A Wake-Up Call for Cybersecurity in Healthcare

Look at the person to your left. Look at the person to your right. Now look in the mirror. One of you might have fallen victim to the ongoing Change Healthcare data breach.

Alternatively, you or one of your friends could have been affected by last week’s cyberattack on the Ascension health system. This attack has caused significant disruptions: Ascension, the fourth-largest healthcare provider in the U.S., had to divert ambulances and cancel procedures due to its inability to access patient records across its 140 hospitals in 19 states. Ascension has yet to provide a timeline for system restoration, and the attack remains under investigation. The Health Information Sharing and Analysis Center (Health-ISAC) issued an advisory noting that the Black Basta ransomware group has intensified its attacks on healthcare organizations.

These incidents highlight the critical need for discussions about your IT

• Do you believe they are too small to be targeted?
• Do you think fines are rare and unlikely to affect them?
• Do you prefer to take chances with your cybersecurity?

The Ripple Effect of Security Breaches

Change Healthcare, a healthcare payment processor owned by United Healthcare Group, faced significant consequences when its systems went down. United Healthcare’s CEO, Andrew Witty, revealed during a Senate hearing that the breach compromised information for up to one-third of the U.S. population.

The fallout was extensive. Payments to healthcare providers and pharmacies were delayed, and many were bound by exclusive agreements with Change Healthcare. A nursing home closed due to cash flow issues, and one client struggled to get his daughter's medicine approved at the pharmacy, with no assurance of reimbursement if he paid out of pocket.

Facing the Music

The CEO of Change Healthcare was called before the U.S. Senate to explain why they had not implemented multifactor authentication (MFA) for external systems, despite company policy requiring it. Witty admitted to paying a $22 million ransom and missed the HIPAA reporting deadline for notifying breach victims. The attack occurred on February 21, and by May, victims still had not been informed, violating HIPAA’s requirement for notification within 60 days. Some states have even shorter deadlines, such as New York and Florida with 30 days, and California with 15 days. Anticipate substantial fines and class-action lawsuits.

United Healthcare acquired Change Healthcare in 2022 and was still upgrading its systems when the attack happened in early 2024. Over 60 days later, some systems were still offline.

Expect Stricter Regulations and Cyber Insurance Requirements

In response to the Change Healthcare breach, new federal laws and regulations for healthcare providers, including small ones, are likely. The scope of both the Change Healthcare and Ascension breaches suggests that stricter federal and state regulations, tougher contract terms, and more stringent cyber insurance requirements are on the horizon.

Witty’s testimony indicated that the company’s cyber insurance application likely claimed compliance with MFA policies, which may lead to a denied claim for expenses, fines, and lawsuits. In hindsight, investors may regret not investing more in upgrading systems and cybersecurity.

New federal regulations are being developed that will require organizations to report incidents to the federal government within 72 hours and ransomware payments within 24 hours. Many states already have shorter reporting periods, and business-to-business contracts and cyber insurance policies are following suit.

Many medical practices would not survive an attack like this, not to mention the fines and lawsuits going forward.  Contact us today to schedule a FREE NETWORK ASSESSMENT to see how protect your practice is.  865 909 7606.  This is a call you can not afford not to make.