According to the U.S. Department of Health and Human Services, there has been a 93% increase in large breaches reported to the HHS Office for Civil Rights, with a 278% increase in large breaches involving ransomware on healthcare companies. Cyber incidents affecting hospitals and health systems have led to extended care disruptions, patient diversions to other facilities, and delayed medical procedures, all putting patient safety at risk.
The most recent example of such attacks involves Change Healthcare. The breach forced UnitedHealth Group, whose Optum subsidiary operates Change, to abruptly disconnect its systems. This brought claims processing to a halt nationwide for the providers, insurers and pharmacies that rely on its network.
Change, which routes claims between parties through payments and revenue cycle management systems, was the victim of an alleged cyberattack by ransomware group BlackCat, disrupting its network and forcing the company to halt payments processing for millions of pharmacies, hospitals, nursing homes and medical practices.
PAN’s Cybersecurity lead Ariel Novak and head of PAN Healthcare Dan Martin put the recent Change attack into wider context to understand how we got here and what brands can do to protect themselves.
What is driving cyberattacks we’re seeing today? Why do you think ransomware groups are targeting healthcare?
Ariel: There’s a big opportunity for ransomware groups in targeting healthcare companies. These organizations have a lot of sensitive patient data, which is attractive to cybercriminals.
Recent research found that on the dark web, medical records sell for twenty times more than credit card information ($60 on average for medical records, compared to $15 for a Social Security number and $3 for a credit card). Additionally, hospitals and health systems are often more apt than other industries to pay ransoms because they can’t afford to have systems down when patients’ lives are on the line.
In the case of Change Healthcare, we’re seeing hospitals and clinics cancel treatment because their claims can’t be processed, and they can’t get reimbursed for procedures. What do you think of this as a bigger risk issue emerging with care services (beyond a financial burden)?
Dan: Cybersecurity experts say ransomware attacks have increased substantially in recent years in the healthcare sector. Cyberattacks, like the one playing out with Change Healthcare, pose big financial ramifications to hospitals, health systems and specialty care facilities. The risk only compounds their challenging economic situation as they continue to rebound from the COVID pandemic and face increased labor costs as they try to counter labor shortages and staff burnout, inflation, and low reimbursements, to name a few. They result in extraordinary reductions in cash flow, threatening providers’ ability to make payroll and to acquire medical supplies.
Additionally, hospitals are unable to process claims and check insurance coverage for care. Without the ability to check for prior authorizations, major medical procedures could be put on hold if there is not enough cash flow to pay staff or acquire the needed supplies. While the financial impact on providers — as well as the loss of sensitive patient data — are critical issues, it is the disruption in care, including the impact on prescriptions, that causes the most immediate threat.
What can healthcare companies do to protect themselves against cyberattacks?
Ariel: The question of whether to pay a ransom is a difficult one, especially in healthcare, where organizations need their systems up and running to provide adequate patient care. Interestingly, law enforcement and cybersecurity experts caution not to pay ransoms since this can only further incentivize bad actors. On top of that, there is no guarantee that ransomware groups will provide access to systems once ransom is paid, or that they won’t ask for more ransom.
Healthcare companies should focus on defenses to prevent these attacks from happening in the first place. We are hearing a lot more chatter this year around security as it relates to protections beyond patient data, networks and the perimeter, as well as additional thoughts around how to further secure non-traditional healthcare assets through 2FA/MFA for points of entry — physical and otherwise.
Can we expect to see more cybersecurity activity in healthcare in part because of Change Healthcare? Perhaps greater investment in tech to protect transactions and patient data, etc?
Dan: The issue of cybersecurity and its importance to protecting patient data and privacy isn’t novel. Ever since the pace at which healthcare digitized and innovated using technology reached a frenzy — we point to the increased use of both AI and mobile connected devices — the issue of safeguarding the mountains of valuable information and data has been on every CIO, CTO, and CISO’s radar.
