The Change Healthcare cyberattack: lessons for data security

©maxsim-stock.adobe.com

The effects of the Change Healthcare cyberattack have rippled through the health care sector over the past few months, leading to outages, payment delays, and even cancellation of patient appointments. Hospitals and other health care organizations are learning, sometimes the hard way, that their cyber resiliency needs to be improved.

The increasing complexities of modern health care make keeping critical IT systems up and running more crucial than ever. Considering the growing dependence of health systems on connected technology, coupled with the wide-ranging impact of cyber intrusions, health care must take cybersecurity seriously. Care for patients and critical functions and operations increasingly depend on interconnected IT systems.

In the health care sector, the damages of a cyberattack can go well beyond financial issues or disruptions in operations. They could affect patient safety, compromise private medical information, and chip away at trust in the treatment provided and the health care system. With tightly integrated IT systems at work today, focusing on cybersecurity is essential in protecting patient care and the integrity of the practice or organization.

Assessing third-party vendor risks: a critical imperative for health care organizations

One lesson from the Change Healthcare breach is that organizations must carefully monitor and mitigate third-party vendor risks. Because health care organizations might need more financial or technological means to develop and maintain systems in-house to store and access such data effectively, they often turn to third-party vendors for many of their most essential services and solutions such as:

• Electronic health record systems
• Telemedicine platforms
• Diagnostic medical devices
• Identifying fake health apps
• Medical-grade facial recognition systems

Of course, these partnerships can bring significant benefits in helping hospitals and clinics operate more efficiently and effectively, not to mention aiding advances in medical research, treatment, and diagnoses. But they can also create new opportunities for hackers. Health care leaders must screen their vendors, depict the opportunities for malign actors when health care organizations work with third-party vendors, and build more resilient cybersecurity protocols to protect people against flawed technologies.

Ensuring operational resilience in the face of cyber attacks

All health care systems should develop business continuity plans to ensure operational resilience in the face of cyber incidents. These plans can set out response and recovery processes to be followed after a cyber incident and should be tested and validated regularly.

This can have defined scenarios simulated continuously to ensure the organization is optimally prepared for a future cyberattack or another issue. Health care leaders must accept that the risk of cyber attacks is persistent regardless of any amount of brand association or scale of operations. As an industry with some of the most sensitive data, health care is an ideal target for cybercriminals, and the most common attack will occur with only one unpatched vulnerability. This puts individual organizations at risk and can jeopardize the entire sector.

How managed security services can help fortify cyber resilience

Given these obstacles, health care organizations must make cybersecurity one of their essential operating functions. That means anticipating and preparing for threats, using advanced tools and best practices to detect, prevent and respond to them, and taking immediate action to ensure that patients can stay safe and receive quality care in a system where their data is secure.

Managed security services providers need to be prepared against the ever-evolving threats to their cyber resiliency because their services rely on the integrity of their information systems to offer care where no one else can or to provide valuable information that materially impacts health outcomes for patients.

Collaboration is not an option but a must in the fast-evolving health care cybersecurity field. As we see the impact of recent cyberattacks on health care, such as the Change Healthcare incident, it is more evident than ever that the health care sector must engage with peers, industry leaders, regulators, and the cybersecurity community to improve cyber resilience, mitigate threats, and forge a future of health care cybersecurity. Another way to collaborate is by sharing lessons learned and best practices.

For instance, a collaborative platform such as an information sharing and analysis center (ISAC) or industry consortium could assist health care organizations by providing collective market and threat intelligence to enable earlier detection of threats and trends. This helps organizations close the gap on their known, unknown, and potential vulnerabilities, and address them before they occur.

The health care sector can help create the regulatory environment for cybersecurity. Health care organizations can engage with regulators and agencies to develop a shared understanding of cybersecurity. Regulators could look towards a group of health care companies to establish compliance standards and set governance regulations, creating coordinated regulatory specifications. Regulatory alignment with the health care sector will bring consistency and make health care cybersecurity a core requirement for the market.

Michael Gray is CTO of Thrive