Fallout And Lessons Learned From Big Healthcare Cyberattacks

Look at the person to your left. Look at the person to your right. Now look in the mirror. One of you just became the victim of the Change Healthcare data breach, which is still rearing its ugly head.

Or maybe last week’s cyberattack on the Ascension health system impacted you or your clients. As a result of the attack, Ascension, the fourth largest healthcare provider in the U.S., was diverting ambulances and cancelling procedures because it couldn’t access patient records at its 140 hospitals across 19 states. Ascension has not disclosed a timeline for getting its systems restored. The attack remains under investigation. However, the Health Information Sharing and Analysis Center (Health-ISAC) did publish an advisory warning that the Black Basta ransomware group has accelerated attacks on healthcare organizations.

Both incidents create a great opportunity to talk with your MSP prospects and clients who:

  • Think they are too small to get attacked
  • Don’t know anyone that has ever been fined
  • Insist on just taking their chances.

The Ripple Effect of Security Mistakes

Change Healthcare is a healthcare payment processor that United Healthcare Group owns. United Healthcare’s CEO Andrew Witty confirmed in a Senate hearing that up to one-third of the U.S. population’s information was breached.

There were huge ripple effects when its systems went down. These included the failure to process payments to healthcare providers and pharmacies, many of whom were required by Change Healthcare to enter into exclusive agreements.

A nursing home closed due to cashflow challenges. One of my clients said he couldn’t get his daughter’s medicine approved for payment at their pharmacy. In addition, there was no guarantee that he would be reimbursed if he paid out of pocket.

Facing The Music

The Change Healthcare CEO was summoned to speak to the U.S. Senate. In front of the world, he said they had not protected the data of one-third of the U.S. population with multifactor authentication (MFA), even though his company policy required MFA on all externally facing systems.

Then Witty said they paid a $22 million ransom. He made excuses when asked why they missed the HIPAA reporting deadline for notifying victims of data breaches. The attack happened on February 21. Change still has not notified victims in May, even though HIPAA requires that victims be notified as soon as possible and no longer than 60 days. Many states have shorter notification deadlines, such as New York and Florida with 30 days, and California with just 15 days. Expect some massive fines from the federal and state governments and massive class action lawsuits representing victims.

United Healthcare acquired Change Healthcare in 2022 and was not done upgrading its systems when attacked in early 2024. The organization was still bringing some systems back online more than 60 days after the attack.

Then, just as the news of the Change Healthcare data breach was sinking in, we learned about the Ascension attack.

Expect Stricter Regulations and Cyber Insurance Requirements

Based on the comments of senators, there is no doubt that the Change Healthcare breach will bring new federal laws and regulations for healthcare providers, even small providers. Because of the reach of both the Change Healthcare and Ascension incidents, every industry should expect stricter federal and state regulations, contract terms, and stricter cyber insurance requirements.

Based on Witty’s testimony about their corporate policy requiring MFA on externally facing systems, I assume they stated that on their cyber insurance application, which will likely result in a denied claim for the expenses, fines, and inevitable class action lawsuits that are sure to follow. I bet that in hindsight their investors will wish that they had taken the financial hit by upgrading systems and ensuring cybersecurity.

There is already a new regulation going through federal rulemaking that will require organizations to report incidents to the federal government within 72 hours, and within 24 hours of making a ransomware payment. Many states have shorter reporting periods. We also see business-to-business contracts and cyber insurance policies now including short reporting periods.

Lessons Learned

It may be tempting to make excuses that these are large breaches that aren’t relevant to small businesses and the MSPs who service them. But make no mistake, there are lessons businesses of all sizes and in different industries can learn from these cyberattacks.

1. Healthcare Is The No. 1 Target For Hackers

If you have clients in the healthcare industry, they know the pain of patients yelling at them because of the Change Healthcare and Ascension breaches. Until the breach, patients and pharmacy customers didn’t know that Change Healthcare even existed. Patients and customers took out their anger on their providers when their healthcare was interrupted.

While that is still fresh in their minds, ask healthcare providers how it would feel if, the next time their patient data is breached and they are being yelled at, it is their fault instead of someone else’s.

2. Leaders Will Be Held Responsible

The CEO’s Senate testimony is a great illustration of how business leaders, including C-level executives, owners, and boards of directors, are being held responsible for cybersecurity and data breaches. Regulations such as the FTC Safeguards Rule and the New York State Department of Financial Services Part 500 require cybersecurity reporting to leadership and the provision of adequate resources for cybersecurity.

I imagine even stricter requirements considering United Healthcare was still upgrading Change Healthcare’s systems more than two years after its acquisition. CEOs, CFOs, boards, and private equity investors love spreading out expenses across multiple calendar quarters, and even years, to maximize shareholder value. I expect stricter regulations and shorter deadlines. Also, I would not be surprised to see something like the new CMMC independent assessment requirements for defense contractors to spill over into other critical infrastructure sectors.

3. Timing Is Right To Establish Yourself As An Expert

Now would be a great time to speak at your local chamber of commerce, Rotary Club, or professional organizations about how business owners and executives are being held responsible for what their IT departments and MSPs are doing, and why enough money isn’t being spent on cybersecurity.

4. Do A Reality Check On Policies

It’s time to stop believing that because policies are in place they are actually being implemented through procedures. Stop believing that systems can’t be hacked and that you can immediately restore critical systems. You need to audit everything and show your clients if their own policies aren’t being followed, which creates a huge liability if something bad happens.

5. Think Cyber Resilience

Be open about the fact that even with your great products and services, hackers may still get through. Start talking about cyber resilience as both the ability to prevent bad things from happening and having a business continuity plan to continue critical services when systems are down.

Look at incident response plans to see that they include the notification requirements after incidents, not just how systems will be recovered. Our plans now have many pages of notification requirements for patients/clients/customers, the federal government, all 50 states, business partners and funding sources, regulators, and cyber insurance companies.

People Are Paying Attention – Act Now

One thing I learned when leading the Red Cross disaster program in our region was that you need to get your preparation message across while people are paying attention after a disaster.

With so many people affected by the Change Healthcare and Ascension health system breaches, now is the time to be vocal about protecting the personal and business victims of cyberattacks—and taking steps to make sure your clients aren’t the next victims.

Mike Semel, “The Complianceologist,” is president of Semel Consulting. He is a CMMC Certified Assessor, CMMC Certified Professional, CMMC Registered Practitioner, Certified Security Compliance Specialist, Certified HIPAA Security Professional, Certified Business Continuity Professional, and a Certified Cyber Resilience Professional. semelconsulting.com


