The Change Healthcare cyberattack shows how health systems are extremely vulnerable to breaches involving their vendors.
Hospitals and health systems have suffered scores of cyberattacks from ransomware groups, but the Change Healthcare attack illustrates that the biggest threat to providers may come from breaches of their partners.
Change Healthcare processes business and pharmacy operations for a wide swath of the healthcare industry, which is why the attack has been so damaging. The vast majority of hospitals, doctors, and medical groups have endured at least some financial damage, due to delayed payments. Industry analysts say the Change Healthcare ransomware attack is the most damaging cyberattack to ever hit the healthcare industry.
Hospitals rely on hundreds of vendors and third parties for essential services.
John Riggi, the national adviser for cybersecurity and risk for the American Hospital Association, talked about the risks to hospitals from vendors during a hearing before the House Energy & Commerce Committee’s health subcommittee in April.
Reviewing the largest healthcare data breaches of 2023, Riggi said 95% were related to business associates and other non-hospital healthcare entities.
“Hospitals are not the primary source of cyber risk facing the healthcare sector,” Riggi said at the hearing.
Rick Pollack, president and CEO of the American Hospital Association, warned of the risks coming from attacks aimed at vendors during the Hospital + Healthcare Association of Pennsylvania Leadership Summit in April.
“It’s the people we give information to,” Pollack said. “Change is a perfect example of that.”
UnitedHealth Group, Change Healthcare’s parent company, says it will likely take months before the company determines how many individuals have been affected by the data breach. UnitedHealth said the number of people impacted “could cover a substantial portion of people in America.”
‘It is a big risk’
Hospitals face grave risks from breaches of vendors, both financially and in terms of patient safety.
Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, says the Change Healthcare cyberattack should serve as a wake-up call for hospitals and other providers about their risks from vendors.
“It is a big risk,” Steinhauer tells Chief Healthcare Executive®. “Part of an information security program for any business is evaluating the risk presented from your third parties.”
Even if the third-party vendor is a firm the size of Change Healthcare, Steinhauer says any healthcare company is vulnerable to a cyberattack.
“There is no such thing as a 100% secure system,” Steinhauer says. “Unfortunately, one of the schools of thought in security is: Assume breach.”
The risk is magnified for larger vendors that work with many systems.
“When you look at an organization like Change Healthcare, they are so interconnected with so many other agencies and businesses … the attack surface is huge,” Steinhauer says. “The number of records they hold, the number of systems they operate, and the number of third parties that they have to interact with. So at each of those junctures you have various risks, and responsibilities to protect against those risks.”
Dan Dodson, the CEO of Fortified Health Security, a cybersecurity firm, says ransomware groups have realized that attacking vendors offers access to many organizations, and enormous amounts of valuable health data. Attacking third parties can produce “a one-to-many impact,” he says.
“If I'm successful in penetrating a third party, I can hit multiple different health systems, potentially getting multiple different data elements from many different systems,” Dodson told Chief Healthcare Executive® in a February interview. “And so from the adversary’s perspective, it's attractive.”
Pose questions to vendors
Hospitals need to be asking vendors and partners about vulnerabilities before signing new contracts, and they should also be posing questions of the vendors they’re using on a daily basis, cybersecurity experts say.
Hospitals need to be “evaluating their vendors and their third-party partners for what their security posture is,” Steinhauer says.
Lee Kim, the senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society, said hospitals need to be closely examining their partnerships with vendors.
“I think each and every provider needs to map out its key vendors and exactly what services they provide,” Kim told Chief Healthcare Executive® in a recent interview.
As hospitals identify their critical vendors, they should be asking their partners about protections for private health data, including backup plans and contingencies if there’s a cyberattack or other disruption. Kim said she suspects many providers haven’t taken those deep dives into their relationships with their vendors.
During a Senate Finance Committee hearing on the Change Healthcare cyberattack this week, some lawmakers were astonished when UnitedHealth Group CEO Andrew Witty said that the ransomware group gained access to a server that didn’t require multi-factor authentication for users. Sen. Ron Wyden, D-Oregon, said, “This hack could have been stopped with cybersecurity 101.”
Steinhauer outlines some of the questions hospitals and other providers should be asking vendors, including how they comply with HIPAA regulations.
“How do you recover from a ransomware event? How do you protect our data? How do you provide availability of your system if it were to go down? Do you have a backup site that you could spin up and provide a service if your primary site was to go offline? There's lots of questions you can ask like that,” Steinhauer says.
Health systems and hospitals should also be having regular conversations with their vendors about their cybersecurity preparation and response. Providers should ask how they are responding to new threats and vulnerabilities.
“It isn't just a one-time thing,” Steinhauer says. “You have to constantly monitor your third party, and ask them the right questions to understand what they're doing to keep up with today's security threat environment.”
‘Infinitely more complicated’
Hospitals face other difficulties in their cybersecurity efforts with third parties. Scott MacLean, the board chair for the College of Healthcare Information Management Executives (CHIME) and chief information officer of MedStar Health, testified at the April House subcommittee hearing about some of those challenges.
MacLean said cybersecurity has become “infinitely more complicated with managing third-party risk.” Some vendors aren’t willing to sign HIPAA business associate agreements, and aren’t accepting sufficient liability for the vast amount of private health information they are processing, MacLean said.
Greg Garcia, executive director of the cybersecurity working group for the Healthcare Sector Coordinating Council, has called for more rigorous standards for vendors.
In 2022, more than half of the nation’s 707 health data breaches involved third-party service providers, Garcia told the Senate Homeland Security Committee in March.
Testifying about the implications of the Change Healthcare cyberattack before the House health subcommittee in April, Garcia said the government should hold vendors to higher standards of security in their technology if they are working with critical healthcare infrastructure.
“More than half of all data breaches on health systems are through business associates; many ransomware attacks similarly find their way into enterprise networks through third parties,” Garcia said. “Many medical devices continue to be delivered to the customer with security vulnerabilities, with uneven attention to the security imperative among device manufacturers.”
The federal government has discussed imposing financial penalties on hospitals and health systems that fail to meet cybersecurity standards. Hospitals have objected to the prospect of penalties for breaches, arguing that many breaches occur through their vendors rather than the hospitals themselves.
Riggi told lawmakers at the House hearing that the AHA supports voluntary cybersecurity standards, but said penalizing hospitals would be a mistake.
“To make meaningful progress in the war on cybercrime, Congress and the administration should focus on the entire healthcare sector, not just hospitals,” Riggi said.