The Aftermath Of Change: Two Experts On How Healthcare Organizations Can Prevent The Next Cyberattack

In February, a massive cyberattack at UnitedHealth-owned Change Healthcare shut down many of the financial operations of healthcare organizations.

The industry is still recovering. Providers have had difficulty receiving payments, verifying coverage and sending prior authorization requests. The CMS has released guidance on payment flexibilities to provide assistance to providers affected by the Change outage.

The attack impacted Change’s claims clearinghouses as well as its pharmacy network. In a recent earnings call, UnitedHealth executives said that, although most of Change’s operations have been resumed, the company shouldn’t expect to get back to “expected service levels” until 2025.

Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.  

This interview has been edited for clarity and length.

HEALTHCARE DIVE: A survey by the American Hospital Association found that 94% of respondents were financially impacted by the Change attack. Why were so many providers impacted by this breach?

PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.

It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.

CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.

What impact will the increasing use of artificial intelligence have on the ability to predict and stop cyber threats in healthcare?

PETERSON: AI is not a magic bullet. We’re not going to go that far. But I think one of the biggest advantages of AI will be the ability to automate some mundane tasks to ensure that the basic blocking and tackling are done. You’re doing everything to proactively identify different issues within your system. Once you know that attack path, utilizing something like AI to re-create that attack path to see if you’re still vulnerable.

MORRIS: AI will be enabling and disruptive. It will help you get your organization’s data more approachable so that you can use it to make better decisions.

There’s a lot of risk in using AI that way. And there’s a lot of risk in building your own large language models to run yourself. And we see clients using AI in both ways and spend a lot of time advising them on how to address risks, no matter which way they’re embracing the AI paradigm.

What are some steps healthcare providers should take to protect themselves following this type of massive cyberattack?

PETERSON: Do basic blocking and tackling, whether it’s account management, multifactor authentication and identifying potential vulnerabilities. Know your attack points and identify what areas in your environment are essentially like Swiss cheese inside. So it’s doing the due diligence to know what you have, what you’re susceptible to, then prioritizing how to correct or at least mitigate a lot of those issues to make yourself less susceptible. It’s basic risk management.

Have that incident response plan not only created but tested. It goes beyond just what do I do while it’s happening or how to identify something; it’s do I have the backup systems or contingency plans in place, whether that’s, unfortunately, going all the way back to paper documentation.

And ensure that your staff is trained, whether it’s from a technical point of view, how they are protecting data, what to click on, what not to click on from a phishing point of view.

MORRIS: This is where this idea of proactive security becomes really important. When something bad happens, are you ready? Not if something bad happens, are you ready? We spend a lot of time advising our clients on those scenarios so they can be better informed on how to be resilient and recover from them.

And how does proactive security apply to healthcare in particular?

PETERSON: I think it’s even more important with healthcare because, unfortunately, in general, the security focus is not as high as far as a budget point of view. You need to be proactive with your overall basic fundamentals of security, and ingrain that into how you do business and make it just a part of your day-to-day activities. And you create that “proactive” [strategy] just by making it the way you conduct business.