Health care practices must ‘have a playbook’ to prepare for, respond to cyberattacks

Six months after the ransomware attack on Change Healthcare, the far-reaching impacts on medical practices, providers and patients continue to be felt.

So does the fear that similar breaches will become more common — and even more disruptive.

Change Healthcare is a health payment processing company that handles an estimated 15 billion medical claims annually.

A cyberattack — reported Feb. 21 — knocked the UnitedHealth Group subsidiary offline, cutting off billions of dollars in payments to medical practices and jeopardizing sensitive information for millions of patients.

In an interview with NBC News, Rick Pollack, MPA — CEO of American Hospital Association — described the attack as “the most serious incident of its kind leveled against a U.S. health care organization.”

However, it is far from an isolated incident.

“Cybersecurity attacks in health care are a problem and, by the data, they’re getting much worse,” George T. “Buddy” Hickman, C-DHE, CHCIO, LCHiME, FCHiME, LFHIMSS, chief digital and information officer at Roswell Park Comprehensive Cancer Center, told Healio.

HHS statistics on cyberattacks in health care show a 239% increase in large breaches involving hacking and a 27% increase in ransomware over the last 4 years.

An estimated 725 HIPAA data breaches occurred in 2023, according to the Health Sector Coordinating Council Cybersecurity Working Group, a coalition of health care providers, medical technology companies and other entities that work with the government to mitigate cyber threats to the health care system. Another 141 ransomware attacks struck hospitals, with an average ransom of $1.5 million per institution, according to the working group.

The health care sector is ripe for attack because of the amount of money, sensitive data and personal information cybercriminals can steal and exploit, according to experts with whom Healio spoke.

“We have seen it in large health organizations, smaller health systems and in individual practices,” Margaret Lozovatsky, MD, FAMIA, the AMA’s vice president of digital health innovations, said in an interview. “That just speaks to the fact that technology has become such an integral part of care delivery. Every area where we are providing clinical care has the potential to be impacted, and there are a lot of vulnerabilities in those spaces.”

A matter of ‘when,’ not ‘if’

Change Healthcare paid a $22 million ransom to the hacker organization BlackCat — also known as ALPHV — to regain control of its system. However, paying the hackers did not prevent myriad disruptions to providers and patients.

The American Hospital Association surveyed U.S. hospitals about the attack’s impact.

The findings — based on responses from nearly 1,000 hospitals collected March 9-12 — showed 74% of hospitals reported direct impacts on patient care. These included inability to file claims, receive payment for care they continued to provide, confirm patient insurance eligibility, submit electronic prescriptions, process electronic prior authorizations or complete many other administrative tasks.

Almost all respondents (94%) reported financial impacts, with more than half characterizing them as “serious” or “significant.” Nearly 60% of respondents reported the impact to their revenue totaled $1 million or more per day.

The AMA conducted two surveys this past spring to assess the economic harms to practices and the impact on patient care.

The more recent survey — released April 29 — showed most respondents continued to face barriers to claim submission (75%), inability to receive electronic remittance advice (79%) and disruptions in claim payments (85%).

“If you want to understand the severity of this event, consider that it’s summer and we’re not done yet,” Theresa Payton, MS, CEO of Fortalice Solutions, a boutique cyber firm that serves the Fortune 100 and other large privately held firms, told Healio. “We’re still feeling the ramifications, with some hospitals not receiving payments for weeks and others questioning their financial solvency.

“We haven’t even discussed the ongoing damage from records being released,” added Payton, who served as the White House chief information officer from 2006 to 2008. “Depending on what’s in these records, there could be information that could be used for extortion and blackmail.”

According to Hickman, the three largest attacks on the U.S. health care industry prior to this year targeted HCA Healthcare in 2023 (11 million patients affected), Community Health Systems in 2014 (6.1 million affected) and Tricare in 2011 (4.9 million affected).

