News
Expert comment on US lawmakers’ criticism of Change Healthcare ransomware attack
April 2024 by Matt Aldridge, Principal Solutions Consultant at OpenText Security Solutions
After the US lawmakers’ criticism of UnitedHealth Group for their role in and response to a ransomware attack on its subsidiary Change Healthcare that crippled parts of the U.S. healthcare system. The Department of Health and Human Services announced an investigation into whether the payment processor and its parent company were in compliance with federal health data privacy laws.
Matt Aldridge, Principal Solutions Consultant, Opentext Cybersecurity says, " A nationwide disruption to the US’ largest healthcare infrastructure that processes 15 billion medical claims, raises serious concerns about the resilience of healthcare IT systems.
It has further demonstrated why cybersecurity has to be an immediate priority and a cornerstone of risk mitigation and prevention strategies for any business. Without it, businesses will not be able to survive the current climate of rapidly rising ransomware attacks.
As medical facilities’ services are essential and often cannot be disrupted without severe risk to patients, the industry is very much in the spotlight and therefore must put in place strong cyber resilience strategies to limit outages and keep continuity of patients care at the forefront.
In this case, there is a strong debate around whether consolidation in the healthcare industry is responsible for making such organisations vulnerable to breaches. This is not necessarily the case, as acquisitions can be done well and can provide a checkpoint for security process validation if done correctly, however, if they are done on too tight a budget or too tight a timescale, problems can be encountered as we see here. Two years is not a long time in terms of consolidation of a huge acquired asset such as Change Healthcare – it is likely that much progress was made during the interim period, but it is correct that these activities should be put in the spotlight.
When nations become totally dependent upon private healthcare, it is crucial that their underlying critical infrastructure is extremely highly regulated. Service providers, if left to their own devices, and subject only to commercial forces, may not make decisions in the best interests of patients and of independent healthcare providers who depend upon such infrastructure. As we have seen, this can have disastrous results for patient care.
In general, all organisations must securely back up and regularly verify their data, so systems can be quickly restored – and in healthcare this is paramount. Other best practices include implementing advanced cybersecurity technology and processes such as email filtering, anti-virus protection, and sensible password policies. Continuous monitoring of anomalies is also key in larger environments, to contain insider threats and to ensure that attackers have not bypassed primary defences. Security awareness training should also be implemented for staff from day one, ensuring they are vigilant in scrutinising the types of emails, messages and phone calls they receive.
It is incredibly important to adopt a multi-layered approach when it comes to a defence strategy. In fact, we found in our 2023 OpenText Cybersecurity Threat Report that doing so is core to cybersecurity and cyber resilience. Ultimately, the broader the coverage of processes, tools, and systems an organisation has in place to protect and recover data, the less likely an attack will succeed."
