Cyberattacks often attack healthcare organizations, including businesses and vendors they associate with, primarily due to how lucrative they can be. One particularly nasty hack is just one of the many organizations which have been featured in headlines due to their inability to protect against security threats. Let’s explore this new situation with UnitedHealth Group and see if there is anything you can learn from it.
One of the major functions of medical organizations is that they need to communicate with insurance providers to obtain authorization and payment for various medical services. They might use intermediary businesses to handle this task, and as is the case with most healthcare-related companies, there are regulations in place to keep patient data safe throughout this process. Historically, there have been many challenges associated with this process.
Software has allowed these intermediaries to more effectively do their jobs, but digitizing any process inevitably puts it at risk of cyberattacks. The increasingly digitized world exemplifies this, as the greater level of cyberattacks in general has shown that even small businesses are at risk of potential breaches, let alone larger targets like hospitals and insurance providers.
As one of the aforementioned intermediaries, Change Healthcare processes 15 billion transactions per year between UnitedHealth Group and its affiliates. Naturally, this makes it a massive target. The ransomware group BlackCat/ALPHAV, known for targeting the healthcare industry, allegedly targeted Change Healthcare. The organization immediately took their systems down once the threat was detected, and as of this writing, their systems still in operation have passed cybersecurity firm evaluations.
Despite these efforts, however, six terabytes of Change Healthcare source codes and data about healthcare, insurance providers, and pharmacies were stolen.
The group has declined to comment further on the matter, as well as whether or not they paid the ransom, but the ransomware group insists that they were paid $22 million, citing an unknown blockchain transaction as evidence of their accusation. Whether or not it’s the truth, UHN stock fell by $30 billion in cap market value, making the consequences of this incident even more significant.
Throughout this, many doctors, hospitals, and pharmacies suffered billing challenges, and UnitedHealth Group has made many attempts to quickly address the problem with Change Healthcare. Even the United States Department of Health and Human Services has issued a recommendation that they adopt measures like waiving prior authorizations and accepting paper bills to help address these operational issues. It’s gotten so bad that many providers have been advised to go with a different clearinghouse if they are dealing with limited cash flow.
This service outage impacted a lot of healthcare organizations, but not in the same ways. Large organizations that had the ability to make difficult decisions on the fly had an easier time adjusting, whereas smaller companies that relied on the services had a more difficult experience. With fewer options and resources at their disposal, it’s no wonder small companies have a harder time keeping up.
At the heart of your organization’s efforts should be redundancy and continuity. If something doesn’t work the way it’s supposed to, then you’ll want to have a backup plan ready to go at a moment’s notice. This is not a problem exclusive to large businesses, and a limited budget is not an excuse to forego these critical components.
Ultimately, one of the most important things that your organization must maintain is interconnectivity and collaboration. If at any point there is an issue with this, your operations could be impacted—particularly for smaller businesses that don’t have as many failsafes. If you rely on an external provider, you should thoroughly vet them and their security measures to ensure they are up to the task of helping your business.
Similarly, businesses must take cybersecurity seriously, as failing to do so could lead to expensive issues that are not easily solved—even with deep pockets. Your cybersecurity department or outsourced IT team should be able to detect and prevent security breaches through preventative measures and proactive monitoring.
This philosophy is at the heart of the services we at Quercus IT offer. To learn more about what we can do to protect your organization, be sure to call us today at (780) 409-8180.