
      Managing Healthcare Security As Cyber Attacks Intensify

      It seems almost yearly now that a major cyber attack on some part of the healthcare industry serves as a wake-up call to healthcare providers regarding their security and the importance of mitigating risks. In February of this year, a major healthcare technology provider was attacked and its data held for ransom by the cyber criminals. Sadly, it also seems almost yearly that, in the wake of even a major security incident, we will likely nod back to sleep until the next attack kicks us back into healthcare security high gear.

      Unfortunately, this recent attack has sent a tsunami through critical components of digital healthcare delivery, from billing, verification of insurance and payments to ePrescribing.

      The Change Healthcare Cyber Attack

      The Change Healthcare attack of 2024 sent shockwaves through the healthcare industry, highlighting the vulnerability of sensitive patient data and the critical need for robust cybersecurity measures. As one of the largest healthcare technology companies in the United States, Change Healthcare serves a vast network of providers, payers, and pharmacies, making it clear that malicious actors seek to exploit weaknesses in digital infrastructure.

      The attack involved unauthorized access to a significant amount of sensitive data, including patient records, financial information, and administrative data. This breach not only jeopardizes the privacy and security of millions of individuals but also poses significant challenges for healthcare organizations that rely on Change Healthcare's services to keep their own operations running smoothly.

      More specifically, on February 21, 2024, Change notified customers of “enterprise-wide connectivity issues” which were impacting every level of its services, forcing it to disconnect over 100 systems. By the end of the day, it was referred to as a cybersecurity issue and had already begun impacting healthcare billing payment systems and pharmacies, which were unable to process patient prescriptions.

      By February 22, 2024, it was clear that Change Healthcare was hit by a ransomware attack. It’s estimated that they help process over 15 billion prescriptions a year. In addition to the significant impact on healthcare providers who were unable to process payments, even more patients were unable to get medically necessary and, in some cases, life-saving drugs.

      In response to the breach, UnitedHealth Group, the parent company of Change Healthcare, swiftly initiated a comprehensive, and costly, investigation to assess the extent of the damage and identify the vulnerabilities that allowed the attack to occur. Simultaneously, they collaborated closely with law enforcement agencies, cybersecurity experts, and affected stakeholders to mitigate the impact and prevent similar healthcare security incidents in the future.

      Despite these efforts, the impacts of this attack are still significant and costly. On March 29th, UnitedHealth Group confirmed that data was stolen in the attack and said they are determining how many individuals have been affected and the types of data involved.

      The Change Healthcare attack serves as a stark reminder of the persistent threats facing healthcare and the imperative for continuous vigilance and investment in healthcare security infrastructure.

      You may think cyber criminals only attack the big organizations, but that’s not true. Attacks can happen to a business of any size. For healthcare providers, it’s a reminder that healthcare security and reliability are a chain, only as strong as the security mechanisms of the most vulnerable link of that chain.

      Healthcare organizations and practices of all sizes need to implement proactive measures to ensure continuity of patient care and better protect patient data and trust.

      Does Your Practice Understand Healthcare Security Risks?

      As with any attack mitigation efforts, understanding the key vulnerabilities and strategies to mitigate them is the first step:

      1. Unauthorized Access

      • Risk: Unauthorized users gaining access to sensitive patient information or modifying records.
      • Mitigation: Implement measures such as multi-factor authentication and role-based access control to limit system access only to authorized personnel.

      2. Data Breaches

      • Risk: Patient data breaches can lead to compromised confidentiality and privacy, along with the risk of crippling fines and reputation loss.
      • Mitigation: Data security is vital. Encrypt data both at rest and in transit to prevent unauthorized access with, for example, fully HIPAA compliant email. Configure “ransomware resistant” backup to enable a quick recovery in the event of an attack. Regularly update security protocols and conduct vulnerability assessments to identify and address potential weaknesses. Employ Business Associate Agreements (BAA) with third party vendors and organizations to ensure their security measures are HIPAA compliant.

      3. Phishing Attacks

      • Risk: Phishing emails targeting healthcare staff to obtain login credentials or sensitive information. Phishing attacks have grown increasingly sophisticated over the past few years, with more than 90% of cyber attacks starting with a malicious email.
      • Mitigation: Educate employees about recognizing and avoiding phishing attempts through regular training sessions. Implement email filtering systems or secure HIPAA compliant email to detect and block suspicious emails before they even reach the inbox.

      4. Software Vulnerabilities

      • Risk: Exploitation of software vulnerabilities by malicious actors to gain access or disrupt operations. 
      • Mitigation: Keep software up to date with the latest patches and security updates. Conduct regular healthcare security audits and penetration testing to identify and address potential vulnerabilities proactively. 

      5. Insider Threats

      • Risk: Malicious actions or unintentional errors by authorized personnel resulting in data breaches or system compromises. Nearly 90% of data breaches are the result of human error or negligence.
      • Mitigation: HIPAA compliance requires the use of auditable user activity monitoring and logs to detect suspicious behavior. Enforce least privilege principles to limit access to sensitive data and functionalities based on job roles.

      6. Third-Party Risks

      • Risk: As noted above, your security is only as strong as the security of your partners. Healthcare security vulnerabilities in third-party components or services integrated with ePrescribing software present a potential risk.
      • Mitigation: Conduct thorough due diligence when selecting third-party vendors and regularly assess their security practices. Establish clear contractual agreements, BAAs, outlining healthcare security requirements and responsibilities.

      Healthcare Security Matters

      Further, the importance of contingency planning and response protocols must be underscored. In the event of a cyber attack, healthcare organizations must have comprehensive disaster recovery and attack mitigation plans in place to limit damage, minimize downtime, and ensure continuity of care and services.

      And, perhaps most importantly, the Change Healthcare cyberattack highlights the interconnected nature of digital healthcare systems. An attack on one component can have far-reaching consequences across an entire healthcare network, disrupting operations and compromising patient safety. Beyond HIPAA compliance, safeguarding patient data and maintaining the trust of patients and stakeholders is paramount and that means keeping all healthcare workflow software secure.

      There are a lot of measures you can take to ensure the safety and security of your dental practice’s IT infrastructure and the sensitive data contained within. While no measure is foolproof, implementing risk mitigation efforts is required not just by law, but through your commitment to your patients, your team, and your practice.

      It’s worth noting that healthcare providers who use iCoreRx, the ePrescribing software from endorsed partner iCoreConnect, were not impacted by the attack on Change Healthcare.

      The iCoreConnect team of experts is prepared to review, revise, and advise, to help you ensure HIPAA compliance and healthcare security are fortified in all business facets of your practice.

      If you’re ready to talk about how we can help you provide the level of security and care your patients need and deserve, reach out to our team or book a demo today.