By comparison, one-third of all Americans — or more than 110 million people — could have had their personal data compromised in the Change Healthcare ransomware attack, UnitedHealth CEO Andrew Witty told Congress in May.

It could take “several months” before everyone affected would be notified, Witty added.

The success of the Change Healthcare attack appears to have prompted a new wave of similar threats.

The cybersecurity firm Recorded Future tracked 44 health care attacks — including ransomware — in April, according to a story published in Wired. That is the most the company recorded during a single month in its 4 years of data collection, according to the story.

On May 8, the nonprofit health care organization Ascension experienced a cyberattack that disrupted access to its electronic health records, patient portals, phones, and the systems it uses to order tests, medications and procedures. The attack forced Ascension — which operates 140 hospitals across 19 states — to turn ambulances away from facilities.

“Despite each organization’s best efforts, they will inevitably be a target of cybercriminals," Payton said. "It’s not a matter of 'if' they will get in but 'when.' When they do, what will they get away with, and what kind of mayhem will they create?

“It is vitally important for organizations to prepare for this reality," Payton added. "When impacted by a cybercriminal syndicate — whether they take a system offline, lock files or steal data — organizations must focus on minimizing and mitigating damages. They need to ensure they can continue to function even while dealing with a cyber incident. It’s easier said than done, but it’s the crucial question every health care organization must address.”

The problem is not necessarily isolated to developed countries where digital records are commonplace, according to Eric Ramirez, MSc, MBA, a senior implementation officer at Data.FI, which has helped more than 20 countries strengthen their health information systems, including lower income countries with high incidences of HIV.

“We all want countries to continue to advance their digital transformation journeys. But this is a long-term, ongoing process,” Ramirez wrote. “In the meantime, we must address information security risks as we find them. And while cybersecurity’s focus on all things digital makes an intuitive sense, an overly digital focus is not sufficient to address the challenges faced by international development health projects.”

‘Culture shift’ needed

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients — a publication released last year by HHS — outlined the top cyber threats for health care as determined by industry leaders and government representatives.

They included social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and attacks against network-connected medical devices.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework uses a 5-point scoring scale to rank how well an organization performs, with 5 being the best, Hickman said.

“Some industries routinely demonstrate an aggregated score of 4 or 5,” Hickman said. “The average score across the health care sector is between 3 and 4.”

Many vulnerabilities can be exploited through insufficient protections or even human error.

For example, email phishing schemes are common, with third parties trying to entice individuals to click a corrupted link or download a dangerous file that could allow hackers access to a single device or broader network.

“[There needs to be] a culture shift from viewing cybersecurity as an IT problem to understanding that cybersecurity is a patient-safety issue,” Lozovatsky said. “[This requires] educating all of our clinicians how to do their part in protecting health care data.”

Systems also can be breached if workers use easily guessed passwords. Payton said she still sees some employees — even administrators — at health care institutions sharing passwords.

“I understand the convenience, but it's time to leave outdated practices behind,” Payton said. “Sharing passwords is a risk that organizations can no longer afford. It’s crucial that system administrators use unique, robust logins that aren’t easily guessed by outsiders.”

In some cases, individuals use the same log-in information at their job as they do for social media platforms. In others, clinicians leave their credentials visible in photos that could be shared online.

“I love seeing social media posts where doctors are engaging with the community, unveiling new research or participating in events," Payton said. "However, it’s vital to ensure that doctors' [log in] credentials are not visible in these posts. Even basic digital information can be exploited for identity theft or tracking on social media. Be very cautious of direct messages asking you to click on links, view pictures or open files. These could be attempts to breach your health care institution through you.”

Vulnerability also can be created when health care workers text patient information to each other, Lozovatsky said.

“That is not a safe way to transfer information,” Lozovatsky said. “That is a very big risk for data breaches, so it is very important to make sure that people are using secure texting platforms.”

