The Change Healthcare cyberattack demonstrated not only the potential frailty of the healthcare sector, but also how a successful intrusion against the right entity in the healthcare ecosystem can ripple to thousands of healthcare delivery organizations.
The ransomware attack—reported on Feb. 21—against Change Healthcare, which is one of the largest hubs for healthcare payment processing and connectivity between providers and payers, took down critical reimbursement services for pharmacies, HDOs, and others in the industry.
The short-term impacts were clear: claims couldn’t be processed, eligibility couldn’t be determined, payments weren’t being made. Long-term impacts remain to be seen, but numerous systemic weaknesses in the healthcare industry bubbled to the surface and are bound to inspire a deeper look from regulators and the U.S. government.
In this episode of the Claroty Nexus podcast, Greg Garcia, the executive director of the Healthcare and Public Health Sector Coordinating Council’s Cybersecurity Working Group, joins to discuss the attack, in particular where the industry stands in terms of recovery, and what can be done from a policy perspective to minimize the impact of such attacks in the future.
Garcia, who was the first presidentially appointed Assistant Secretary for Cybersecurity at the Department of Homeland Security, hopes that the HSCC’s recently published five-year strategic plan will be the signpost for HDOs and others in the sector that will guide them to better security and patient care.
“So there's pretty strong consensus about how this is laid out and what is being asked of the industry,” Garcia said of the plan, which is structured by laying out key healthcare industry trends, a list of goals and objectives to strive for, and measurable outcomes.
“What has surprised me is how several organizations have already said, ‘Yep, we're doing it; we are already working on say goal No. 10.’ I've just talked with an organization who just said, ‘We are beginning to put that in place at a national scale.’ And that to me is music to my ears. It means they are taking it seriously,” Garcia said.
Garcia said the 10 goals in the plan are written in the present tense, as if it’s 2029—as an end state.
“It's a fairly elegant, not complicated, and certainly digestible strategic plan that can be applied at the micro level on an enterprise,” Garcia said. “And at the macro level, at a national scale.”
As for the attack and how well recovery efforts are going, Garcia points out that dusty business continuity plans were put to the test, in particular those around third-party risk management. He expects the Biden administration to prompt providers to think about new technology as being secure by design, while existing technology already in the wild should be secure by default.
“I think this administration is going to double down on its seriousness about the need for all the technology and software providers to sort of rethink secure-by-design and secure-by-default in everything they do,” he said. “It is hard to have a single software program that is going to interoperate cleanly and uniformly across all unique critical infrastructure applications. It's very difficult and we should never underestimate that.”
“But there does need to be a stronger culture of security,” Garcia said. “We have seen from this administration the imperative that we take this seriously, whether it's the security of internet of things devices in one of the executive orders or the National Cyber Strategy that came from the office of the national cyber director a couple of years ago, which really pushes on that notion that for users of technology, whether they're providers or pharmaceuticals, the burden of security should not be so heavily laid at their doorstep.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.