Where is Cyber Security for Healthcare?


Have you noticed that the latest cyberattacks are threatening the very existence of many smaller medical clinics and their doctors' ability to deliver care? The recent cyberattack that took offline the largest US billing and electronic payment system, operated by Change Healthcare (https://www.changehealthcare.com), a significant division of UnitedHealth Group, is only the latest example, but perhaps the best current one.

See:  https://redskyalliance.org/redshorts2023/15-healthcare-cyber-security

The attack has left hundreds, if not thousands, of providers all over the US without the ability to get insurance approval for services ranging from a drug prescription to a lifesaving operation, or to be paid for caring for patients, which has left them with piles of unpaid claims and almost no money in their bank accounts. The doctors and their teams feel like they are battling a considerable threat they cannot see or understand. It is keeping them from doing their most important work. Currently, there are no viable workarounds.[1]

This situation is forcing tough choices between closing their clinics or using their own money. Many pharmacies have been unable to give patients medicine due to insurance verification failures. Our modern healthcare system is deeply dependent on computers and data networks. At this point, due to the disruptions from this cyberattack, healthcare providers, in aggregate, are losing up to $1 billion a day.

Though the most significant health systems can likely survive this assault, Moody's Ratings warned, "even large providers with thin margins and weak liquidity are not immune and will eventually" struggle to keep their doors open.  UnitedHealth Group (parent of Change Healthcare) has already been named in at least six class action lawsuits. They are being accused of failing to protect millions of people's data from last month's hack of Change Healthcare.

If Change Healthcare could have remained operational in the face of its cyberattack, it might not have lost hundreds of thousands of customers to competitors. After the hack, a competitor named Availity (https://www.avality.com) set up a stripped-down claims-processing service that medical providers can use for six months at no cost. The company has set up around 300,000 new medical providers and has a backlog of at least 50 health systems waiting to start using the platform. Availity has processed over $5 billion in claims that could not be submitted through Change's systems.

Since the government cannot stop these cyberattacks and cannot deliver relief, we have to accept the fact that we are on our own to protect ourselves and recover from cyber failure. Culture changes because everyone has to take up a role-appropriate set of responsibilities to protect against and recover from cyber failure. This is not only the IT department's problem.

Despite the financial pain of the attacks and the harm to patients, including deaths, the head of the American Hospital Association (AHA) recently wrote a letter to the Senate Finance Committee saying that his trade group "cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime."  Hospitals and healthcare entities have invested enormous sums into cybersecurity, the AHA said in its letter.  They added that most attacks are carried out via third-party technology or other vendors, and because of that fact, it would be unfair to hold cash-strapped hospitals accountable.  It is doubtful the Federal Trade Commission (FTC), which enforces reasonable cybersecurity standards in the US markets, would side with the AHA.

What can all organizations do about this? Improve your cyber hygiene:

  • Restrict administrative privileges
  • Perform regular data backups
  • Require multi-factor authentication
  • Patch applications
  • Patch operating systems
  • Implement application control
  • Restrict Microsoft Office macros
  • Make user applications attack-resistant

Cyber-resilient organizations minimize the effects of cyberattacks. That means all of the effects described above: operational disruption, reduced revenue, lost customers, lawsuits, interactions with regulators, potential loss of life, and damaged reputation(s).

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings:

https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.secureworld.io/industry-news/prescription-cyber-resilience-healthcare