Cybercriminals aiming to target a health care institution have options beyond employees. Larger medical centers, for example, may have non-employees who have user accounts on the system.

“They may not always log in, so they may not notice strange behavior and activity on their accounts,” Payton said. “There may not be an easy baseline to show anomalous behavior.”

Cybercriminals also can capitalize on outdated technology to infiltrate systems. Payton referred to this as “technical debt.”

“Technical debt can manifest in various challenging ways,” she said. “It might involve being tied to a vendor platform with outdated technology and no viable alternatives. Or, consider a multifactor authentication program you implemented years ago — while it was cutting-edge at the time and required substantial investment and training, it may now be obsolete. Updating or replacing it can be complex and disruptive.”

The post-pandemic increase in remote working also can be a weakness.

“It’s up to all of us to ensure that we’re using these technologies in the safest way possible,” Lozovatsky said.

Risk assessment: Find your deficiencies

The Change Healthcare attack occurred in part due to the compromised server not having multifactor authentication, Witty told Congress.

Multifactor authentication forces users to input multiple pieces of information to gain access to an account, such as a password and a separate unique code to verify the user’s identity.

UnitedHealth Group acquired Change Healthcare in 2022, and the server lacked the security protocol.

“It’s hard to know, in retrospect, if multifactor authentication would have successfully thwarted this, but a lot of studies have shown [some] cybercriminals are using as their only attack vector credential stuffing, which is the reuse, manipulation and adjustment of past IDs and passwords. You’re just playing around with different sequences and combinations,” Payton said. “According to a report by Microsoft, multifactor authentication has been found to be successful warding off 90% of credential stuffing attacks. Had the cybercriminal syndicate been one of those where that’s the only thing they do, maybe we wouldn’t be talking about this.”

However, many cybercriminals are persistent, Hickman said. They can spend more than a year studying an institution, waiting for the perfect moment to strike.

This reinforces the need for health care practices to be diligent about cybersecurity protocols.

Multifactor authentication is critical, but it is far from the only safeguard.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients listed 10 practices to improve cybersecurity. These strategies include email protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, network-connected medical device security, and cybersecurity oversight and governance.

Software and systems must be updated and patched regularly, and replaced if needed, though Payton acknowledged this can be time consuming and expensive.

“There’s a continual balancing act,” Payton said. “How do we ensure that all doctors, nurses and staff are fully trained on the technology? How do we guarantee comprehensive training for the back office while maintaining security? And, crucially, how do we keep systems operational, knowing that every minute counts in saving lives?”

Risk assessments can be performed to find deficiencies in each institution or practice’s system.

Payton identified several key questions to address, including: How do things work? How do you check people in? How do you follow up with them? Where does technology play a role?

“Any of those human interactions where technology plays an enabler, those are potential places that you need to do a risk assessment and understand if a cybercriminal were to get in between the doctor, the nurse, the front office and the patient, what kind of information could be at risk?” Payton said. “Is there anything different we can be doing that is cost-effective? You don’t want to take money and resources away from patient care, but you do want to protect the patient-doctor relationship.”

‘Good cyber hygiene’

It is important for institutions to invest in people, Hickman said — specifically those trained to protect the enterprise and its patients.

Large centers should have a chief information security officer — which some industries and states require — along with cybersecurity employees and IT professionals, Hickman said.

“And then you need the investment of a leadership governance process that assures that all things technology have a ‘cyber due diligence’ review before acquisition or before deployment,” Hickman added. “This assurance adds up to real money.”

Hickman acknowledged not every center or practice has the necessary funds to do everything. In those cases, they must get creative rather than foregoing investment, he said.

For example, institutions can ask their hospital association for guidance. They also can explore state or federal aid sources.

“Tune into what the cybersecurity firms and vendors in our industry have available,” said Hickman, citing virtual chief information security officers as one example. “This person or persons from a cybersecurity assurance firm is able to manage the cybersecurity portfolio work and guide it across several organizations. Therefore, there is a scaled economy versus trying to hire a person for one’s self. That aspect of business is continuing to increase.”

