On February 21, 2024, the ransomware group Blackcat attacked Change Healthcare. This massive cyberattack disrupted healthcare operations and pharmacies nationwide. The hacking group stole six terabytes of data, including medical and insurance records and payment information.
UnitedHealthGroup, Change Healthcare’s parent company, disclosed the cybersecurity breach in a filing with the Securities and Exchange Commission. The filing revealed that upon detecting the threat, UnitedHealth promptly isolated and disconnected the affected systems.
The results of this attack? Doctors couldn’t check patient eligibility for treatment or electronically fill prescriptions. Insurers couldn’t reimburse providers — so health systems’ revenue cycles ground to a halt. Small or mid-sized medical practices reliant on reimbursements to keep their cash flows moving felt significantly squeezed.
Imagine not having enough money to cover operations. No patient visit reimbursements mean no money for payroll, medical supplies, or switching to a new platform. What’s worse, the patients suffer the most. Imagine running an oncology practice but lacking the funds needed to purchase the chemotherapy drugs your patients need. Imagine running a small neighborhood pharmacy and lacking the money to pay your pharmacists and technicians — or stock the medicines your clients depend on.
This wasn’t Blackcat’s first attack, either. In December, the U.S. Department of Justice issued a press release detailing the ransomware group’s criminal activities, which targeted organizations’ computer networks worldwide and caused hundreds of millions of dollars in damage.
If the healthcare system can’t find ways to defend itself against such attacks, many providers operating on razor-thin margins will be in trouble. Some may have to close their doors permanently. Cyberattacks have resulted in hospitals, clinics, and other healthcare organizations feeling a real financial strain, and it’s affecting patient care.
The Numbers Are Scary
In the wake of the Change Healthcare cyberattack, the American Hospital Association contacted hospitals nationwide for their insight into its far-reaching impact. Nearly 1,000 hospitals responded to the survey, which was live between March 9 and March 12, 2024. The results are stark:
- 94% of hospitals said they felt a financial impact from this one specific cyberattack.
- 82% reported issues with their cash flow.
- Nearly 60% said the impact on revenues hit or exceeded $1 million daily.
- Over 1 in 3 respondents said the attack impacted over half of their revenues.
- 44% anticipated the negative impact to last between two and four months.
- 74% said the attack interfered with patient care.
- 40% reported delays in obtaining approval from payers prior to treatment, among other delays in fulfilling health plan requirements.
While most hospitals were implementing workarounds, 67% reported challenges switching clearinghouses, 81% found only moderate success, and 11% reported zero success. A Kodiak Solutions report estimated the disruption delayed $6.3 billion in payments or reimbursements to hospitals.
Meanwhile, ransomware attacks have risen by over 260% since 2018. In December, the U.S. Department of Health & Human Services said over 100 million people were affected by cyberattacks in 2023, with the average breach affecting over 200,000 people.
A Wakeup Call for Healthcare Cybersecurity
The Change Healthcare cyberattack was just one of many attacks that happened recently. But its far-reaching reverberations show why health systems absolutely must prioritize:
- Planning for cyberattacks — they’re inevitable.
- Evaluating risks to finances and operations.
- Creating a robust backup plan.
Risk Analysis and Redundancy Are Key
Healthcare systems are increasingly reliant on third-party vendors for critical services. But outages within those vendors’ systems can significantly impact operations and finances. Here’s what healthcare systems can do to reduce their risk.
Conduct a thorough risk analysis to:
- Identify where patient data is stored within your systems and third-party platforms.
- Assess potential threats and vulnerabilities in your own systems as well as those of your vendors.
- Evaluate the controls already in place to safeguard data and prevent intrusions.
- Determine the likelihood of an attack on your (or your vendor’s) systems.
- Analyze the potential financial and operational impact of an outage on your organization.
Then, evaluate third-party cybersecurity protocols. Don’t just rely on your own security measures. Assess your vendors’ cybersecurity protocols. Identify weaknesses that could increase your risk. Develop mitigation strategies based on vendor risk. If you deem your vendor’s security practices insufficient, you can:
- Negotiate with the vendor to implement stronger security measures.
- Explore alternative vendors with more robust cybersecurity protocols.
- Develop a backup plan to bypass the vendor’s system in case of an attack or outage.
Diversify your vendor portfolio. Having multiple vendors for critical operations provides redundancy and reduces risk. The Change Healthcare outage disproportionately impacted smaller providers who relied solely on their platform, for example. Larger, geographically dispersed organizations working with multiple claims clearinghouses suffered far less financial strain.
The financial impact of a vendor outage underscores the importance of business continuity planning. Develop a plan to maintain operations and minimize financial losses in the event of a vendor outage.
Key Takeaways
The Change Healthcare cyberattack exposes a critical vulnerability in the American healthcare system, similar to the impact of the Dali hitting the Francis Scott Key Bridge in Baltimore. Change Healthcare acts as a central hub for a complex web of healthcare delivery and payment systems. The company manages a vast array of functions, including claims processing, data analysis, medical imaging, pharmacy benefits management, and revenue management.
The profit-driven nature of the U.S. healthcare system has led to a reliance on single points of failure like this company. The attack didn’t just cripple hospitals. It radiated out to network providers, pharmacies, and patients. The attackers strategically targeted this critical vulnerability to maximize their impact.
So, what about AI? Can it help mitigate future attacks? The short answer is probably not. While some might view it as a cure-all for cybersecurity woes, most cyber experts believe its true value lies in automating routine tasks and improving data analysis. AI can continuously scan healthcare systems for vulnerabilities, mimicking potential attack paths to identify weaknesses. This proactive approach strengthens defenses against cyber threats.
However, AI adoption poses its own c challenges. Organizations must carefully consider the risks involved in using AI for security purposes, such as introducing potential unconscious biases into algorithms or the vulnerabilities inherent in building large language models (LLMs) in-house. Security experts play a crucial role in advising healthcare providers on navigating these risks and maximizing the benefits of AI for their cybersecurity strategy.
Proactive security has become even more critical in healthcare compared ot other industries. Yet healthcare organizations often face budgetary constraints limiting their investment in cybersecurity — a fact that underscores the need for a proactive approach.
By prioritizing basic security fundamentals and integrating them into daily operations, healthcare providers can establish a strong cybersecurity foundation. This ingrained focus on security becomes the standard approach to doing business, fostering a proactive security culture.
Are you a commercial real estate investor looking for solutions to improve the cybersecurity posture of your healthcare business? We invite you to talk to the professionals at CREA United, an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more. Scott Kuperman of TeamLogicIT can recommend appropriate cybersecurity protocols to ensure your business is protected from attack.