The aftermath of Change: Two experts on how healthcare organizations can prevent the next cyberattack – Healthcare Dive


Providers should form a cyber strategy involving incident response plans, testing, multifactor authentication and automating tasks, according to managing directors at NetSPI.
In February, a massive cyberattack at UnitedHealth-owned Change Healthcare shut down many of the financial operations of healthcare organizations.
The industry is still recovering. Providers have had difficulty receiving payments, verifying coverage and sending prior authorization requests. The CMS has released guidance on payment flexibilities to provide assistance to providers affected by the Change outage.
The attack impacted Change’s claims clearinghouses as well as its pharmacy network. In a recent earnings call, UnitedHealth executives said that, although most of Change’s operations have been resumed, the company shouldn’t expect to get back to “expected service levels” until 2025.
Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.  
This interview has been edited for clarity and length.
PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.
It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.
CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.
PETERSON: AI is not a magic bullet. We’re not going to go that far. But I think one of the biggest advantages of AI will be the ability to automate some mundane tasks to ensure that the basic blocking and tackling are done. You’re doing everything to proactively identify different issues within your system. Once you know that attack path, utilizing something like AI to re-create that attack path to see if you’re still vulnerable.
MORRIS: AI will be enabling and disruptive. It will help you get your organization’s data more approachable so that you can use it to make better decisions.
There’s a lot of risk in using AI that way. And there’s a lot of risk in building your own large language models to run yourself. And we see clients using AI in both ways and spend a lot of time advising them on how to address risks, no matter which way they’re embracing the AI paradigm.
PETERSON: Do basic blocking and tackling, whether it’s account management, multifactor authentication and identifying potential vulnerabilities. Know your attack points and identify what areas in your environment are essentially like Swiss cheese inside. So it’s doing the due diligence to know what you have, what you’re susceptible to, then prioritizing how to correct or at least mitigate a lot of those issues to make yourself less susceptible. It’s basic risk management.
Have that incident response plan not only created but tested. It goes beyond just what do I do while it’s happening or how to identify something; it’s do I have the backup systems or contingency plans in place, whether that’s, unfortunately, going all the way back to paper documentation.
And ensure that your staff is trained, whether it’s from a technical point of view, how they are protecting data, what to click on, what not to click on from a phishing point of view.
MORRIS: This is where this idea of proactive security becomes really important. When something bad happens, are you ready? Not if something bad happens, are you ready? We spend a lot of time advising our clients on those scenarios so they can be better informed on how to be resilient and recover from them.
PETERSON: I think it’s even more important with healthcare because, unfortunately, in general, the security focus is not as high as far as a budget point of view. You need to be proactive with your overall basic fundamentals of security, and ingrain that into how you do business and make it just a part of your day-to-day activities. And you create that “proactive” [strategy] just by making it the way you conduct business.