Training employees is vital, too, as is creating awareness of potential problems.

The AMA has an educational hub on its website that features Cybersecurity for the Clinician, an eight-part video training series that explains what clinicians and trainees need to know about how cyberattacks can affect clinical operations and patient safety, as well as the actions they can take to protect systems and data.

Payton said she likes training that is “stackable” and “snackable.”

“Consider implementing a ‘topic of the week’ or ‘topic of the month,’” she said. “Focus on one subject at a time, making it both engaging and informative. This approach ensures that the topic seamlessly integrates into their daily routine and thinking.”

Health care employees can take simple steps to boost security, such as creating longer passwords, changing passwords for each platform, and making sure all communication is delivered via encrypted channels.

They also should be instructed never to click on questionable links or attachments. If something looks convincing but an employee wants to err on the side of caution, Payton recommended the website virustotal.com. The site analyzes files, domains and URLs to detect malware or other breaches.

“It’s not foolproof, but it scans over 70 different sources of information, and it can come back and tell you in a moment,” Payton said. “That can be a really easy, cost-effective way for doctors to protect the work that they’re doing.”

These practices can extend beyond the professional setting.

“Good cyber hygiene is critical in health care research settings, and good cybersecurity hygiene at work becomes good cybersecurity hygiene at home,” Hickman said. “Your home and family need all those same cybersecurity protections and behaviors that we practice at work.”

‘Have a playbook’

Even if all safety measures are implemented, health care institutions of all sizes remain at risk. Consequently, they must be prepared to respond if their system is breached.

“Have a playbook,” Payton said. “Assume your worst day happens, and have the whole organization exercise that nightmare scenario to learn where you have gaps, either in technology, visibility, insurance or response. Who do you call? What’s the ‘call tree’ look like? Rehearse that exercise to make sure you have the best playbook possible.”

If medical centers or health care practices do not have this type of detailed response plan, there are ways to get started.

Payton suggested contacting the nonprofit Health Information Sharing and Analysis Center or local FBI offices.

“They have a vertical around health care organizations, and they can be a great resource to tap into to do threat briefings for your doctors, nurses and front office,” Payton said. “They won’t name victims, but they’ll tell you the different types of attacks they’re seeing hit.”

Another option is to tap into the experience of other institutions or practices.

“Start by leveraging existing resources rather than reinventing the wheel,” Payton said. “Begin with what you have and feel free to make adjustments. Then, hire a skilled facilitator who can guide the process, keep discussions on track and provide objective feedback. After running through the exercise, the facilitator can highlight areas of confusion and offer targeted advice for improvement. Aim to conduct these exercises at least once a year to continuously enhance your approach.”

Another way to improve cybersecurity across health care is to educate professionals at earlier ages.

“All technology training from the medical perspective is still early in its iteration because, when many of the practicing physicians trained, these technologies were not there,” Lozovatsky said. “Integrating this from the beginning in medical education — in medical training — is going to be really important, and that has not necessarily kept up with the speed of change of technology.”

Some medical schools are putting clinical technology and cybersecurity into the curriculum, but more must be done, Lozovatsky said.

If she could design a curriculum, she would focus on case-based learning and clinical scenarios about how to protect data.

“Culture change doesn’t happen overnight,” Lozovatsky said. “It has become more and more important for us to continue to bring this to the forefront of everyone’s mind.”

Addressing ‘unchecked consolidation’

Beyond vigilance at the individual or institutional levels, calls are intensifying for broader actions across the private sector and federal government to combat the rise in — and impacts of — cyberattacks in the health care industry.

"As a first step, cybersecurity insurance should be more accessible and affordable — especially for small, physician-owned practices," Steven P. Furr, MD, FAAFP, president of the American Academy of Family Physicians (AAFP), told Healio. "Although cyber insurance is available to protect small businesses against losses stemming from a cyberattack, our members reported burdensome requirements to access coverage."

