The data breach that woke up the healthcare industry

The suspected ransomware attack on Change Healthcare proves there’s no room in healthcare for risk and vulnerability.

In the news

On February 21, Change Healthcare announced some of its applications were unavailable. Later that day, the company, recently purchased by UnitedHealth Group, described the issue as a “cybersecurity problem.”

Since then, it’s been a bumpy ride for Change and indeed for the US healthcare system. It is widely suspected (though unconfirmed by Change Healthcare itself) that the company was hit by Blackcat, the notorious ransomware gang, for $22 million. Additional information continues to come to light every day.

Change Healthcare’s business, as everybody in the industry (and now much of the general public) knows, has been described as “maintaining healthcare's pipelines—payments, requests for insurers to authorize care, and much more.” The company supports more than 14 billion clinical, financial and operational transactions each year; it plays a crucial behind-the-scenes role in keeping the US healthcare system running smoothly.

The attack has had far-ranging consequences for the sector. Prescriptions have gone unfilled; hospitals have gone unpaid. The US federal government has gotten involved, with Congress and the White House expressing concern and Medicare releasing emergency funds to plug payment holes.  

The Cognizant take

The overwhelming sentiment in the sector is sympathy for Change Healthcare, says Patricia Hunter-Dennehy, Senior Vice President in Cognizant’s Healthcare Provider/Payer Business Unit. “We feel for them, and we are doing everything we can to quickly help payers and providers resume processing of healthcare transactions.”

At the same time, it’s a wakeup call for the industry, she adds. “We’re advising our clients that the best way to reduce risk is to move to the cloud if they’re not there already and double down on cybersecurity.”

Pawan Kumar Gupta, who’s part of Cognizant’s healthcare cybersecurity team, says that while it’s unknown exactly how Blackcat first accessed Change Healthcare’s network, access control is a major issue in healthcare, where so many parties require access to one another’s data. “There’s so much third-party interaction going on,” he points out. “The first thing we tell clients is that you need to know who has access to your apps.”

Another recommendation is to implement a zero-trust architecture. “That’s a first principle in today’s environment,” Gupta says.

Since the breach occurred, clients that rely on Change Healthcare have been turning elsewhere for clearinghouse solutions. “Providers have been seeking alternatives so they can get transactions flowing again,” Hunter-Dennehy notes.

As the smoke clears and the industry regains its footing, Gupta believes that in addition to performing rigorous security self-assessments, providers and payers will consider options to reduce their risk, such as spreading transactions among multiple clearinghouses. “After all,” he says, “we know these bad actors aren’t going away; it’s up to us, and to the entire industry, to tighten up the security profile.”