Apr 8, 2024 - Health

Change Healthcare attack sheds light on industry's weak points

The expansive impact of the Change Healthcare cyberattack was a wake-up call for a health care system that's now racing to safeguard itself against another industry-rattling hack.

Why it matters: There's recently been increased focus on defending individual health care organizations against bad actors as the vulnerable sector increasingly finds itself under attack.

  • But the Change Healthcare hack that disrupted payments to providers for weeks revealed the industry's heavy reliance on just a few technology companies to keep day-to-day operations running.
  • That essentially creates what The Atlantic's Juliette Kayyem recently described as a "single point of failure" — and experts warn Change Healthcare likely isn't the only one.

What they're saying: "Change is the canary in the coal mine," said Nate Lesser, chief information security officer at Children's National Hospital.

  • "We need to find out where the others are or we're just going to collapse."

Between the lines: Experts who spoke with Axios say there are a number of companies that offer critical infrastructure to pockets of the health care industry, creating major vulnerabilities in the event of an attack.

  • Companies often create that kind of market share through mergers of smaller companies that later get acquired by bigger companies.
  • "There are some of these pieces of software that have just been consolidated over and over and over, and it turns out like 50,000 pharmacies, usually within hospitals, use the same piece of software," said Kyle Hanslovan, CEO of cybersecurity firm Huntress.
  • The way some of those products have been stitched together along the way, potentially pairing old and new technologies, could also introduce weaknesses that are difficult to completely engineer away, he said.

The Change Healthcare hack also showed how contracting practices within the industry even exposed health care providers who didn't have direct relationships with the company and initially didn't expect to be affected.

  • That was the case for Children's National, which discovered that some insurers it worked with have exclusive relationships with Change Healthcare and wouldn't allow for claims to be submitted through any other vendor.
  • These sorts of opaque agreements can make it hard for providers to know exactly where their data is being shared, said Shawntea Gordon, a member of the Medical Group Management Association's government affairs council.
  • "It made it very difficult for people to just say 'OK, let me bounce everything through somewhere else,'" Gordon said.

Some experts said the federal government quickly needs to do a sectorwide accounting to understand where health care's biggest systemic cyber risks are and address them — before hackers beat them to it.

  • The Change Healthcare attack "caught us all by surprise and shouldn't have," Lesser said.
  • He pointed to actions the government took in the aftermath of the 2007-08 financial crisis to designate some banks as "systemically important," making them subject to tougher oversight and standards because their failure would jeopardize the entire banking system.
  • If nothing else, the industry needs to take its own inventory to understand where catastrophic failure would be most damaging so health systems and smaller providers can better evaluate their risks and create appropriate backup plans, Hanslovan said.
  • "I think the word that I'm using most frequently is network resiliency," said Russ Thomas, the CEO of Availity, a clearinghouse that took on Change Healthcare clients after the attack. "A resilient network has very, very high information, security standards and protocols. But it assumes that is going to get attacked at some point, and so you have redundancy and [disaster recovery] plans."

What to watch: While Congress is still mulling a response to the Change Healthcare attack, among the ideas offered so far is legislation from Sen. Mark Warner (D-Va.) that would require providers and vendors to meet minimum security standards to qualify for accelerated payments in the event of a cyberattack.

  • This attack has made clear that, particularly with payment clearinghouses, clear backup plans need to be designed into the system in case of future attacks, said Terry Cunningham, an American Hospital Association expert on claims processing.
  • "What we should take from this is: 'What do we do moving forward so that this can't happen again?'"