The Change Healthcare attack was so devastating because of a lack of oversight on industry consolidation, Furr added.

“Much of the nation’s health care system —including large and small physician practices — is reliant on the services from a small number of companies, such as Change Healthcare. That’s why the AAFP urged Congress to closely examine how unchecked consolidation impacts the overall health system from the perspective of patients and the physicians who care for them,” Furr said.

The AAFP shared recommendations with the House Energy and Commerce Subcommittee, with Furr emphasizing there is no hospital system or medical office “too big or too small” to avoid cyber threats.

“As a first step, we need wide-scale national health care interoperability, which would enable organizations to seamlessly shift systems if one platform or technology was unavailable due to a cyberattack,” Furr said. “This lack of interoperability, coupled with consolidation, has resulted in a health care system that is not resilient and vulnerable to future cyberattacks.

“Additionally, work is needed to fortify the resiliency of our nation’s health care infrastructure,” he added. “For other companies vulnerable to similar attacks, it is necessary to understand what contingencies are in place among payers and vendors if cyberattacks of similar scale and scope of Change [Healthcare] are realized in the future.” – by Josh Friedman

For more information:

George T. “Buddy” Hickman, C-DHE, CHCIO, LCHiME, FCHiME, LFHIMSS, can be reached at askroswell@roswellpark.org.

Steven P. Furr, MD, FAAFP, can be reached at aafp@aafp.org.

Margaret Lozovatsky, MD, FAMIA, can be reached at margaret.lozovatsky@ama-assn.org.

Theresa Payton can be reached at fortalice@society22pr.com.

References:

• American Hospital Association. AHA survey: Change Healthcare cyberattack significantly disrupts patient care, hospitals’ finances. Available at: https://www.aha.org/2024-03-15-aha-survey-change-healthcare-cyberattack-significantly-disrupts-patient-care-hospitals-finances. Published March 15, 2024. Accessed Aug. 19, 2024.
• AMA. Cybersecurity for the clinician. Available at: https://edhub.ama-assn.org/hscc-education/video-player/18875913. Accessed Aug. 19, 2014.
• AMA. Change Healthcare cyberattack. Available at: https://www.ama-assn.org/practice-management/sustainability/change-healthcare-cyberattack. Published May 20, 2024. Accessed Aug. 19, 2024.
• Health Sector Coordinating Council Cybersecurity Working Group. Healthcare cybersecurity is in critical condition. Available at: https://healthsectorcouncil.org. Accessed Aug. 19, 2024.
• HHS. What’s new in the HICP 2023 edition. Available at: https://405d.hhs.gov/Documents/405d-hicp-highlight.pdf. Accessed Aug. 19, 2024.
• NBC News. Ransomware attack on U.S. health care payment processor ‘most serious incident of its kind.’ Available at: https://www.nbcnews.com/tech/security/ransomware-attack-us-health-care-payment-processor-serious-incident-ki-rcna141322. Published March 1, 2024. Accessed Aug. 19, 2024.
• Neprash HT, et al. JAMA Health Forum. 2022;doi:10.1001/jamahealthforum.2022.4873.
• Ramirez E. Cybersecurity and health records: Leaving no one behind globally. Infectious Diseases Society of America. Sept. 8, 2023. Accessed July 29, 2024.
• U.S. News & World Report. Explainer: What to know about the Change Healthcare cyberattack. Available at: https://www.usnews.com/news/health-news/articles/2024-03-04/explainer-what-to-know-about-the-change-healthcare-cyberattack. Published March 14, 2024. Accessed Aug. 19, 2024.
• Wired. Ransomware is ‘more brutal’ than ever in 2024. Available at: https://www.wired.com/story/state-of-ransomware-2024/. Published June 18, 2024. Accessed Aug. 19, 2024.