OCR Investigates Change Healthcare After Major Cyber Incident
In an unusual move signaling the severity of the cyberattack on Change Healthcare, a unit of UnitedHealth Group, the Office for Civil Rights (OCR) is formally investigating the incident. The cyberattack is one of the largest ever against the U.S. healthcare system, disrupting healthcare services and billing across the country.
(OCR’s “Dear Colleague” letter announcing the investigation is available online at https://bit.ly/3WAcXV0. UnitedHealth Group’s update on the attack is available online at https://bit.ly/3JPCkuM.)
The wide impact of the attack and the seemingly slow response of Change Healthcare apparently prompted the OCR investigation, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ.
“What I think is pretty telling is how long it took them to respond and recover, which is essentially, I think, what also got OCR’s attention. This is shutting everybody down, and it took them two weeks to get fixes in place that would allow the health system in which they are a huge player to start to function again,” he says. “So that’s a huge red flag.”
Being able to recover from any known vulnerability or potential attack is required under the HIPAA Security Rule, Howard says, which means having contingency plans in place and testing them to make sure you can implement them effectively.
“Everything we’re seeing coming from Change Healthcare screams that didn’t occur,” he says. “It really comes to call the need for everyone to take a good look at their third-party risk management programs and make sure that they’re actually doing due diligence, not just kind of checking the box.”
Wake-up Call for Covered Entities
OCR investigating Change Healthcare’s compliance with HIPAA should be a wake-up call to healthcare companies of all sizes, says Nicholas Kathmann, chief information security officer at LogicGate, a governance, risk management and compliance solutions provider based in Chicago. Because of their complex systems and interdependencies, healthcare entities, whether a regional health center or a national chain, are a juicy target for bad actors, he says.
“Security within healthcare is a complicated problem. You have to balance speed and ease of use with security, as forcing an anesthesiologist to log in with a hardware token when a patient is redlining would be the exact antithesis of the mission of providing expert medical care,” he says. “The focus should be on how to limit cybersecurity incidents’ impact as much as possible.”
OCR’s “Dear Colleague” letter and the impending investigation hopefully will bring awareness to the importance of cybersecurity practices, specifically the ramifications of not having a mature and thorough program, he says.
Kathmann offers these tips for healthcare cybersecurity:
- Focus on resilience. Map out all critical functions, such as payment cycle management in the Change Healthcare example, and perform risk assessments on each component, process, and dependency.
- Do not just assess the risk of the third party; assess the operational risk to your own functions if/when there is an incident with that component (whether it is third-party or internally managed).
- Build out distinct, segregated solutions to provide options and redundancy for critical processes, and assess their ability to scale rapidly should you have to shift 100% of the load to one because the other is down.
- Build a strong security architecture team and enable them. Everyone builds trust boundaries to protect the inside from the internet, but cybersecurity professionals also should focus heavily on protecting internal systems from users (and vice versa), as well as internal systems from each other. For example, a compromised application delivery subsystem for Epic should not be able to talk to, or even have a network path to, the Cerner system in another facility.
“There’s no reason your ITSM (information technology service management) system and end node management solution need to talk to the Epic cache systems,” he says. “Build multiple boundaries a malicious actor needs to traverse to limit the ‘blast radius’ of an incident to the smallest form factor possible.”
- Focus on the basics. “All too often in security, we’re distracted by the new shiny vendor object or feature and let the basics fall to the wayside. Vulnerability management, application security, supply chain, incident response, security operations center detection, threat hunting, risk management, controls management, identity management: these are all things that aren’t the most exciting areas of cybersecurity, but are easily the most important,” Kathmann says.
- Foster a culture of security within your organization. Build a culture where people feel safe to bring up security weaknesses and to own up to infractions. If the culture is always to pin the remediation on the reporter or to chastise a staff member for reporting an incident they may have allowed to happen, employees hide their mistakes. The longer those mistakes stay in the shadows, the longer bad actors have to find and exploit them or maintain a foothold.
- Understand that governance, risk, and compliance — especially security — is a team sport. Build a great team and clearly define roles and responsibilities across teams and departments. All too often, there is a tendency for operations teams to look at all security initiatives as “that’s the security team’s responsibility.”
“Good operations is good security, and the security team is a tiny fraction of the larger operations/applications team,” Kathmann says. “Just like the neighborhood watch doesn’t show up to your house to lock your door when you leave for work, security isn’t going to show up to make sure you configured that server with the proper hardening protocols or didn’t forget to add the authorization decorator on that new function you just wrote. Clear lines of communication reduce disagreements and missed steps — which all too often lead to security incidents.”
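The resilience and segmentation tips above (mapping critical functions and their dependencies, building redundant paths that can absorb a full failover, and limiting the blast radius by making an attacker traverse multiple boundaries) can be checked mechanically rather than by inspection. The following is an added example, not code from the article or from LogicGate: it models permitted network flows between systems as a directed graph, computes what an attacker holding one system can reach under a flat network versus a segmented policy, and checks a critical business function for single-provider steps and for failover capacity. Every system name, provider name and volume figure is constructed for illustration.

```python
"""Blast-radius and resilience checks over a constructed system model."""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# system -> systems it is permitted to open connections to (directed)
Flows = Dict[str, Set[str]]

# Constructed inventory (hypothetical names, not a real deployment).
SYSTEMS = [
    "itsm", "endpoint_mgmt", "epic_app_delivery", "epic_db",
    "cerner_app", "cerner_db", "clearinghouse_gateway",
]


def flat_network(systems: Iterable[str]) -> Flows:
    """One trust boundary only (the internet perimeter): every internal
    system may connect to every other internal system."""
    systems = list(systems)
    return {s: {t for t in systems if t != s} for s in systems}


# Segmented policy: each system gets only the outbound flows its function
# needs. Note the clearinghouse gateway is a shared dependency of both EHR
# stacks but has no outbound flows, so it cannot bridge them.
SEGMENTED: Flows = {
    "itsm": {"endpoint_mgmt"},
    "endpoint_mgmt": set(),
    "epic_app_delivery": {"epic_db", "clearinghouse_gateway"},
    "epic_db": set(),
    "cerner_app": {"cerner_db", "clearinghouse_gateway"},
    "cerner_db": set(),
    "clearinghouse_gateway": set(),
}

# Flows the architecture team has declared must never exist, even indirectly.
FORBIDDEN: List[Tuple[str, str]] = [
    ("epic_app_delivery", "cerner_app"),
    ("itsm", "epic_db"),
    ("endpoint_mgmt", "epic_db"),
]


def blast_radius(flows: Flows, compromised: str) -> Set[str]:
    """Systems an attacker controlling `compromised` can reach by chaining
    permitted flows (breadth-first search). Excludes the starting system."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen


def violations(flows: Flows, forbidden: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Forbidden (src, dst) pairs where dst is still reachable from src,
    directly or through intermediate systems."""
    return [(s, d) for s, d in forbidden if d in blast_radius(flows, s)]


# Critical function -> step -> provider -> daily volume it can absorb.
# Constructed figures for illustration only.
PAYMENT_CYCLE: Dict[str, Dict[str, int]] = {
    "eligibility_check": {"clearinghouse_a": 10_000, "payer_portal_direct": 3_000},
    "claims_submission": {"clearinghouse_a": 10_000},
    "remittance_posting": {"clearinghouse_a": 10_000, "lockbox_bank_feed": 12_000},
}
DAILY_VOLUME = 8_000


def single_points_of_failure(function: Dict[str, Dict[str, int]]) -> List[str]:
    """Steps with exactly one provider: an incident there halts the function."""
    return [step for step, providers in function.items() if len(providers) == 1]


def failover_shortfall(function: Dict[str, Dict[str, int]],
                       failed_provider: str, volume: int) -> Dict[str, int]:
    """Per step, the daily volume the remaining providers cannot absorb if
    `failed_provider` goes down. 0 means the failover path scales."""
    shortfall = {}
    for step, providers in function.items():
        remaining = sum(cap for name, cap in providers.items() if name != failed_provider)
        shortfall[step] = max(0, volume - remaining)
    return shortfall


if __name__ == "__main__":
    for label, flows in (("flat", flat_network(SYSTEMS)), ("segmented", SEGMENTED)):
        print(label, "reach from epic_app_delivery:", sorted(blast_radius(flows, "epic_app_delivery")))
        print(label, "forbidden flows still possible:", violations(flows, FORBIDDEN))
    print("single points of failure:", single_points_of_failure(PAYMENT_CYCLE))
    print("shortfall if clearinghouse_a is down:",
          failover_shortfall(PAYMENT_CYCLE, "clearinghouse_a", DAILY_VOLUME))
```

The flow model is only as good as its source: in practice it should be generated from the actual firewall, security-group and ACL rules rather than from an architecture diagram, and the `FORBIDDEN` list should be re-run against it on every change. Flows are directed on purpose; a shared dependency such as the clearinghouse gateway is not a bridge between two stacks unless it can initiate connections back into them.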
Sources
- John F. Howard, JD, Senior Attorney, Clark Hill, Scottsdale, AZ. Telephone: (480) 684-1133.
- Nicholas Kathmann, Chief Information Security Officer, LogicGate, Chicago. Telephone: (312) 279-2775.