The Change Healthcare breach represents a pivotal moment in healthcare cybersecurity, with its extensive effects felt across hospitals and health systems nationwide. Orchestrated by the BlackCat/ALPHV gang through a ransomware attack, this incident has inflicted financial strain on healthcare providers and hindered their capacity to deliver essential patient care.
The breach has highlighted the vulnerability of healthcare institutions to cyber threats and emphasized the critical importance of cybersecurity within healthcare operations. Additionally, this breach reinforces the critical role that vendors play in healthcare delivery and the consequences of third-party breaches.
Background on Change Healthcare and the Breach
Change Healthcare holds a pivotal role in the American healthcare system, acting as a key intermediary in the complex web of healthcare information exchange. The company’s technology platform facilitates a wide range of critical services, including the processing of claims and payments, the management of clinical data, and the provision of analytics to improve patient outcomes. As such, Change Healthcare is not just a vendor but an integral part of the healthcare infrastructure, connecting various stakeholders within the ecosystem, from providers to payers and patients.
In February 2024, Change Healthcare fell victim to a sophisticated cyberattack, identified as a ransomware attack carried out by the notorious BlackCat/ALPHV gang. The attackers managed to infiltrate and disrupt the company’s systems, leading to widespread service outages that lasted for more than a week. The immediate effects of this disruption were felt across the healthcare sector, with delays in claims processing, payment issues, and, most concerningly, impacts on patient care and access to services.
The aftermath of the attack has been marked by a scramble to restore services and assess the extent of the data compromise. Two months following the breach, the full scope of the data accessed and potentially exfiltrated by the attackers remains unclear.
The Change Healthcare breach had a profound impact across the healthcare landscape, affecting nearly all hospitals in the United States. An overwhelming 94% of these institutions reported significant financial repercussions, highlighting the breach’s extensive economic toll.
The disruption extended to patient care, with 74% of hospitals experiencing direct impacts. Critical delays in services, such as those involving prior authorization, obstructed patients’ access to necessary medical treatments. Beyond the immediate operational and financial strain on healthcare providers, the breach has stoked fears among millions of patients about the safety of their sensitive personal and medical information.
What is the Longer Term Impact of the Breach?
In the wake of the breach, the Department of Health and Human Services (HHS) has launched a comprehensive investigation into the incident to assess Change Healthcare’s adherence to HIPAA compliance standards. This investigation aims to understand the depth of the breach and whether adequate security measures were in place, serving as a critical examination of the practices that allowed such a significant breach to occur. The outcome of this investigation could have wide-reaching implications for Change Healthcare and the broader healthcare industry, potentially leading to increased regulatory scrutiny and the adoption of more stringent cybersecurity protocols.
Concurrently, a response from the legislative branch is shaping the future of how healthcare entities might recover from such cybersecurity incidents. A bill proposed in Congress, led by Senator Mark Warner, seeks to provide financial relief to hospitals impacted by cyberattacks through expedited payments if they meet certain key cybersecurity standards.
Further bolstering the federal response to cybersecurity in healthcare, President Biden’s 2025 proposed budget includes a significant allocation of $1.4 billion towards enhancing cybersecurity measures within the healthcare industry. This allocation is indicative of a strategic commitment to address the vulnerabilities exposed by incidents like the Change Healthcare breach.
The Change Healthcare Breach Reinforces the Importance of Vendor Risk Management in Healthcare
The modern healthcare system is increasingly dependent on third-party vendors for a broad spectrum of critical services, from electronic health records and billing systems to clinical support tools and data analytics platforms. This reliance is not merely a matter of convenience but a necessity for operational efficiency and patient care optimization. Vendors like Change Healthcare are not just external entities but essential components of healthcare infrastructure, knitting together providers, payers, and patients into a cohesive ecosystem. Their role is fundamental in facilitating healthcare delivery, enhancing patient outcomes, and ensuring the smooth operation of financial transactions within the healthcare landscape.
However, this integral reliance on third-party vendors also exposes healthcare institutions to heightened cybersecurity risks. Hospitals and healthcare providers are common targets for cybercriminals, largely due to the sensitive nature of the data they handle. Medical records, personal identification information, and financial details are all stored within the systems managed by these vendors, making them a treasure trove for attackers. The breach of a single vendor can have cascading effects across the entire healthcare network, affecting countless individuals and entities.
What Can Hospitals Do To More Effectively Manage Vendor Risk?
In response to the growing threats, there are several best practices hospitals can adopt to enhance their vendor risk management:
- Thoroughly vet vendors to evaluate their security measures, data privacy practices, and financial stability.
- Maintain a comprehensive inventory of vendors, categorizing them based on the criticality of their services and the potential risks they pose.
- Conduct regular risk assessments to identify and address vulnerabilities in the vendor’s products or services.
- Implement attack surface monitoring to identify adverse changes to a vendor’s security posture in real-time
- Ensure contracts clearly define the roles, responsibilities, and security expectations for both parties.
- Develop an incident response plan that includes specific protocols for managing security breaches involving third-party vendors.
- Establish escalation and remediation procedures to effectively address and mitigate the impacts of security incidents.
By integrating these practices into their cybersecurity strategy, healthcare providers can significantly enhance their resilience against cyber threats and minimize the impact of future breaches on their operations and patient care.
How ProcessBolt Can Help
ProcessBolt is a leading provider of third-party risk management software. We can help hospitals and other healthcare providers manage their risk so they can focus on caring for patients. Our solution leverages AI to help assess vendor security and attack surface intelligence. Complete the below form to learn more about how ProcessBolt can help you protect your hospital and patients from third-party vendor risk.
