
A New ‘Call to Action’ Strategic Plan to Improve Health Care Cybersecurity


On February 27, just 6 days after Change Healthcare experienced the most significant cyberattack on the health care system in US history, the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group (CWG) published the “Health Industry Cybersecurity Strategic Plan” (HIC-SP). The HIC-SP “is a call to action for organizations throughout the healthcare ecosystem to implement foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant healthcare industry trends over the next five years.”

“This [Change Healthcare] attack and many previous ransomware attacks on health systems and their supply chain can have and have had a direct impact on care delivery and patient safety,” said CWG Executive Director Greg Garcia.

The HIC-SP recognizes that cybersecurity for the health sector is a shared responsibility, including medical device manufacturers, pharmaceuticals, health care delivery organizations, health plans, payers, and government policymakers. The new plan also applies to third-party technology and service providers.

“Cybersecurity needs to be an enterprise risk management habit and investment line item. It needs to be recognized as a shared responsibility within organizations and with other stakeholders in our interconnected ecosystem,” Garcia said.

The HIC-SP was developed over 18 months by a large cross section of the CWG membership and government partners. It was structured to prepare for broad industry trends over the next 5 years with high-level cybersecurity goals. It is hoped that through a series of upgrades, the condition of health care cybersecurity will be upgraded from “critical” to “stable condition” by 2029, Garcia said.

The plan calls for a cyber safety net that promotes cyber equity among under-resourced health organizations across the ecosystem. The new plan is part of the second phase of this program, which is designed to develop a set of measurable outcomes and appropriate metrics for success. The CWG intends to release those measures by the end of 2024.

The CWG is composed of nearly 1000 individuals representing 450 industry and government organizations. Its members are collaborating to develop strategies that address emerging and ongoing cybersecurity challenges to the health sector. “While many organizations are investing in protective measures, many more either are not committing the resources or simply can’t protect against sophisticated surprise attacks,” Garcia said. “Others are not doing what they should. So, we are not staying ahead of the cyber adversaries, some of which are cyber gangs and some of which are nation states.”

Meanwhile, Change Healthcare, a subsidiary of UnitedHealth Group, “continues to make progress in mitigating the impact to consumers and care providers of the unprecedented cyberattack on the U.S. health system and the Change Healthcare services, while continuing to expand financial assistance to affected providers,” according to a March 18 press release.

UnitedHealth Group said it restored 99% of Change Healthcare’s pharmacy network services on March 7 and restored its electronic payments platform on March 15. “We continue to make significant progress in restoring the services impacted by this cyberattack,” UnitedHealth Group CEO Andrew Witty said in the release.

The cyber-takedown of Change Healthcare forced medical practices to go without revenue for many days, prompting the American Medical Association (AMA) to ask US Department of Health and Human Services (HHS) Secretary Xavier Becerra for help. The AMA sent a letter to Secretary Becerra outlining physicians’ ongoing concerns about the cybersecurity incident, which has caused unprecedented disruptions that have severely hampered physicians’ ability to care for patients.

“This massive breach and its wide-ranging repercussions have hit physician practices across the country, risking patients’ access to their doctors and straining viability of medical practices themselves,” AMA President Jesse M. Ehrenfeld, MD, MPH, said in a press release. “Against the backdrop of persistent Medicare cuts, rising practice costs and spiraling regulatory burdens, this unparalleled cyberattack and disruption threatens the viability of many practices, particularly small practices and those in rural and underserved areas. This is an immense crisis demanding immediate attention.”

Change Healthcare’s downed systems hampered health care providers’ ability to verify patients’ health insurance coverage and process claims. The outage also stopped exchanges with many payers and prevented clinicians from sharing clinical records with other providers. The staggering loss of revenue may mean that some hospitals and health systems are unable to pay salaries for clinicians and other members of the care team in a timely manner.

On its website, Change Healthcare acknowledged it experienced a cybersecurity issue perpetrated by a cybercrime actor that has represented itself as ALPHV/Blackcat. Change Healthcare said its experts are working closely with law enforcement and leading third-party consultants, such as Mandiant and Palo Alto Networks. This past December, the US Justice Department announced a disruption campaign against the Blackcat ransomware group. The group had targeted the computer networks of more than 1000 victims and caused harm around the world since its inception, including to networks that support US critical infrastructure.

Over the past 2 years, ALPHV/Blackcat had emerged as the second-most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world, according to the Justice Department.


