Change Healthcare Breach: Compliance and Cybersecurity Lessons Learned 

Facebook
Twitter
LinkedIn

By now, you’ve probably heard the news of the Change Healthcare Breach. And, while the impacts of this breach are far-reaching, it isn’t necessarily a shock—healthcare is the number one breached industry, with health records serving as some of the most valuable data on the dark web. 

But when you see a major breach like this hit the news, it should serve as a warning.  After all, healthcare delivery relies on technology. Even small organizations cannot operate during a ransomware attack or major tech outage. 

That’s why it’s key to learn from the Change Healthcare breach, because no healthcare organization is immune to the risks of a breach. By prioritizing both prevention and preparation, however, you can avoid the headlines—and patient impacts—exemplified by Change Healthcare in recent weeks. 

Ready to learn more about what happened and how you can avoid a similar scenario at your organization? Let’s dive in. 

What happened in the Change Healthcare Cybersecurity Incident?  

On Feb 21, Change Healthcare, part of health tech company Optum, which is owned by healthcare giant UnitedHealth Group, reported a “network interruption” due to cyberattack, with the company disconnecting systems to “prevent further impact.” 

Near-immediate consequences included pharmacies across the country being delayed or unable to process prescriptions, and some pharmacies were unable to process prescriptions through insurance for weeks. 

Various systems and services experienced weeks of downtime, causing domino effects as cash flow to providers across the country was impacted. Some small organizations were even forced to close their doors, like a care home in Pennsylvania which closed abruptly on March 1 after employees walked out due to not getting paid. 

On March 10, the Office for Civil Rights (OCR) announced an investigation into whether protected health information (PHI) was compromised in the cyberattack.  

The hackers behind the attack apparently received a $22 million payment, though Change Healthcare did not confirm payment of the ransom, the data has not been released, and it appears that the data may be subject to a secondary breach at this time. 

The entire story continues to develop, and you probably are keeping up with it not only in industry publications, but in the mainstream media as well. This was a big one, and the public is certainly showing a newfound interest in compliance. 

What does the Change Healthcare Breach Mean for Other Healthcare Organizations?  

Of course, most compliance officers see the news and want to ask… “What does this mean for me?” The impacts of the Change Healthcare breach will probably continue to develop over years, with the ability to truly change healthcare forever. But the lesson for your organization can be swift: now is the time to focus on compliance and cybersecurity. 

This breach has shown us just how fragile our healthcare organizations truly are.  

What we are all learning from this incident is that compliance is not just about preventing a breach—it is about responding and reacting to one. It’s not just about protecting privacy, but as Change Healthcare showed us, protecting access to care. 

As you learn from Change Healthcare and refocus your efforts on breach planning and prevention, it is critical to understand the threat of ransomware to your patient data and everyday operations. 

Healthcare and Cybersecurity 

Cybersecurity is a critical concern in the world of healthcare, and for good reason. Healthcare is the number one breached industry, with HHS reporting over 739 healthcare breaches in 2023—that’s nearly two healthcare data breaches occuring every single day of the year.  

Not only that, but 80% of those breaches in 2023 were due to hacking or IT Incidents like ransomware attacks. This is truly a crisis in the world of healthcare, as hackers realize the potential value of patient data held for ransom and learn to find openings through both tech vulnerabilities and social engineering tricks.  

Healthcare as an industry has not done well defending against cyber threats, as we see hacking incidents and the number of individuals impacted both rise every year.   

 Just aswe have seen in the case of the Change Healthcare breach, the impacts of a breach can be significant, long lasting, and far reaching. Imagine having your electronic systems down for even a week—no EHR, no ability to send bills or receive reimbursements, the backlog of paper orders, inability to transfer patient charts, and more. Just imagine how much time and money this could cost your organization. 

Industry wide, there are some safeguards in place like the HIPAA Security Rule, which will be updated soon, but we are certainly not keeping up with the hackers as threats change in response to each new protection we put in place. Today, the threat is primarily ransomware, often delivered through phishing attacks.  

Whether you are a compliance officer, a leader at a healthcare organization, or an IT professional in healthcare, it is critical to understand the value of the data you are protecting.  

Not only can a complete medical record be worth hundreds of dollars on the dark web (versus a social security number which may only be worth a few dollars), but that record can be used to steal someone’s identity and ruin someone financially.  

Plus, these ransomware attacks have the power to slow or even stop patient care. More than simply protecting data, cybersecurity truly has the power to protect patients. 

Should Small Hospitals Worry About Data Breaches?

Though small organizations may be tempted to look at the Change Healthcare breach and see something much larger than they would ever have to deal with, that doesn’t mean it’s time to relax.  

With two healthcare breaches occurring each day, the odds are simply not on your side when it comes to data breaches and cybersecurity attacks. In fact, there is mounting evidence that small and rural healthcare organizations are being targeted, even though the news is focused on larger breaches. 

In fact, there is an additional reason to be concerned about data breaches as a small hospital: cost. Data breaches are extremely expensive, between the lost revenue, costs of mitigation, consultant and lawyers’ fees, increased cyber insurance premiums, and even reputational costs as the news of a breach can impact patient choices. On some occasions, data breaches have even been the last straw for small organizations being forced to close their doors. 

