SecureWorld News

What's the Prescription for Cyber Resilience in Healthcare?

Written by Kip Boyle | Tue | Apr 9, 2024 | 12:12 PM Z

Have you noticed that the latest cyberattacks are threatening the very existence of many smaller medical clinics and their doctors' ability to deliver care?

You might not have because this fact is wildly underreported in the U.S. national mainstream news.

Think urgent care centers, cancer treatment, and primary care doctors.

And the government is almost powerless to stop these cybercriminals.

The recent cyberattack that took offline the largest U.S. medical billing and electronic payment system, operated by Change Healthcare, a large division of UnitedHealth Group, is only the latest, and maybe the greatest, example.

[RELATED: Hospitals Seek Federal Help as Change Healthcare Ransomware Attack Disrupts Payments]

The attack has left hundreds, if not thousands, of providers all over the U.S. unable to get insurance approval for services ranging from a drug prescription to a life-saving operation, and unable to be paid for taking care of patients, which has left them with piles of unpaid claims and almost no money in their bank accounts.

We appear to be watching the collapse of a major segment of the healthcare financial ecosystem.

To the doctors and their teams, it feels like they're battling a huge threat they can neither see nor understand. It's keeping them from doing their most important work, and no one is offering any viable workarounds.

This situation is forcing tough choices between closing their clinic or using their own money, sometimes putting their family homes up as collateral for loans, to stay open.

But it's not just doctors.

Many pharmacies have been unable to give patients medicine due to insurance verification failures.

Our modern healthcare system is deeply dependent on computers and data networks, yet we pretend otherwise until something awful happens, like the situation we're in right now.

At this point, due to the disruptions from this cyberattack, healthcare providers in aggregate are losing up to $1 billion a day.

Though the largest health systems can likely survive this assault, Moody's Ratings warned "even large providers with thin margins and weak liquidity are not immune and will eventually" struggle to keep their doors open.

Worse yet, UnitedHealth Group (parent of Change Healthcare) has already been named in at least six class action lawsuits accusing it of failing to protect millions of people's personal data in last month's hack of Change Healthcare. More lawsuits are likely.

Can it get any worse? Yes.

If Change Healthcare could have remained operational in the face of its cyberattack, it might not have lost hundreds of thousands of customers to competitors.

After the hack, a competitor named "Availity" set up a stripped-down claims-processing service that medical providers can use for six months at no cost.

The company has onboarded around 300,000 medical providers so far and has a backlog of at least 50 health systems waiting to start using the platform.

In total, Availity has processed more than $5 billion in claims that couldn't be submitted through Change's systems.

Just as in 2017, when thousands of customers defected from express delivery company TNT Express (a FedEx subsidiary) to DHL in the aftermath of the NotPetya cyberattack, which caused an estimated $10 billion in damage worldwide, most of those customers will likely not return to Change.

The lesson for us? Cyber resilience is a long-term competitive advantage.

Since the government can neither stop these cyberattacks nor deliver relief, we have to accept that we're on our own to protect ourselves and to recover from cyber failure.

This requires more than better cyber hygiene; it means culture change and a shift in the way we see ourselves.

Culture change because everyone has to take up a role-appropriate set of responsibilities to protect and recover from cyber failure. This isn’t just IT's problem to deal with.

Listen: "How to Really Make Sure that Cybersecurity Is Everyone's Job" https://cr-map.com/podcast/88

And, we need to get past this identity crisis: We're not just doctors; we're technologists who happen to know a lot about keeping people healthy.

Listen: "Easy Target due to Corporate Identity Crisis" https://cr-map.com/podcast/104

To be clear, the above applies to all industries, not just healthcare.

But, despite the financial pain of the attacks, and the harm to patients, including deaths, the head of the American Hospital Association (AHA) recently wrote a letter to the Senate Finance Committee saying that his trade group "cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime."

Hospitals and healthcare entities have invested enormous sums into cybersecurity, the AHA said in its letter. They added that most attacks are carried out via third-party technology or other vendors, and because of that fact, it would be unfair to hold cash-strapped hospitals accountable.

Talk about tone deaf.

I'm doubtful the Federal Trade Commission (FTC), which enforces the reasonable cybersecurity standard in the U.S. markets, would side with the AHA.

You know there's no "easy button" that can fix this for us, right?

We have to accept that the world has changed, and we have to change with it.

If you already agree with me, share the information above with your senior decision makers and get busy implementing the "Essential Eight" cyber hygiene practices published by the Australian Cyber Security Centre (ACSC):

•  Perform regular data backups
•  Restrict administrative privileges
•  Require multi-factor authentication
•  Patch applications
•  Patch operating systems
•  Implement application control
•  Restrict Microsoft Office macros
•  Make user applications attack resistant

Listen: "Quick look at the “Essential Eight” mitigations" https://cr-map.com/podcast/63
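The eight controls above are policy statements; the practical question on every clinic workstation is whether they are actually in effect. The following PowerShell script is an added example (mine, not the article's and not ACSC tooling) that spot-checks three of them on a single Windows endpoint: Office macro restrictions via the Group Policy registry values Office honours, the size of the local Administrators group, and the age of the newest installed OS update. The thresholds ($maxAdmins, $maxPatchAgeDays) and the Office version path ('16.0') are assumptions to adjust for your environment.

```powershell
# Added example, not from the article: spot-check three Essential Eight controls
# on one Windows workstation. Run in an elevated Windows PowerShell 5.1 session.
# The thresholds and the Office version path are assumptions; adjust them.

$findings = @()

# --- Restrict Microsoft Office macros ---------------------------------------
# Office reads these policy values (normally pushed by Group Policy or Intune):
#   VBAWarnings 4 = disable all macros without notification,
#               3 = disable all except digitally signed macros;
#   BlockContentExecutionFromInternet 1 = block macros in files carrying the
#               Mark of the Web (downloaded from the Internet or e-mail).
$officeVersion = '16.0'   # assumption: Office 2016/2019/2021 or Microsoft 365
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key  = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings `
             -ErrorAction SilentlyContinue).VBAWarnings
    $motw = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet `
             -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
    if ($vba -notin 3, 4) {
        $findings += "[$app] macros are not disabled by policy (VBAWarnings=$vba)"
    }
    if ($motw -ne 1) {
        $findings += "[$app] Internet-origin macros are not blocked (BlockContentExecutionFromInternet=$motw)"
    }
}

# --- Restrict administrative privileges ------------------------------------
# Every member of the local Administrators group is a full-compromise target;
# day-to-day user accounts should not be in it.
$maxAdmins = 2            # assumption: built-in Administrator plus one break-glass account
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
if ($admins.Count -gt $maxAdmins) {
    $findings += "Local Administrators has $($admins.Count) members: $($admins.Name -join ', ')"
}

# --- Patch operating systems ------------------------------------------------
# Age of the newest installed update. Get-HotFix only sees updates that register
# as hotfixes, so treat a stale result as a prompt to check WSUS/Intune, not proof.
$maxPatchAgeDays = 14     # assumption; ACSC expects faster patching for exploited bugs
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += 'No installed updates reported by Get-HotFix'
} elseif (((Get-Date) - $latest.InstalledOn).Days -gt $maxPatchAgeDays) {
    $findings += "Newest update $($latest.HotFixID) was installed on $($latest.InstalledOn.ToShortDateString()), more than $maxPatchAgeDays days ago"
}

# --- Report -----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host "$($env:COMPUTERNAME): no findings for the three checked controls"
} else {
    Write-Host "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The script deliberately checks only what a single endpoint can answer about itself. Multi-factor authentication, backups, application control and user application hardening have to be verified where they live: in the identity provider's sign-in logs, in the backup system's restore tests, in the effective AppLocker or WDAC policy, and in browser and PDF-reader policy. Run it across a fleet (for example via a scheduled task that writes the findings to a central share) and you have the beginnings of evidence that the eight practices are in force, rather than merely on a slide.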

Oh, and just to pile on: the U.S. Department of Health and Human Services (HHS) has launched a formal inquiry into UnitedHealth over the Change Healthcare hack.

Cyber-resilient organizations minimize the effects of cyberattacks. That means all of the above: operational disruption, reduced revenue, lost customers, lawsuits, interactions with regulators, and the biggest hit of all, damaged reputation.

If you want to learn about an organization that did a masterful job of showing the world how cyber resilient it was, check out Norsk Hydro's response to the March 2019 LockerGoga ransomware attack.

I want you to choose one thing you're going to do to become more cyber resilient. Then make it happen.

Reach out to me on LinkedIn if you'd like to discuss: www.linkedin.com/in/kipboyle

To learn more and connect with cybersecurity leaders across the healthcare and medical sectors, attend the SecureWorld Healthcare virtual conference on May 1, 2024. See the agenda and register for free here