Time flies when you’re having fun developing stricter cybersecurity protocols in response to a historic breach.
It’s been a year since the Change Healthcare cyberattack shut down pharmacies across the US, blocked hospitals and providers from accessing patients’ health insurance, and forced at least one nursing home to suddenly close.
Cybersecurity experts told Healthcare Brew that, in the time since, both industry and federal regulators have focused on developing stricter security rules, investing more money into cyber safety, and assessing where the next attack may come from.
“The attack had significant care delivery and financial consequences for patients, providers, and communities, endangering patients and threatening the solvency of US healthcare providers,” the American Hospital Association (AHA) said in a Feb. 19 statement. “Every hospital in the country felt the impact, either directly or indirectly.”
How the industry changed
Health system C-suites are now more aware of how important cybersecurity is, and are more willing “to spend money to put the right protections in place,” Mike Nelson, VP of digital trust at cybersecurity firm DigiCert, told Healthcare Brew.
“When breaches like Change happen, it gets the attention of the top executives in every company,” Nelson said. “Companies can no longer tolerate disruptions like that, where systems go offline, patients can’t receive care, you don’t have access to records.”
Execs have also learned that “security doesn’t happen overnight,” he added. It takes time and investment to be able to successfully implement stronger security protocols that use data protection techniques like cryptography, which obfuscates sensitive information so it can’t be seen by anyone who doesn’t have authorization.
Erik Pupo, director of commercial health IT advisory at consulting firm Guidehouse, said his company now spends a lot more time simulating cyberattacks in tabletop exercises to see how well their hospital and health system clients can respond to them.
The Change attack “definitely created a lot more work for us,” Pupo said. “It’s a lot more work for our customers, and they also tend to want to invest a lot more in the cybersecurity space.”
Regulatory adjustments
Regulators have also made some changes.
Investigators determined last May that the cause of the attack was that UnitedHealth, Change’s parent company, wasn’t using multi-factor authentication (MFA) for Citrix, its cloud computing platform, according to the House Committee on Energy and Commerce.
Navigate the healthcare industry
Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.
In October 2024, the New York State Department of Health published new cybersecurity rules requiring all hospitals use MFA. “That’s a direct cause and effect,” of the Change attack, according to George Pappas, CEO of healthcare cybersecurity compliance company Intraprise Health.
The US Department of Health and Human Services also proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) in January that would strengthen the cybersecurity protocols hospitals are required to follow, including mandating the use of MFA.
“The timing of that clearly correlates with what happened with the Change attack,” Nelson said. “I think regulators are seeing that they need more prescriptive and strong guidance for organizations to protect patient data and protect the systems that are facilitating that.”
Lessons to take forward
The cyberattack highlighted the need for hospitals and other healthcare companies to put more energy into risk management, Pappas said. That means finding vulnerabilities in a hospital or health system’s information databases in order to see where more stringent security protocols may be needed.
These steps will be important in the future as artificial intelligence (AI) can make cyberattacks more advanced, the experts agreed.
“You’re also seeing artificial intelligence now adding a layer of complexity, especially for underresourced and rural health and critical access hospitals,” Pupo said. “That’s definitely a concern with AI becoming more prolific in terms of what you can do.”
The AHA said in a February report the attack showed that third-party cyber risk—meaning there could be cyberattacks against a third-party company that has a contract with a hospital such as Change Healthcare—is the “most significant and disruptive cyber threat to healthcare.”
Getting prepared for potential attacks in the future will require collaboration between health systems and government healthcare agencies like the Centers for Medicare and Medicaid Services, according to the AHA.
“The AHA strongly urges government partners to use all their capabilities—including military and intelligence offensive cyber capabilities—to prevent attacks as well as assist when attacks occur,” the AHA wrote in the report. “Recognizing that defense is critical but insufficient, the federal government and allied nations must increase the risk and consequences for cyber adversaries.”