What We Need to Learn from the Change Healthcare Cyberattack

Attacks on third-party vendors can disrupt the entire health care sector

February 29, 2024

During recent years, cyberattacks targeting health care organizations have become increasingly prevalent, highlighting the critical need for more resilient cybersecurity measures within the industry.

The cyberattack on Change Healthcare, a leading health care technology company, serves as the clearest reminder of the potential risks for all health care organizations—both large and small—at any time. We are still uncovering the details about what happened, but this incident is another reminder of an uncomfortable truth in emergency preparedness.

Cyberattacks in health care are becoming the norm, and it’s on all of us to prepare accordingly.

Background: Change Healthcare Cyberattack

Change Healthcare, a provider of health care technology solutions and services, experienced a cyberattack that compromised multiple health care applications and products that hospitals, pharmacies, and other health care organizations use daily.

The organization first became aware of the cybersecurity incident on February 21 and few details have been released about the cybersecurity issue, but it is believed to be the work of a foreign nation-state-associated cybersecurity threat actor. 

The incident has raised concerns about the cyber posture of health care organizations and underscored the importance of proactive cybersecurity measures.

6 takeaways from emergency preparedness

As emergency managers, we must process these incidents in real time and understand their potential toll on our organizations. Among the key takeaways thus far:

1. Importance of cyber resilience:  The Change Healthcare cyberattack highlights the importance of cyber resilience in safeguarding health care data and systems. Organizations must adopt a proactive approach to cybersecurity, including regular risk assessments, vulnerability management, and incident response planning.
2. Need for business continuity/disaster recovery plans:  The incident underscores the need for health care organizations to implement robust plans to protect against cyber threats and other threats that could potentially close the doors to a health care facility. This includes developing workarounds and downtime procedures to assist with minimizing the backlog of data that will need to be restored once operations return to normal.
3. Vulnerability of third-party entities:  The cyberattack on Change Healthcare shows the vulnerability of third-party vendors in the health care supply chain. Health care organizations must vet and monitor their vendors' cybersecurity practices to ensure the security of shared data and resources.
4. Importance of working with community partners:  Effective incident response and working with community partners including the FBI, CISA, HHS, and the American Hospital Association (AHA) is essential for mitigating the impact of cyberattacks and minimizing disruption to operations. Health care organizations should develop partnerships with these organizations as they could potentially lead to a quicker solution to your cybersecurity event.
5. Further employee training and awareness:  Human error remains a major factor in cybersecurity incidents. It is best that health care organizations invest in comprehensive employee training and awareness programs to educate staff about cybersecurity best practices, phishing awareness, and data handling procedures.
6. Communications and transparency:  Transparent communication is critical in the aftermath of a cyberattack. Health care organizations must notify the affected individuals, regulators, and other stakeholders about data breaches and take appropriate actions to mitigate harm, rebuild trust, and rebuild their reputation.

A call to action

The cyberattack on Change Healthcare serves as a call to action for the health care industry, showing the urgent need for strengthened cybersecurity measures and communications among all parties. By learning from this incident and implementing proactive cybersecurity strategies and business continuity plans, health care organizations can protect patient data, preserve trust, and ensure the continuity of critical health care services in an increasingly digital world. As we face more sophisticated threats, we all must prioritize cybersecurity as a fundamental aspect of patient care and organizational resilience.

For questions about health care cybersecurity, contact Jason Tomashunas, MS, CHEP, manager, emergency management. Members of the AHA also are encouraged to contact John Riggi, the AHA’s national advisor for cybersecurity and risk for more information.