Change Healthcare Attack Sheds Light on Industry's Weak Points

Axios | By Tina Reed

The expansive impact of the Change Healthcare cyberattack was a wake-up call for a health care system that's now racing to safeguard itself against another industry-rattling hack.

Why it matters: There's recently been increased focused on defending individual health care organizations against bad actors as the vulnerable sector increasingly finds itself under attack.

But the Change Healthcare hack that disrupted payments to providers for weeks revealed the industry's heavy reliance on just a few technology companies to keep day-to-day operations running.
That essentially creates what The Atlantic's Juliette Kayyem recently described as a "single point of failure" — and experts warn Change Healthcare likely isn't the only one.

What they're saying: "Change is the canary in the coal mine," said Nate Lesser, chief information security officer at Children's National Hospital.

"We need to find out where the others are or we're just going to collapse."

Between the lines: Experts who spoke with Axios say there are a number of companies that offer critical infrastructure to pockets of the health care industry, creating major vulnerabilities in the event of an attack.

Companies often create that kind of market share through mergers of smaller companies that later get acquired by bigger companies.
"There are some of these pieces of software that have just been consolidated over and over and over, and it turns out like 50,000 pharmacies, usually within hospitals, use the same piece of software," said Kyle Hanslovan, CEO of cybersecurity firm Huntress.
The way some of those products have been stitched together along the way, potentially pairing old and new technologies, could also introduce weaknesses that are difficult to completely engineer away, he said.

The Change Healthcare hack also showed how contracting practices within the industry even exposed health care providers who didn't have direct relationships with the company and initially didn't expect to be affected.

That was the case for Children's National, which discovered that some insurers it worked with have exclusive relationships with Change Healthcare and wouldn't allow for claims to be submitted through any other vendor.
These sort of opaque agreements can make it hard for providers to know exactly where their data is being shared, said Shawntea Gordon, a member of the Medical Group Management Association's government affairs council.
"It made it very difficult for people to just say 'OK, let me bounce everything through somewhere else,'" Gordon said.

Some experts said the federal government quickly needs to do a sector wide accounting to understand where health care's biggest systemic cyber risks are and address them — before hackers beat them to it.

The Change Healthcare attack "caught us all by surprise and shouldn't have," Lesser said.
He pointed to actions the government took in the aftermath of the 2007-08 financial crisis to designate some banks as "systemically important," making them subject to tougher oversight and standards because their failure would jeopardize the entire banking system.
If nothing else, the industry needs to take its own inventory to understand where catastrophic failure would be most damaging so health systems and smaller providers can better evaluate their risks and create appropriate backup plans, Hanslovan said…

Read Full Article

Quick Links

Join Our Free Email List

Click here to join
Want to hear the latest news on the home care and hospice industries in Colorado and receive information on upcoming events? Please complete this form and you'll be added to our free email list. If you'd like information on membership, please call us at 303-848-2521 or email [email protected].

Upcoming Events

Wed May 15, 20242024 Annual Conference

Category: Annual Conference