April 23, 2024

Change Healthcare Cyber Attack: Cybersecurity Lessons Learned

Cyber

5 min read

Allen Blount, National Cyber & Technology Product Leader

Change Healthcare Cyber Attack: Cybersecurity Challenges and Lessons

Change Healthcare's recent cyber attack sparked a crucial discussion on cybersecurity, business continuity, and contingent liability insurance within the healthcare sector. Cyber attacks in healthcare have been increasing in severity, with far-reaching consequences for businesses, physicians, and insurers alike. Here are key observations and tips for protecting your organization.

Analyze the broad impacts of the Change Healthcare cyber attack

The Change Healthcare attack did more than compromise patient data. This breach halted operations and affected multiple sectors. It disrupted billing for physicians and pharmacies, threatening their financial stability. Three takeaways:

The event highlighted the interconnected nature of our digital world, showing how finance, technology, and retail sectors are vulnerable, too. All organizations can gain insights from studying this cyber attack.
The situation demonstrated how third-party vendors can pose unintentional cyber risks. It’s worth taking a second look at your vendor cybersecurity. Could you benefit from additional technical and contractual safeguards?
The Change Healthcare situation underscores the importance of strong business continuity planning (BCP). A swift, decisive response to a cyber attack helps protect sensitive information, preserve customer trust, and maintain organizational resilience against catastrophic outcomes.

Assess vendor management and oversight

Effective vendor management involves assessing and mitigating risks throughout the vendor lifecycle, from selection and onboarding to continuous monitoring and management. Businesses need to:

Conduct thorough due diligence and risk assessments before engaging with any vendor to understand their cybersecurity posture and risk exposure.
Include specific cybersecurity requirements and obligations in vendor contracts. Ensure clear definitions of roles and responsibilities in the event of a data breach or cyber incident.
Implement continuous monitoring of vendor security practices. Evaluate compliance with contractual obligations to identify and address vulnerabilities promptly.
Ensure vendors have robust incident response plans that align with your organization’s response strategies. How will you coordinate efforts in the event of a cyber attack?
Establish a comprehensive vendor risk management program that incorporates regular reviews, audits, and updates to security requirements based on evolving threats.

Key takeaway:
Conduct regular risk assessments to evaluate your cyber risk exposure. Carefully review third-party vendors and integrated systems.

Implement business continuity planning best practices

Strengthen your organization's resilience with strategic Business Continuity Planning (BCP) essentials. These best practices are key to navigating and recovering from disruptions effectively. BCP also helps avoid financial losses and reputational damage:

Understand which business functions are vital to your operation’s survival and identify dependencies, including third-party vendors, which support these functions.
Develop alternative solutions and manual processes to keep necessary functions running if primary systems become compromised.
Create a comprehensive communications plan that outlines how to communicate with internal stakeholders, vendors, customers, and regulators after an incident.
Conduct regular tests of the BCP, including tabletop exercises that simulate various disruption scenarios. Training for all relevant staff is important to ensure they are familiar with their roles during an incident.
Review and update the BCP continuously in response to new threats, changes in the business environment, or lessons learned from incidents.

Key takeaway:
Develop and regularly update incident response plans to ensure preparedness for timely and effective action in a cyber attack.

Revisit cyber liability insurance and business interruption coverage

The Change Healthcare cyber attack illustrates the complexities of contingent business interruption claims, a major financial strain for affected parties. Cyber liability insurance policies differentiate between direct losses from cyber incidents and contingent business interruptions. This creates a maze of requirements for proving a claim.

The role of companies like Change Healthcare is under debate. Are they IT or data management suppliers within UnitedHealth Group? This distinction affects contingent business interruption claims directly. As a result, healthcare providers and other stakeholders face difficulties in securing timely reimbursements, complicating the recovery process.

Here are three tactical best practices to consider when navigating cyber liability insurance claims after a breach:

Keep detailed records of all disruptions and expenses incurred due to the cyber incident. Documentation is key in substantiating claims for lost income versus lost revenue and deciphering between direct and contingent business interruptions.
Review your cyber liability insurance policy thoroughly to understand the coverage scope, including breach response and contingent business interruption coverage. This understanding is key for identifying potential gaps and ensuring that claims fall within the policy’s parameters.
Engage with your insurance carrier early and maintain open lines of communication throughout the claims process. Providing updates and being responsive to inquiries can facilitate a smoother claims process and help in advocating for your coverage rights.

Key takeaway:
Seek cyber liability insurance that covers contingent business interruption and vendor management risks.

Reinforce cybersecurity through ownership, adaptation, and learning

Cyber risk management transcends simple checklists. Today's cyber threat landscape demands forward-looking, comprehensive strategies. You need in-depth controls, policies, and procedures, covering all departments — marketing, HR, IT, financial management, etc.

Take ownership, collaborate with your team, and continuously adapt. Learn from incidents like the Change Healthcare cyber attack and the 23andMe data breach. A holistic cybersecurity framework, which prioritizes robust risk management, business continuity planning, and strong vendor oversight, protects your organization and customers.

Want to learn more?

Find Allen Blount on LinkedIn.
Connect with Risk Strategies Cyber Risk team at cyber@risk-strategies.com.

About the author

Allen Blount leads the Cyber Team at Risk Strategies, where he guides organizations on cyber liability insurance, cyber risk management, and analyzing incidents like the Change Healthcare cyber attack. Before his insurance career, he practiced law.

The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.