concept of cybersecurity may seem distant or abstract, overshadowed by the daily demands of patient care and administrative tasks. However, the consequences of neglecting cybersecurity can be devastating. Ransomware attacks, in particular, have the potential to disrupt operations, compromise patient data, and inflict financial harm on practices ill-prepared to respond.
While the healthcare industry is pockmarked by persistent, continual, and evolving threats that challenge organizations daily, businesses do not have to stand unprotected from the assault. Even though smaller organizations may lack the extensive resources available to larger enterprises, strategic investments in next-gen, Ai-driven threat detection technology, managed solutions through IT partners, employee training, access controls, incident response planning, and regulatory compliance can significantly enhance their cybersecurity preparedness.
Health organizations must adopt proactive and holistic approaches to protecting their data from breaches and other threats. Businesses must safeguard the operations, for patient safety sake, and be ever vigilant with security measures.
Echoing the thoughts of industry insiders, this was no small attack, nor was it a one-time thing. Expect a non-stop cadence of such activity ahead. And these won’t be restricted to just the big organizations forever.
About Usman Choudhary
As the general manager for VIPRE Security Group, Usman Choudhary is responsible for executing the company’s product vision and strategy for advanced threat defense solutions. With contributions to several patented innovations in the early stages of the security space, he was instrumental in influencing the evolution of mission-critical cyber defense programs for the U.S. Navy (PROMETHEUS) and other government agencies, as well as security programs at Microsoft and other large enterprises. Before joining VIPRE, Usman held several product leadership roles to develop identity and security businesses at NetIQ, Novell, and eSecurity. He previously served ten years in technology innovation for the global brokerage industry. Usman received his bachelor’s degree in computer engineering from Rutgers University School of Engineering, and executive leadership education from Harvard Business School. In his personal time, Usman regularly contributes to several non-profit service initiatives nationally and was the recipient of the distinguished U.S. President’s Call to Service Award in 2013.