
The Big Story: ‘Nightmare’: Pharmacies, hospitals reel from Change Healthcare outage – Modern Healthcare

“In the wake of the attack, providers nationwide have been walking a fine line between their commitment to patient care and their financial needs. The outage crippled independent pharmacies, chain drugstores, hospitals, nursing homes and other providers…”

Three Lessons for the Next Attack

By David Jarrard and David Shifrin

4-minute read

BlackCat? Your patients will never know the mysterious hacker. And Change Healthcare? It’s just some distant, third-party utility connecting one underground healthcare pipe to another. UnitedHealth? Big. Faceless.

But you? Patients know you.

You are the face of healthcare. You – your healthcare organization, your caregivers, your buildings – are the immediate, physical, tangible embodiment of the U.S. healthcare system, for all its great good and terrible ills.

When bad things happen anywhere along the winding roads that lead to actual patient care, it’s you who often bear the emotional and political cost.

For many providers, the last few weeks have been costly. The February 21 cyberattack on Change Healthcare by ransomware hacker BlackCat continues to be a ‘nightmare’ for providers across the U.S., disrupting care and the funding for it.

The impact is massive. For good reason, the AHA calls it “the most significant and consequential incident of its kind against the U.S. health care system in history.”

“The outage crippled independent pharmacies, chain drugstores, hospitals, nursing homes and other providers,” says Modern Healthcare. “In the wake of the cyberattack, providers nationwide have been walking a fine line between their commitment to patient care and their financial needs.”

That’s the “fine line” tightrope that healthcare providers walk every day, the highwire act of balancing the cost of care and the quality delivery of it.

The attack spotlights how tenuous our healthcare system is and how vulnerable you – and the people who count on your care – are.

After all, BlackCat is only the latest hacker to target healthcare, not the last. A week before the Change Healthcare hack, the Associated Press reported that cyberattacks on healthcare had nearly doubled from 2022 to 2023. The headline: “Cyberattacks on Hospitals Are Likely to Increase, Putting Lives at Risk, Experts Warn.”

Lessons to learn? At least three things.

Healthcare is frighteningly fragile

It feels as if the entire healthcare house of cards can be toppled by a puff of clever code.

More than 100 million people were affected by healthcare breaches in 2023, up from 44 million the year before. The FBI warned in December that Russia-allied BlackCat and other hackers were targeting healthcare in general and hospitals especially.

Every healthcare organization should assume it will be a target of an attack, likely to be focused on its most mission-critical and consequential systems.

Case in point? Before the attack, Change Healthcare was handling 15 billion transactions a year with the capability to process 500 transactions per second. The AHA quotes the company as saying it “touches one in three patient records,” which comes out to around $1.5 trillion in claims.

It makes sense, says Angela Rivera, CISM, co-leader of the Chartis cyber practice and a board member of the Association for Executives in Healthcare Information Security.

“Bad actors are working a lot smarter. They’re going after companies that have touchpoints into many organizations. They’re asking, ‘Instead of hitting a small hospital, why don’t I hit a vendor and get into multiple hospitals?’ We saw this approach last year, and this time they got one of the biggest.”

If the supply chain collapse during the pandemic wasn’t lesson enough, this paralyzing attack on a lynchpin of our healthcare infrastructure “highlights the fragility of our health care system,” says The New York Times.

Be ready

When is the best time to be prepared? Well, yesterday, of course. But, what to do now?

“Whatever you planned to spend to improve cybersecurity, double it,” one health system CIO told the Times.

What else? Rivera says it’s time to drill. “If an organization isn’t testing incident response plans every six months or so, it’s very difficult to have an effective response when the time does come – especially on something this big,” she said.

Every six months. As with your other crisis protocols, stress test your plan, drill to it and build those operational reflexes so your leadership teams have muscle memory to call on when the attack comes.

You know the elements: You’ll need a crack IT team, of course, and a backup mirror of your IT system and data to speed your recovery and, just maybe, avoid the need for a ransom-funded key to unlock it. You’ll want to have identified and vetted legal and law enforcement numbers to dial.

Speaking of dialing, you’ll want an alternative system for communicating to every colleague, affiliate and your patients, too, if you can. Be prepared with an employee communications platform with a mobile app (Firstup is just one example) or another third-party system that can reach your key actors. A crisis Teams or Slack channel about which everyone knows? Regularly backed-up systems with ping-ready contact data.

It’s all the command-center, crisis planning work you already do, and that is table-stakes of being a provider – with a big twist. The digital systems on which you rely may be utterly unreliable just when you need them.

And consider this: If your system goes down, so might easy access to your well-wrought cyberattack crisis plan. Make sure to have it at the ready elsewhere.

This prep and defense is expensive and time-consuming. But compare that to the costs of lost patient care, lost patient revenue, internal chaos, reputational repair and the actual ransom itself.

It’s reported that Change paid $22 million in Bitcoin in ransom to its hackers. That’s a fraction of the cost of this incident to them.

See the opportunity in the crisis

You know this: Be the first to tell your story.

As with any good crisis response, be first to frame the message, assert your authority and communicate confidence, even if your first message is, “It happened and we’re on it.”

The rumors will fly fast, they won’t be positive and will grow to dominance in your silence. The adage is true: It’s often not the event that damages your reputation, it’s your response to it.

Even if you’re not directly impacted by the BlackCat attack, it may be on the minds of your colleagues and patients. “Your patients are watching the national news and wondering, ‘Is this happening to me, is it affecting me?’” Rivera said. Do your frontline colleagues know what to say?

Consider this opportunity as well: While the public reports deep trust for healthcare providers, they, the media and lawmakers are increasingly skeptical of your motivations. Nearly 70 percent say providers put profits over patients, an upward trend since 2022.

Modern Healthcare’s fine line that providers walk – between financial stability and patient care – is ever present, not just with providers but in the minds of your patients and others, too. The BlackCat attack may offer an unexpected opportunity to “talk the walk,” if you will.

Late last week UnitedHealth Group announced that Change Healthcare is expected to be fully back online this week. So, everything will be back to normal. What could go wrong?

---

For more practical, operational insight on how leadership teams can up their IT risk management, review Rivera’s three-part series on questions every CEO should ask their CISO. This series will help you identify what’s at risk, secure a continuous risk management program and ensure your organization’s resiliency.