Guide to a Proactive Healthcare Cybersecurity Stance
The following is a guest article by Troy Hawes, Managing Director at Moss Adams
The recent cybersecurity attack against Change Healthcare caused dramatic disruptions to one of the nation’s largest prescription processors.
On the morning of February 21, 2024, a ransom group, BlackCat, directed a cyberattack at Change Healthcare, owned by healthcare conglomerate UnitedHealth. The attack kept Change Healthcare’s systems down for three weeks, even prompting the Department of Health and Human Services (HHS) to deploy accelerated payments and loan programs for healthcare organizations affected by the attack, akin to the support deployed during the pandemic.
The attack sparked a long overdue conversation about how organizations in the healthcare industry are financially impacted by these attacks, what these attacks can look like, and how to be proactive against them.
The Cost of a Cybersecurity Breach
Cybersecurity at its core is a way to protect valuable data and personal identifiable information (PII), such as credit card information, social security numbers, tax records, and more. For a healthcare entity, the data and information are viewed as extremely valuable as it includes PII as well as other health information that can be used for insurance fraud and identity theft.
Consequently, the healthcare industry has a large target on their backs as the data housed by health organizations is extremely valuable for malicious actors. The data is also necessary in order to maintain services to patients, so when a cybercriminal uses ransomware and makes that data unavailable, healthcare entities struggle to provide necessary care for patients.
The cost of allowing a data breach to occur can cause an exponential financial impact on an organization. According to the 2023 Cost of a Data Breach Report from IBM and the Ponemon Institute, the average data breach cost a healthcare organization around $10 million. For a healthcare entity, this number could drastically change, depending on the impact of the attack. A large-scale cyberattack, like the Change Healthcare attack, could cost an organization 10 times more than average. Recent examples include Tenet Healthcare’s cyberattack in 2022, which reportedly cost them over $100 million, and CommonSpirit Health’s 2022 cyberattack that reportedly cost them $160 million.
While we won’t know the total financial impact of the Change Healthcare cyberattack for some time, we can assume that the $22 million ransom payment the healthcare organization apparently made will be a fraction of the financial hit they will take as a result of the attack.
Dissecting a Cyberattack
Unfortunately, malicious actors haven’t had much of a problem attaining access to healthcare systems. As of mid-March, 117 other healthcare organizations have experienced a cybersecurity breach in 2024, potentially affecting around 13 million patients, according to the HHS.
So, why is it easier for healthcare organizations to be breached?
Often, it’s due to the number of entry points into the organization that come from medical devices and other Internet-connected devices, use of outdated systems, a lack of cybersecurity education and awareness, and inadequate security budgets. Malicious actors take advantage of these weaknesses by cycling through different methods to retrieve valuable healthcare data, often using social engineering tactics to manipulate healthcare practitioners into divulging confidential or personal information they can use to break into systems.
With the introduction of artificial intelligence (AI) in cybersecurity, these attacks and tactics are becoming more sophisticated and difficult to mitigate. AI changes the way malicious actors target organizations, drastically shifting the cybersecurity landscape.
AI-powered tools allow attackers, for example, to not only generate phishing emails that more closely resemble real-world scenarios for healthcare workers to fall susceptible to, but the technology allows bad actors to do it more, at scale, better, and faster. As such, AI-generated attacks are harder to identify. Hackers also utilize AI to quickly collect and analyze the data and information they steal, making it easier for them to sort out the datasets and sell them on the black market or hold them for ransom.
Regrettably, AI-based cyberattacks pose a large threat to an already vulnerable healthcare industry. Organizations can, however, leverage AI to fight back.
Building a Proactive Cybersecurity Stance
Part of a renewed strategy to keep organizations protected is through proactive cybersecurity. Too often healthcare organizations use a more reactive cybersecurity stance – choosing to focus more on fixing a breach when it occurs rather than anticipating vulnerable systems and trying to prevent attacks.
Healthcare organizations can better protect themselves by shifting to a more proactive cybersecurity stance – centering efforts on identifying where the biggest weaknesses are, where a breach could occur, and proactively working towards strengthening those gaps. For a healthcare organization, those gaps typically lie within outdated systems and the number of network-connected devices.
To build a proactive stance, it is important for an organization to conduct risk assessments to know where its biggest weaknesses and holes could be. Cybersecurity risk assessments and analysis should be conducted at least annually and it should identify all assets that may process, store, or transmit sensitive data so that they can be secured.
Third-party security assessments and penetration testing can allow experienced security consultants to assess systems to find where potential holes in security exist and provide recommended remediation actions. Tools, such as extended detection and response, and similar solutions, collect and correlate data across all systems and provide proactive alerts and mitigation activities that are essential tools for a proactive response to threats.
Healthcare organizations can also employ their own AI-powered tools, such as predictive analytics, threat detection, and response systems to help proactively protect patient PII. These tools use AI algorithms to detect and identify potential threats before they emerge. As AI algorithms continue to improve over time, AI-powered tools will be able to leverage advanced machine learning techniques to mitigate emerging threats, perform real-time threat intelligence, and quickly respond to cyber threats.
Adopting a more proactive cybersecurity stance and modern mitigation tactics will help healthcare thwart attacks. As the healthcare industry awaits the fallout of the Change Healthcare breach, the ripple effects could be a catalyst for change, providing motivation for healthcare providers to arm themselves with more modern, robust threat protection systems and tactics.
About Troy Hawes
Troy is a managing director with the Cybersecurity Consulting practice at Moss Adams and has been providing IT consulting services since 2001. Troy serves clients in a variety of industries including communications and media, technology, health care, and higher education. He is adept at working with the specialty IT compliance and security needs of hospitals and providers, private businesses, government and tribal entities. Troy is a frequent speaker and highly published thought leader on IT compliance and cybersecurity topics.
Get Fresh Healthcare & IT Stories Delivered Daily
Join thousands of your healthcare & HealthIT peers who subscribe to our daily newsletter.