Lessons Learned from The Change Healthcare Cyberattack, One Year Later

by Dave Sampson, VP of Cyber Risk & Strategy at Thrive 06/05/2025


Just over a year ago, Change Healthcare was the target of the largest medical data breach in U.S. history. The cyberattack impacted over 190 million people in the U.S. and halted the healthcare technology company’s systems, causing months of outages. 

Change Healthcare provides solutions and services to hundreds of thousands of healthcare providers nationwide and processes billions of transactions each year. This attack had a massive ripple effect, preventing transactions, payments, and claims processing. It even led to appointment cancellations as hospitals were left at a standstill. Ultimately, the service provider’s parent company, UnitedHealth Group, was forced to pay a $22 million ransom. After the dust settled, this cyberattack showed healthcare organizations just how big of an impact an attack on a third-party vendor could have and underscored the critical need to strengthen their cybersecurity.

The good news is that this does not have to be the fate of healthcare providers. By learning from the Change Healthcare incident, organizations can prepare for future attacks, ward off threats, and avoid downtime. Here’s how.

Evaluate Third-party Vendors 

Organizations across industries rely on third-party vendors for solutions and services, and healthcare providers are no different. Many rely on IT service providers to maintain systems, store and secure patient data, implement telemedicine services and patient-facing mobile apps, and more.

For many healthcare providers, especially smaller organizations, these services would not be possible without the help of a third-party vendor, but any vendor partnership still comes with risks. Healthcare organizations entrusting sensitive data to a third-party vendor or relying on its services must conduct thorough evaluations and audits to identify vulnerabilities before working together.

Relying on third-party service providers and vendors widens the surface area for cyberattacks and increases risk, so organizations need to ensure third-party vendors follow appropriate regulations and prioritize security. This partnership in resiliency is not a short-term project but a long-term journey, so healthcare providers should continuously work with their vendors to follow the latest best practices and be prepared for crises. 

Develop Business Continuity Plans 

As the old saying goes, failing to prepare is preparing for failure. Healthcare providers need to have disaster recovery plans in place and protocols mapped out in the event of crises. A strong business continuity plan must include testing and validating how to keep operations running if a particular technology or third-party vendor goes offline. This plan is designed to minimize downtime and keep critical operations running in the face of cyberattacks.

Healthcare providers should communicate processes and hold mock scenarios to prepare for drastic situations, so their staff knows what to do in the face of unfortunate events such as a breach. Because the risk of a cyberattack is ongoing, preparation for crisis events should be continuous. Due to the sensitivity of their data, healthcare providers have some of the most stringent regulations of any industry, which is why business continuity plans must be a priority. 

Understand The Risk is Always There

There is no such thing as complete and total security. No matter who a healthcare provider partners with, which vendor they use, and which cybersecurity solutions they implement, there will always be at least a small amount of risk and vulnerability. The idea is to minimize this risk as much as possible. To do this, healthcare organizations need to implement cybersecurity solutions that make sense for their specific environment, train staff on security procedures and protocols, and conduct detailed reviews of third-party vendors. 

It is essential for any healthcare organization to consistently maintain a resilient cybersecurity standard. As we learned from the Change Healthcare attack, it only takes one opportunity for a bad actor to inflict a major security issue on any organization, large or small. The consequences can include long-lasting financial, operational, and reputational ramifications. It’s been over a year since the attack, but Change Healthcare’s brand name is still synonymous with this incident.

The good news for healthcare organizations is they are not alone as individual entities fighting off cyberthreats. They can work together to overcome security issues by sharing best practices, common challenges and solutions, and lessons learned. This collaborative approach helps build an open dialogue among the healthcare community through a common initiative to protect their organizations and patients. 

Gaining insights from outside sources is incredibly valuable, whether it’s a peer in the healthcare provider industry or a trusted expert cybersecurity services partner in the field. The latter option is especially beneficial for smaller healthcare providers who may not have the budget or resources for all the required security solutions and expertise.

Cybersecurity threats are only growing in pace and tenacity, which is why healthcare providers must take a proactive approach. As we learned from the Change Healthcare attack, every organization has vulnerabilities, and any organization could be a victim of a breach, so it’s essential to take the right precautionary steps to uphold high security standards.


About Dave Sampson

Dave Sampson is the Vice President of Cyber Risk & Strategy at Thrive. In his role, he heads Thrive’s Consulting Practice, where he and his team of experts join forces with clients to deliver strategic guidance on a range of topics including Cybersecurity, IT Operations, Cloud, Microsoft 365, Compliance, Disaster Recovery planning, and more. 

Over the course of his extensive career, Dave has taken up various influential positions in the industry. He served as a Senior Consulting Technical Solution Manager at IBM, held the roles of Executive Vice President and Chief Technology Officer at Itrica, founded and served as CEO of Cloud Provider USA, and held the position of Chief Technology Officer at ColoSpace.

Copyright © 2025. HIT Consultant Media. All Rights Reserved.