Congress must understand that there’s no patient safety without strong cybersecurity 

Congress must fund healthcare cybersecurity

The Change Healthcare ransomware attack, and its indelible impact on healthcare delivery organizations across the U.S., has pushed into its third week, spotlighting the fragility of the U.S. healthcare ecosystem that its stakeholders have long warned about.

The hack has been attributed to the ransomware group known as ALPHV or BlackCat, which reportedly claims Change Health paid the attackers a $22 million ransom to recover data stolen during the breach. The transaction has not been confirmed by Change Health officials.

As it stands, many of the Change Health systems remain offline, and officials say that the downed systems should be up and running by March 15. The company has offered temporary payment solutions to bridge the gaps, and the Centers for Medicaid and Medicare Services (CMS) have also offered support. However, the stopgap solutions aren’t enough to stymie the cashflow issues, nor will they cover all of the losses.

The latest estimates show the outage could cost Change Healthcare billions of dollars in lost revenue and clients, as provider organizations seek out alternative payment options to keep their organizations afloat. But it’s the providers, particularly small practices, rural groups, and others that typically operate on razor-thin margins, that are most at risk of losing their practices altogether.

Industry conversations paint a bleak picture, with providers considering taking out loans to pay their staff, while others have borrowed against their mortgages to make payroll.

The current fallout, while alarming, represents just the tip of the iceberg. It will take years to recover the losses, and many small clinics, hospitals, and providers will not recover at all without government support. The incident may have started as a cyberattack, but the Change Health outage has become so massive that it’s just a crisis, particularly a financial crisis that will continue into the near future.

In a March 10 letter, the Department of Health and Human Services (HHS) urged UnitedHealth Group, which owns Change Healthcare, to take immediate action to mitigate the attack's impacts, including improving communications, providing Medicaid agencies with a list of impacted entities, and other risk reduction actions that could reduce the dire consequences.

The exact repercussions of the attack on Change Healthcare remain unclear. What’s more, the incident is merely the latest in an ongoing onslaught of targeted attacks against the healthcare industry as a whole. Industry stakeholder groups are urging Congress to step in to help the organizations affected by these disruptions.

A series of unfortunate, predicted events

In healthcare, third-, fourth-, and nth-party risk represents just one layer of the visibility challenges facing its entities. Visibility into a vendor’s cyber practices has been an unsolved issue for many years, exacerbated by the rapid adoption of digital technologies, as well as mergers and acquisitions, outsourcing of business partners, and the push to bring care outside of the hospital.

The Biden administration includes healthcare among the 16 critical infrastructure sectors identified by the federal government. However, there are challenges unique to healthcare that require a different type of intervention, because an attack not only impacts supply chain and critical business operations, but also puts patient lives at risk. Take, for example, a small hospital that must close because of the Change Healthcare outage. It may be the only provider available within 100 miles of a community, and some patients may not have the means to travel that far. With critical illnesses such as strokes or heart attacks, a reduction in care quality can happen with every minute care gets delayed.

While the public and possibly Congress are just now understanding the unstable state of healthcare cybersecurity, the Change Healthcare outage amplified a systemic issue that has persisted since ransomware actors discovered the value of health data and just how easy it was to gain a foothold in health networks.

A similar cyberattack in 2022 against payroll vendor Kronos disrupted payroll for providers across the country, with employees not being paid while the systems were down. Some health systems were sued for nonpayment because of pay discrepancies caused by reliance on paper processes during the outage.

Emsisoft data shows 42 hospital systems were impacted by ransomware attacks in 2023. These attacks affected the victimized organization, and research confirms neighboring hospitals also see a reduction in care quality, an increase in patient volumes, and very long wait times.

With the recent takedowns of some of the major players in the "ransomware industry," remaining groups have vowed to take the gloves off and are now launching attacks on healthcare's critical infrastructure. In addition to the critical attack on Change Healthcare, this current generation of malicious actors has also stooped to a new low in healthcare attacks, opting to leak actual patient records.

Malwaretips reported last year that in a double extortion ransomware attack, the actors opted to leak cancer patient data and photos to blackmail the healthcare organization into submission. These ramped-up attacks are achieving success not by attacking the hospitals directly, but through their business associates and supply chain partners, primarily in what’s being called a “fourth-party” level attack.

The Change Health situation reminds us how technology can impact clinical and business operations. As Congress considers the federal budget and an $800 million request to help high-need hospitals cover the costs of implementing essential cyber practices, as well as another $500 million to help providers invest in advanced cyber tools, the public and healthcare leaders must continue to raise the alarm.

We can’t think of the Change Healthcare attack as an isolated incident. It’s actually an indictment of the tenuous state of healthcare cybersecurity and the need for federal support. The public, and especially Congress, must understand that now and into the future, good cybersecurity keeps patients safe.

Toby Gouker, chief security officer, First Health Advisory

The former Provost for the SANS Technology Institute, Toby Gouker brings a wide breadth of privacy and security expertise to First Health Advisory’s cyber health practice. Coupled with years of experience in the federal healthcare IT industry, his expertise sits at the nexus of cybersecurity, health policy, and healthcare risk management. With over 30 years of industry experience and 10 years in education, Gouker is both a scholar and practitioner, offering healthcare organizations guidance on business tools and techniques that help organizations protect IT and data assets.

LinkedIn: https://www.linkedin.com/in/toby-gouker-phd-chisl-gslc-cism-cpem-5285901/
