On February 21, 2024 Change Healthcare, a technology platform used in practices across the nation to process medical claims, experienced a cyberattack that took their systems offline. The attack brought claims payments to a halt, and many hospitals and healthcare providers experienced cash flow problems as they scrambled to continue treating patients. Patient information was also leaked in the attack, compromising the privacy of millions of Americans and ramping up the urgency for stronger healthcare cybersecurity measures.

As of early May, the platform is back online, but the fallout from the outage is still affecting practices and patients. As healthcare leaders, technology specialists, and government committees look for ways to prevent similar issues in the future, the question remains: What can individual practices do at the ground level to protect their networks and keep patient data safe?

Let’s start by taking a quick look at how the attack occurred.

What Happened?

Change Healthcare was the victim of a social engineering attack, which is an attack targeted at individuals to gain access to a password or other sensitive information. Using compromised credentials, the group of attackers gained access through a remote portal that did not have multi-factor authentication (MFA) in place. Once inside, they transferred data out of the system and launched a ransomware attack that brought the platform to a halt. 

With the system down, providers did not have an accessible way to verify patient eligibility for claims, submit claims electronically, or receive claim payments. As a result, these providers faced serious financial disruptions that threatened the viability of their practices.

3 Takeaways for Healthcare Cybersecurity

Cybersecurity attacks like the one experienced by Change Healthcare are an increasingly present reality in today’s healthcare environment. As more data is stored and managed digitally, healthcare providers have become prime targets for threat actors.

Here’s what practices can do to improve security and reduce the risk of a data breach:

1. Take security protocols seriously.

The Change Healthcare outage happened because the company did not use multi-factor authentication (MFA). MFA, which is a standard security recommendation, simply means that users must have another identifier in addition to their password in order to log in. Failure to implement this security measure can have disastrous results, as we have seen.

Other security measures to consider include:

  • Privileged access management (PAM) – PAM removes administrative rights from standard user accounts and automates admin requests. This removes the danger of an attacker accessing your network through a privileged account.
  • Password managers – The majority of data breaches happen because of compromised credentials. A password manager locks down your accounts, enables safe access and credential sharing within the organization, and enforces adherence to password best practices.
  • Role-based permissions – Attaching access permissions to an individual’s role ensures that departing employees don’t retain access, either intentionally or by mistake.
  • Cyber insurance – Cyber insurance provides financial coverage for any losses that may occur as the result of a data breach. To qualify, you will need to meet the insurer’s security requirements which may include MFA, privileged access management, an incident response plan, access controls, and employee training

2. Pay attention to the security of your third-party providers.

Data security is of the utmost importance in the healthcare industry. If third-party providers don’t have sufficient security in place, they can compromise your information and put your patients’ privacy at risk. Before partnering with any external provider, ask them what steps they have taken to protect client data. Look for things like:

  • Business Associate Agreement (BAA) – A BAA is a legal contract that ensures any third-party providers have protections in place to meet HIPAA requirements.
  • HITRUST Certification – HITRUST certification is a security framework designed for the healthcare industry. It is designed to meet the requirements of the HITECH (Health Information Technology for Economic and Clinical Health) Act, and verifies that the organization is compliant with HIPAA security requirements.
  • Standard Security Protocols – Standard security measures like MFA, identity access management, and password management should always be in place for organizations handling sensitive information. Ask the provider what their security measures are and be sure they meet standard recommendations.

3. Train employees to recognize threats.

Essentially, the Change Healthcare outage was the result of a successful phishing attack. Phishing attacks and social engineering threats have become more sophisticated and can be difficult to detect. Employees need to know what they are looking for and how to avoid becoming a victim.

Here’s what to look for, according to the Cybersecurity & Infrastructure Security Agency (CISA):

  • Unsolicited phone calls or emails that ask for personal information
  • Requests for financial information or security credentials by email
  • Suspicious sender addresses that are not associated with the company the requester claims to be working for
  • Links that do not match the anchor text
  • Unsolicited requests to open an attachment or download a file

How HealthXL Keeps Your Data Safe

At HealthXL, we take healthcare cybersecurity seriously. Our platform is fully HIPAA-compliant, and we have received an A+ HIPAA rating from an external auditor for 6 consecutive years. We protect your data and that of your patients with: 

  • Annual third-party compliance audit and risk assessments
  • Monthly internal auditing and scanning
  • Controlled access and personnel screening
  • Annual HIPAA training for every employee
  • Business associate vetting and accountability including BAA agreements
  • Threat detection tools and response plan

We are dedicated to maintaining the trust of our clients by protecting the private medical data of the people we serve. With robust auditing and risk assessment structures in place, we follow all regulatory obligations regarding Protected Health Information (PHI) access.

Questions about our security measures or how we can serve your patients with CCM and RPM services? Schedule a call to start the conversation!