On February 21, 2024, Change Healthcare, one of the main pharmacy claims processors in the US, detected a cybersecurity incident and took its systems offline, causing disruptions to pharmacies and medical providers across the nation. UnitedHealth Group, its owner, immediately acknowledged this incident in an 8-K filing to the SEC on Feb. 21. The healthcare ecosystem of payers, providers, and processors continues to face an unrelenting wave of cyberthreats that result in diminished care experiences for patients.
Change Healthcare is a subsidiary of UnitedHealth Group. At present, other UnitedHealth Group systems appear to be unaffected. UnitedHealth Group released a statement attributing the attack to a “suspected” nation-state entity, but other than that, details are light. The exact nature of the attack is still under investigation.
The outage is causing numerous disruptions, which include:
- Delayed prescription processing. Some pharmacies reported issues filling prescriptions due to Change Healthcare’s role in claims processing. Reports indicate that pharmacies on military installations are reducing access to prescriptions for military personnel and their families. This is yet another example of how private sector companies hit with cyberattacks affect critical functions for civilians and government organizations.
- Disrupted healthcare operations. Providers relying on Change Healthcare’s services might face delays in communication and access to patient data. As mentioned above, the primary outage appears to be in claims processing, leaving pharmacies unclear as to whether a prescription is covered and what the reimbursement amounts from insurers may be.
- A potential data breach. The full scope of compromised data is unknown, but patient confidentiality could be at risk. Given that most ransomware breaches in recent years included data exfiltration along with encryption, it’s best to assume that patient data was also compromised as a result of the adversary activity, but the investigation is ongoing.
The Prescription: Prepare For Disaster Before It Strikes
- Test your business resilience and continuity. The scourge of cyberthreats that continue to impact customers puts renewed emphasis on continuity of operations and testing resilience processes. Whether B2B or B2C, testing your firm’s ability to fail over to manual and paper-based systems is still a necessity, even in 2024. And don’t forget that you also need to test data reconciliation after you recover, as many customer services still won’t be fully available until you have all the customer data back in your systems.
- Business disruption is business disruption, regardless of the method. Regardless of whether this was caused by a ransomware attack, many of the aftereffects will parallel those of ransomware disruption. Leverage some of the same techniques for ransomware defense and response in your own organization, such as implementing strong passwords and multifactor authentication, as well as leveraging backup and recovery tools. Further, responses to attacks like these require strong coordination and awareness between security teams and infrastructure and operations to prepare, manage, and restore from backups.
- Consequences of third-party risk are not limited to cybersecurity. Consequences of a cyberattack on a third party don’t have to impact your cybersecurity to be painful. Change Healthcare’s decision to disconnect systems impacted over 100 applications and severely disrupted pharmacy operations nationwide. For the 67,000 US pharmacies at medical centers, retailers, and online providers, as well as military pharmacies relying on this health IT vendor, the impact of this event may have operational, financial, and reputational consequences. When evaluating the risks of doing business with a third-party entity, cybersecurity risk is just one piece of the process; the evaluation must also account for risks across multiple risk domains. Healthcare organizations especially need to refocus third-party risk management efforts on bolstering clinical care, not just compliance. When the dust settles from this incident, organizations that have prepared for the operational consequences of third-party cyberincidents, and not just the cyberincidents themselves, will fare best.
- This is a crisis: be ready for the next one. Regardless of how the incident started, the cascading fallout from the disruption is a very public crisis for all affected parties. In addition to technical tabletop exercises for ransomware and data exfiltration, executives and boards must run an immersive crisis simulation focused on prolonged service disruptions. This exercise must be led by your external counsel and your incident response service provider. It should involve media inquiries, customer calls and complaints, and regulatory notification. Preparing crisis communications for major business disruptions is critical and not limited to media statements and 8-K filings. Messaging related to a disruption must be provided to all customer-facing employees (e.g., call centers, retail locations, social media managers) with updates and recommendations for alternate methods to obtain needed products or services.
- Breach notification is an opportunity, when handled correctly. While there is no direct mention of this on the main pages of the Change Healthcare, Optum, or UnitedHealth Group websites, the timely 8-K filing links to an official status page about this incident that is being regularly updated with timestamps. How an organization communicates following a disruptive incident or breach sets the tone for response and rebuilding trust. This applies across public, customer-facing, and internal employee-facing communications. When personal data is affected, organizations will also need to comply with breach notification requirements to notify both regulators and individuals. Transparency and empathy, two of the seven levers of trust, must be cornerstones of these communication and notification efforts. Treating this critical part of response as an afterthought or a pure compliance checkbox will do more harm than good.
Connect With Us
Forrester clients, you can schedule an inquiry or guidance session with analysts to discuss your organization’s preparedness for cyberattacks, third-party incidents, and other disasters.