As reported in The Washington Post and other major news outlets, on February 21, 2024, there was a catastrophic attack on the nation’s largest medical claims clearinghouse, Change Healthcare, which is owned by UnitedHealthcare Group. Change Healthcare was infiltrated and taken down by cybercriminals affiliated with hacker collective AlphV. Some of the same AlphV attackers are credited with the 2021 attack on the Colonial gas pipeline system. Such a serious breach has dangerous implications for the healthcare industry and has reinvigorated conversations in the private sector and government on how to best protect sensitive medical information.
UnitedHealthcare Group is the nation’s largest private health insurer and largest employer of physicians. For decades, UnitedHealth’s staggering growth attracted relatively little Washington scrutiny, but the recent hack changed all that. According to The Washington Post, “Change Healthcare is a juggernaut in the health-care world, processing 15 billion claims totaling more than $1.5 trillion a year. It operates the largest electronic “clearinghouse” in the business, acting as a pipeline that connects health-care providers with insurance companies who pay for their services and determine what patients owe.
According to Jeff Goldsmith, an industry analyst, “It does not make sense to have a third of the health system’s payments going through one company’s pipes, as that becomes a national security problem.” Goldsmith estimates that more than 5 percent of U.S. gross domestic product flows through the company’s systems. In this case, hackers “used compromised credentials” to access Change Healthcare on Feb. 12 and reportedly spent the next nine days moving within Change Healthcare’s systems and stealing sensitive data linked to tens of millions of patients nationwide. Analysts estimated that doctors, hospitals and other providers were collectively losing as much as $1 billion a day.
Health care hacks are costly and potentially deadly. Studies have shown that hospital mortality rises in the aftermath of an attack. According to Steve Cagle, chief executive of Clearwater, a health care compliance firm, “Cybersecurity has become a patient safety issue.” As noted in the same NY Times article, attacks have cascading effects. For example, doctors are unable to look up past medical care, communicate notes to colleagues or check patient allergies and specific prescription protocols. Scheduled surgeries are canceled, and ambulances are sometimes rerouted to other hospitals even in emergencies because the cyberattack has disrupted electronic communications, medical records, and other systems. Research suggests that hacks have other cascading effects, lowering the quality of care at nearby hospitals forced to take on additional patients.
The cyberattack on Change Healthcare revealed the growing vulnerabilities that exist within the U.S. health care system. The massive ransom paid to retrieve the information, in addition to the leak of patient records, has alerted industry leaders and policymakers about the urgent need for better digital security. Hospitals, health insurers, physician clinics and others in the industry have increasingly been the targets of significant hacks, which is expensive and dangerous. Multiple media sources have reported that UnitedHealth paid $22 million in the form of bitcoin.
Cybercriminals target healthcare systems because it’s easy, valuable, and the data and information have real, long-standing value with the potential to disrupt and even destroy lives. For example, medical records can command multiple times the amount of money that a stolen credit card does. Unlike a credit card, which can be quickly canceled, a person’s medical information cannot be changed. Speaking to the NY Times, John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, a trade group, said, “We can’t cancel your diagnosis and send you a new one.” But he also said the records had value “because it’s easy to commit health care fraud.” Health insurers, unlike banks, often don’t employ elaborate methods to detect fraud, making it easy to submit false claims.
According to Geetha Thamilarasu, an associate professor of computing and software systems at the University of Washington, Bothell, patients’ health information is worth a lot of money to hackers. Once someone gets hold of a stolen medical record, they can buy fake prescriptions, file bogus insurance claims, participate in identity theft and sell it online, among other things, she said. “There is a huge underground market on the dark web,” said Thamilarasu, who specializes in health care security. “Research shows that if a compromised credit card sells for about $1 to $5 each, a compromised medical record can sell anywhere from $400 to $500 — sometimes even $1,000.”
According to Thamilarasu and other industry analysts, health care organizations, like many others, have spent the last decade moving toward total digitization, creating some new risks. “Health records are no longer paper,” Thamilarasu said. “While having digital technologies is often great and provides more convenience, it also opens them up to these security vulnerabilities. I think this is becoming more of a problem in health care than any other institution.”
Last year (2023), HHS reported the highest number ever of major health data hacks: 725, and people impacted by those hacks: 133 million. Those numbers eclipsed the previous record in 2015 when hackers targeted the health insurance giant Anthem.
Cybersecurity consultants and government officials have consistently identified health care as the sector of the U.S. economy most susceptible to attacks, and as much a part of the nation’s critical infrastructure as energy and water.
Experts say applying minimum cybersecurity standards to the health care industry is possible, but complicated. The regulatory framework for healthcare is also old and fragmented. Even as attacks on health care facilities have exploded in recent years, it can be hard for small and medium-sized health care entities to spend significant sums on cybersecurity. Costs for personnel and equipment, along with day-to-day expenses, can limit investments in cybersecurity. Some have argued for a new regulatory entity to enforce standards for health technology stakeholders or financial support to invest in cybersecurity personnel and technology.
Alarmed by the scope and depth of the recent UnitedHealthcare attack, lawmakers and regulators are beginning to frame UnitedHealth’s sweeping operations as an economic and national security concern. The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care sector’s security posture.
A bill proposed by Sen. Mark Warner, D-VA, co-chair of the Senate Cybersecurity Caucus, would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards. Under Warner’s bill, health care providers could be eligible for advanced payments through the Centers for Medicare & Medicaid Services (CMS) if they met so-far undetermined minimum cybersecurity standards established by the secretary of the Department of Health and Human Services. If a provider’s intermediary was the target of the incident, that intermediary would also have to have met those standards, according to the legislation.
The safety of medical information is top of mind for everyone in the cybersecurity industry, but the industry has been slow to adopt strict cybersecurity standards. However, recent cyberattacks have sparked a renewed push among many health care organizations to bolster protections.
It’s clear that minimum requirements and best practices will become more and more incorporated into the healthcare environment. However, all solutions will need training as a central element to recovery. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.
At CYRIN we continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.
In an increasingly digitized world, training, and experiential training is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.
Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!