Safeguarding patient data in an era of interconnected health care systems

Jason Hogg, MBA

The ransomware attack on Change Healthcare has served as a wake-up call for everyone in the health care ecosystem. The attacker, known as “Blackcat” or “ALPHV” claimed to have stolen millions of sensitive records, including health and medical insurance data, which they threatened to release unless their demands were met. 

Records were also encrypted, which had the effect of locking out critical information that, due to the vertical and horizontal scope of the integrated ecosystem that was attacked, had a wide-ranging impact. Specifically, electronic pharmacy refills, insurance transactions, prescription processing, patient insurance verification, electronic payments and connectivity to claims network and software systems are all said to have been affected.

As former Global CEO of Aon Cyber Solutions I know that this type of attack is, unfortunately, common across all industries and it’s only getting worse. According to the FBI’s Internet Crime Report 2023, ransomware losses surged 74% over the previous year.

Why is this happening? As we continue to develop lower friction methods for doctors and patients to manage health care journeys, we need ever greater interconnectivity of systems. Patients now have access to their health care information and interact with their provider through their smartphone, manage their communications, prescriptions, and appointments all through apps.

On the back end, those apps make calls out to a multitude of interconnected systems and databases. The overall effect of this is that the more we take friction out of the system for patients by putting more at the patient and provider’s fingertips, the greater the attack surface. Think of each service that gets incorporated into supporting the patient, provider, carrier and pharmacy ecosystem as another entry to the health care house. The more windows and doors, the more entry points that need protecting.

There are myriad steps that providers can take to minimize the likelihood of an attack, or at least minimize the damage if one occurs. To start with a few simple ones: 

Educate your staff: Make sure your staff goes through an online education program so they can recognize phishing attacks or malicious links and attachments.

Backup, backup, backup: Maintain backups of critical patient records, billing information, etc. and store them apart from your main network or the cloud, such as a storage drive or a separate machine. Put a policy in place and assign someone to be responsible for this back-up occurring on a regular basis.

Do your updates: Click “yes” and grab a cup of your favorite beverage. If you perform your recommended updates right when they come out, they tend to be faster than if you wait. These updates often contain patches to known vulnerabilities.

Bring in the pros and get some insurance: There are now cybersecurity services for all sizes of business. Go on your smartphone while you’re waiting for your computer to finish the backlog of updates that you’ve ignored and search for cyber incident response services and cyber insurance. You can find zero-dollar retainers for digital forensic and incident response services and multiple cyber insurance providers. Many of these service providers provide diagnostic tools to help you gauge your vulnerability and state of preparation ow prepared you are if an attack occurs.

This is by no means an exhaustive list, but you need to start somewhere. You can then add additional protections such as multi-factor authentication, knowledge-based authentication and other account opening and account takeover tools.

It’s an amazing time we live in, where technology is greatly enhancing and improving patient care. The key is to start viewing cyber security as part of one’s continuing medical education.

Jason Hogg, MBA, is executive-in-residence at Great Hill Partners and former CEO of Aon Cyber Solutions.