Clearly, preventing and preparing for a data breach should be top-of-mind for compliance officers, IT directors, and leadership at healthcare organizations of all kinds, but perhaps most of all at smaller, vulnerable organizations. 

The Role of Compliance and Cybersecurity: Prevention and Preparation  

Ultimately, this is a moment of reckoning when it comes to compliance and cybersecurity. The stakes involved have never been clearer—and for compliance and IT alike, it is critical to capitalize on this moment to not only prevent but prepare for a cybersecurity incident that could potentially impact your data. 

Though they may initially sound like the same thing, prevention and preparation are two distinct but critical levels to breach planning.  

Prevention is the valuable foundation that helps you keep data breaches from happening at your organization.  

Preparation, on the other hand, is the process of truly considering what would happen if a major data breach did occur. What are the processes and procedures in the case of a data breach? How would the organization ensure continuity of care? 

While the HIPAA regulations and cybersecurity generally focus primarily on prevention of a cybersecurity breach, the Change Healthcare breach showcases the importance of not only preventing but preparing for a breach.  

Proper preparation ensures that systems are in place to continue business as usual in the face of a ransomware attack, hacking, or other breach event.  

Preventing a Data Breach at Your Organization 

Prevention is the foundation of your cybersecurity compliance, ensuring that the basic safeguards are in place to protect your organization from hacking. That’s why the absolute best place to start is with a Security Risk Analysis (SRA).  

Your SRA is required periodically under HIPAA and should be completed at least every other year, or when any major changes, like implementing a new EMR system, take place. The SRA forms a foundational roadmap to both HIPAA compliance and cybersecurity, assessing not only your technical safeguards, but even your physical environment for possible data risks.  

An SRA may be used to identify diverse organizational risks, from Wi-Fi network security to physical building security, training gaps to policy reviews. That’s why the SRA is the first step in breach prevention—because it outlines precisely the risks that must be addressed to shore up data security across the organization. 

Additional steps to prevent a data breach at your organization include technical safeguards like firewalls and vulnerability scans; sending security reminders to your team to refresh training; and even phishing simulations to test staff preparedness. Each of these steps come together to help prevent breaches from ever happening to your team. 

Beyond Prevention: How to Prepare for a Data Breach 

Once you’ve completed your SRA and other prevention steps, it’s time to begin preparing for a breach. We all like to think the breach won’t happen to us, but ultimately, we need to be prepared when it does. That’s why planning should be a top priority when it comes to compliance. 

Some of this work should already be outlined in the first level of breach preparation: policies and procedures. This is yet another reason why your policies should be more than a recitation of HIPAA regulations—they have a real opportunity to outline proper processes that should be followed in the event of a breach.  

Additionally, forming a compliance committee, with board-level involvement, is a good step toward preparing for a breach at your organization. This committee should include stakeholders from across the organization (think of those who would be involved in responding to a major data breach) because compliance should be an organization-wide effort. 

The best way to prepare for a data breach, though, is to test your breach response. You can do this through a tabletop exercise, or through our new Breach Preparedness Assessment from the consulting team here at HIPAAtrek. As with an SRA, having an outside evaluator is the best way to get a clear picture of where your organization stands, and the potential risks you are up against.  

In the Breach Preparedness Assessment, our consulting team facilitates an in-depth one-day meeting with critical stakeholders from across the organization. This team is presented with scenarios testing a range of security procedures, incident responses, and disaster planning, and assessed based on their responses. In the end, we provide an analysis of your preparedness for each scenario, as well as a roadmap for improvement.  

No matter how you choose to assess your breach preparedness, it is critical to use this tool to honestly examine the way your team would handle a breach, and to practically plan for the worst. By preparing in advance, you can help ensure a swift response in the event of a future breach. 

Learning from the Change Healthcare Breach 

As more details come out about the Change Healthcare data breach, and the OCR eventually completes its investigation, more and more compliance and cybersecurity lessons will no doubt come to light. Even less than two months after the initial breach, however, we have already seen impacts that will change healthcare forever.  

Never has the role of compliance in protecting patients been laid out so clearly, and this is a true moment of reckoning in both compliance and cybersecurity. Ultimately, this data breach is a learning opportunity, highlighting the importance of both preventing and preparing for a breach at every healthcare organization, large and small.  

If this breach has left you questioning your compliance program, or you’re just ready to finally feel confident in your compliance, book a demo now to learn how HIPAAtrek can help. 

Ready to finally feel confident in your HIPAA compliance?

See how HIPAAtrek can work for your organization.

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like

Double Extortion: What It Is, and How You Can Prevent It

If organizations refuse to pay their ransom, attackers are threatening to release the data publicly. This will of course include sensitive information and PHI. Before Double Extortion, we assumed that hackers could not actually access our data and were only with-holding it from victims to disrupt the ability to continue their work. Now we know they can extract this information and publish it online, breaching our patient’s security.

Read More »

Cybersecurity During COVID-19

Watch out for COVID-19 cyber scams Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek Bethany Baty, Digital Marketing Director, HIPAAtrek Margaret Scavotto, JD, CHC, President, MPA The Department

Read More »