While all organizations are prone to cyber threats, healthcare remains particularly vulnerable due to the amount of personally identifiable information and patient data hospitals and clinics store. One study noted that breaches and attacks affected about 106 million individuals in 2023
At the same time, the healthcare industry needs to catch up when it comes to attracting enough cyber talent and making investments to keep up with cyber concerns.
Over the last month, the difficulties of protecting healthcare organizations have been vividly displayed following a ransomware attack that targeted UnitedHealth Group’s Change Healthcare subsidiary. The company processes about 15 billion U.S. healthcare transactions annually – making it involved in one in every three patient records – including for hospitals, pharmacies, laboratories and individual doctors, according to the federal government.
Following the attack, Change Healthcare disabled about 100 systems, leaving it unable to process claims across its primary platforms. In turn, some healthcare organizations and doctor’s offices have reported a lack of cash and are struggling to keep clinics open.
The attack has sparked at least one federal investigation by the U.S. Department of Health and Human Services to determine if Health Insurance Portability and Accountability Act (HIPAA) laws were violated. UnitedHealth and Change Healthcare have not reported yet how many patient records are affected or whether they paid off the ransomware gang responsible.
As with other large-scale cyber incidents affecting an organization and its tech infrastructure – as well as the larger public – the attack against Change Healthcare holds valuable lessons for tech and security pros, especially those interested in a career path within the large healthcare industry.
Experts noted that these attacks demonstrate where cyber defenses are most vulnerable and what skills are needed to improve them.
“Healthcare providers stand to experience some of the worst consequences of cyberattacks and data breaches, as they manage immense amounts of sensitive personal and health information about staff, members and patients. Companies that are the custodians of this critical information require a much higher bar for security and monitoring than other types of organizations,” Darren Guccione, CEO and co-founder at Keeper Security, recently told Dice.
“This [Change Healthcare] incident highlights the need for healthcare organizations large and small to prioritize strengthening their cybersecurity posture,” Guccione added. “While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations.”
As the story unfolds over the coming weeks, here is a look at four significant lessons from the Change Healthcare attack and what tech pros should know.
Improving Defense and Incorporating Zero Trust
In the wake of these incidents, tech pros and security teams must rethink their organization’s defenses. For security experts, this evaluation includes working toward a zero trust model, which reduces access to data and helps better identify those accessing applications and other resources within a network.
By shifting to a zero trust model, organizations stand a better chance of mitigating incidents such as ransomware.
“The challenge for most ordinary doctor’s offices is that sensitive information must be shared to protect human lives… This information has historically been stored almost everywhere, and most, lack zero trust capabilities to enforce better authentication before giving access to medical records,” Claude Mandy, chief evangelist for data security at Symmetry Systems, told Dice. “As a result, they have historically had no visibility of this information, and limited ability to control data access. This has required multiple tools to get some semblance of security, rather than leveraging modern data security capabilities to instantly and accurately identify and inventory all of your data and identities.”
Organizations must understand that while zero trust cannot stop an attack, having tech and security teams that know the concept and implementing security features such as multifactor authentication (MFA) can help minimize damage to infrastructure and protect customer and company data, Guccione added.
“While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations,” Guccione said. “The most effective method for minimizing sprawl if an attack does occur is by investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit if not altogether prevent, a bad actor’s access.”
Hone in on Threat Intelligence
What many organizations lack, especially in the healthcare field, is threat intelligence to better understand the cyber landscape and what exploits and vulnerabilities attackers are targeting.
The Change Healthcare attack and other incidents highlight an urgent need for hiring a more robust pool of skilled cyber professionals. At the same time, tech pros must bolster their skills to match these needs.
“These experts play a pivotal role in bridging the gap between defensive cybersecurity teams – blue teams – and organizational stakeholders. Integrating seasoned threat intelligence is not just an enhancement but a necessity for proactive security,” Ngoc Bui, cybersecurity expert at Menlo Security, told Dice. “This incident underscores the importance of evolving cybersecurity strategies, especially in high-risk sectors like healthcare, where data protection is paramount. The healthcare sector’s continued trend of being a high-value target for cyberattacks is directly related to the vast amounts of sensitive data it processes. Advancing threat intelligence capabilities within this sector is not just beneficial but essential for safeguarding against future breaches.”
By utilizing threat intelligence, healthcare organizations can better understand how groups such as ALPHV/BlackCat – the ransomware-as-a-service group believed responsible for the Change Healthcare attack – are taking advantage of vulnerabilities within their targets, said Steve Benton, vice president for threat research at Anomali.
“Using this plus the intelligence of their malware, ransomware, affiliate tactics, techniques and procedures in breaching organizations and deploying ransomware, and previous campaigns, gives security teams and business leaders a clarifying lens against which to prepare their resilience and sensitize themselves to the threats,” Benton told Dice. “If you are not already bonding threat intelligence to your security operations you are falling behind.”
Focus on Resilience
Benton also believes that healthcare, other critical enterprises, and tech pros must focus more on building resilience in their cybersecurity plans.
When attacks occur, organizations must be able to “anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems – including hostile and increasingly destructive cyber-attacks from nation-states, criminal gangs, and disgruntled individuals,” according to a definition provided by the U.S. National Institute of Standards and Technology.
When it comes to data, resilience includes deploying encryption and providing backups across critical systems with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), Benton noted.
Organizations are also advised to build resilience within their operational systems to minimize disruptions and ensure operations continue. Finally, there’s resilience within data theft and how to respond to ransomware and other attacks.
“Have you thought about how you will determine what data has been affected and how you will support potential victims – customers, employees, etc. – to reestablish their safety and security? And recognize that payments to the criminals only stoke the market and offer no guarantees that the data taken will be ‘returned’ and not traded onwards or later exploited,” Benton added.
Look for Ways to Collaborate
While ransomware attacks affect infrastructure and data, these incidents also have an impact on an organization’s bottom line and public reputation.
Tech pros who understand how to manage risk and can communicate these ideas across the organizations – whether up through the C-suite or down to individual employees – are in a good position to show their value. At the same time, the entire healthcare industry needs skilled workers who share intelligence and best practices.
“By working together, sharing intelligence, and implementing robust security measures, there's a stronger chance to protect critical infrastructure and sensitive data against the complex and evolving threats posed by cybercriminal syndicates,” Callie Guenther, senior manager for cyber threat research at Critical Start, told Dice. “The Change Healthcare incident serves as a stark reminder of the challenges in the cybersecurity realm and the need for vigilance and cooperation to counteract these threats effectively.”