In response to the 2024 major cyberattack on Change Healthcare, healthcare industry leaders are forming a united front to pinpoint and avert similar high-risk, destructive cyber threats. The Health Sector Coordinating Council Cybersecurity Working Group, a significant public-private partnership incorporating numerous entities like hospitals and health systems, has embarked on identifying potential industry choke points that could be exploited by hackers. This endeavor aims to avert significant disruptions in healthcare organizations.
The primary objective is to evaluate potential cyber threats: Who is responsible for countering these threats, and what is the relative risk posed to our workflow by these service providers? Factors taken into consideration include whether the service has low levels of redundancy, or whether the company providing the service is based in a country that could be potentially hostile to the United States.
The Change Healthcare incident in 2024 was a massive ransomware attack that considerably delayed claims and prescription processing throughout the country. Notably, this less-known company processed one-third of all healthcare transactions. The cyberattack exposed the healthcare data of an approximate 190 million Americans, demonstrating the critical need for robust cybersecurity measures.
The working group is meticulously mapping out vital functions across the industry such as pharmacy operations, payments, medical imaging, blood supply, and distribution, aiming to recognize areas where concentrated risks exist among third-party vendors. A proactive approach of formulating back-up plans, system redundancies, and incident response capabilities is priority.
Moreover, the working group aims to prevent attacks against vendors identified as risky. For instance, group purchasing organizations might mandate minimum cybersecurity standards for companies seeking to sell to hospitals and healthcare organizations. By leveraging economic incentives, the group is striving to spur third-party providers towards enhanced cybersecurity measures.
The group intends to release the mapped data to council members by summer. Although specific at-risk companies will not be named, the report will enable health systems to independently research their vendors and identify potential bottlenecks. The government could then conduct its own assessment of service providers, and take requisite measures to ensure minimum security and resilience levels for crucial supporting infrastructure.
It is essential to remember that a large market share doesn’t necessitate a poor cybersecurity position and vulnerability doesn’t equate to negligence but indicates the possibility of vulnerability and a potential failure point.