According to TechTarget, 2023 saw record-breaking data breaches, with more than 540 organizations and 112 million individuals implicated in such incidents. Additionally, the HHS’ Office for Civil Rights found a 278% spike in breaches involving ransomware between 2018 and 2022.
Healthcare organizations need to continue to advance strategies that help keep them ahead of increasingly complex and sophisticated attacks. VC funding will play a critical role in ensuring the technology outpaces the threats. Cybersecurity Ventures predicts the global healthcare cybersecurity market will reach $125 billion by 2025. Like the rest of the healthcare IT industry, which saw a slow funding year as a whole, the amount of venture capital allotted to cybersecurity vendors also declined in 2023. However, the number of rounds increased, suggesting that VCs aren’t so much souring on the industry as they are tightening investment levels to minimize potential losses. Furthermore, IDC expects global security spending to grow to nearly $300 billion by 2026.
The recent incident impacting Change has really put the safety and security of healthcare data front and center in the industry. Just this past week at HIMSS, for example, the breach put even greater emphasis on the topic of cybersecurity. We found brands to be a bit guarded when directly asked to discuss the attack on the show floor, but for the most part our team on the ground reported chatter throughout the conference and an overall feeling that executives are becoming more interested in cyber protection to help prevent future attacks.
I also suspect this will only intensify both from the standpoint of adoption and investment, as healthcare organizations may face increased regulatory pressure to help limit data breaches.
What are some of PAN’s clients saying about ransomware’s “breach” into healthcare? Specifically, what healthcare companies can do to protect themselves?
Ariel: I recently connected with one of our cybersecurity clients, Vercara, about the BlackCat attack on Change. The company’s Field CTO, Michael Smith, had this to share:
“Ransomware gangs historically avoided healthcare out of a sense of ethics. But that’s changed in the last year. Healthcare has been hit extremely hard because the industry has a very compelling need to get their systems back up – saving lives. Healthcare runs a lot of legacy equipment such as medical IoT and legacy applications that need older operating systems to support them. If those systems can’t run anti-malware software, then the network needs to provide protections through network segmentation, protective DNS, and very restrictive firewall rules.”
How are you seeing the market shift — if at all — in terms of cybersecurity becoming an even stronger vertical push among technology companies?
Dan: A wide array of both healthcare-specific security companies and large technology companies (take IBM, Cisco, etc.) have long addressed the problem of cybersecurity and have delivered solutions to protect patient data and privacy. So while that entry point may not necessarily be new, interestingly enough we are starting to see these larger technology companies emerge within the healthcare ecosystem.
For example, we saw many of these companies sponsoring and exhibiting at ViVE ‘24 as they make an even stronger vertical push into the market. I don’t doubt this investment is driven in large part by the increase of attacks within healthcare. It’s something I feel will only continue given the need and market opportunity.
We are also seeing traditional CISO titles merge with CMIOs (chief medical information officers) as this category continues to grow and incident rates increase, with patient safety and security at the heart of the challenge.
PAN has a robust set of experience in cybersecurity. What can healthcare brands learn from our PR and marketing work over the years?
Ariel: The cybersecurity space is evolving very quickly with attackers and cybersecurity companies in a constant game of cat and mouse. Our cybersecurity teams similarly move quickly to keep pace with the rapid shifts in the industry. We gather real-time data to stay on top of trending news cycles. This approach fuels a strong rapid-response engine where we can react to these trends (i.e., breaking news of attacks) to offer insightful commentary to educate the market.
Our approach to monitoring and reacting to the cybersecurity landscape to tell meaningful and data-driven stories can be applied across industries. Check out PAN’s CyberPulse Dashboard to learn more about our approach to monitoring the cybersecurity industry conversation to ensure our clients’ brand stories make a real impact.
Learn more about PAN’s cybersecurity experience as part of the agency’s B2B tech practice.
Read more about PAN healthcare and download our latest HealthPulse: The Conversations that Moved 2023.