In February 2024, Change Healthcare was the target of a massive ransomware attack that is now known as the most significant data breach in American history.
Thousands of healthcare providers across the country rely on Change Healthcare’s solutions and services, including the exchange of healthcare data and financial transactions between healthcare providers, insurers, and patients. The fallout from the attack led to months of outages for these organizations, and healthcare providers had to turn away patients and cancel appointments until they could recover their systems. Eventually, UnitedHealth Group, the parent company of Change Healthcare, was forced to pay the attackers a $22 million ransom to prevent patient data from leaking.
The Change Healthcare data breach demonstrated how much an indirect attack can impact an organization and the critical need for having the right cybersecurity protocols in place. Organizations both in and outside of healthcare rely on third-party vendors, opening new vulnerabilities that could have an immense impact on operations if not addressed. Luckily, every company can learn from the Change Healthcare attack and use those lessons to build more substantial and secure operations.
Carefully Assess Third-Party Vendors
Healthcare providers often rely on third-party vendors for various services, including patient-facing applications, telemedicine services, billing, and secure data processing. Smaller organizations, especially, would not be able to offer these services without the help of a third-party provider, which makes these vendors, like Change Healthcare, a necessity to get patients what they need and keep operations running.
However, despite their benefits, going into business with another entity always presents risks. Because these partners become integrated into systems, they also have access to sensitive patient data and the healthcare organization’s financial transactions. Giving another organization access to this data requires extra security measures.
This is not unique to healthcare—other industries that consumers rely on every day use third-party vendors for different services as well. This makes it imperative for organizations to evaluate potential third-party vendors and partners before engaging with them. An evaluation helps establish that third-party organizations can be trusted to keep sensitive data safe and can be relied on for continuous operations. Organizations should know that their vendor can be trusted with their data, that its services are reliable, and that it follows their industry’s regulatory requirements.
To ensure they cover their bases before entering an agreement with a partner vendor, organizations must take the appropriate steps to check that this third party has experience working in their industry and meets a security standard that aligns with theirs. These preemptive steps should also include auditing security practices, identifying vulnerabilities, and having proper measures and protocols in place for times of crisis. This type of business relationship should be viewed as a long-term, continuous effort to keep data and operations safe and secure from rising threats.
Keys to a Successful Security Audit
Security audits assess an organization’s cybersecurity strengths and weaknesses. Using this information, organizations can change security policies, address vulnerabilities, and decide whether to work with a third-party organization.
Businesses should have defined objectives when conducting a third-party audit. These goals focus the audit on specific areas of the organization, whether that’s critical business applications that handle sensitive information or security-related processes. The people performing the audit, whether staff members or external consultants, should be well-versed in the areas under review. They should review system activity logs and security documents and interview staff members before documenting all information gathered on systems, processes, and technical assessments.
The audit team should use the information to assess risk, identify vulnerabilities, and forecast the impact a potential cybersecurity attack could have. Once information gathering and assessments are complete, the team should identify problems and evaluate whether the third-party organization meets regulatory and security standards to a sufficient level and whether improvements should be made through solutions or new processes.
Business Continuity Plans Are Critical
No cybersecurity solution or vendor can guarantee that there will never be a breach, and no solution or environment is completely secure. This is why organizations should treat attacks as an eventuality. Having this mindset will help them prepare for the worst-case scenario and build the right plans to address a crisis swiftly.
Disaster recovery and business continuity plans help organizations be resilient and navigate tough waters. Every company should have a business continuity plan in place before a crisis occurs. This plan should be highly structured, approved by senior management, and prioritize critical operations during a crisis. Organizations should map out critical processes so they can sustain productivity during downtime and recover quickly. Can an organization schedule appointments, process transactions, or retrieve patient information? If not, what can they do instead to operate? Assessing the impact disruptions can have on service delivery will help determine how long business processes can continue without them.
It’s imperative for all employees involved to be on the same page, which means detailing and documenting workaround plans. They must know what to do and how their roles may change during a breach. During training sessions, organizations should run mock scenarios in which critical systems go down and have staff members practice what to do in accordance with their business continuity plan playbook. Then, organizations can improve and adjust their processes even further based on these mock scenarios.
Always Be Aware of Risk
The Change Healthcare attack fully displayed the lasting damage just one attack can do to an entire industry. There are longstanding consequences, including financial and reputational damage. Not only did this attack immediately impact productivity and the organization’s bottom line, but it also made the brand name synonymous with data breaches, even today. Any organization, large or small, could be the next Change Healthcare and be impacted by a severe attack.
But organizations, including healthcare providers, are not on an island fighting off cyberthreats. There is a community within the industry to help each other learn from past challenges, communicate trends and best practices, and prepare for the future. Collaboration and dialogue among industry peers toward a common goal and shared cause will help organizations of any industry stay safe. As cybersecurity threats continue to grow in tenacity and volume, it’s more important than ever for organizations to stay prepared and continuously work on cybersecurity standards.
Michael Gray has been a strong technology leader at Thrive over the past decade, contributing to consulting, network engineering, and managed services and product development groups while continually being promoted up the ladder. Michael has a degree in Business Administration from Northeastern University, and he also maintains multiple technical certifications, including Fortinet, SonicWall, Microsoft, ITIL, and Kaseya, and maintains his Certified Information Systems Security Professional (CISSP).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


