One Year Post-Change Healthcare Cyber Attack: What Keeps This Healthcare CTO Awake at Night

A little over a year ago,  the average person wouldn’t think much of the words “change” and “healthcare” sitting next to each other. Who wouldn’t want to change healthcare? That perception was altered significantly in February of 2024 when the most significant cyberattack in the history of healthcare sent shockwaves throughout the industry. Patient data was being held for ransom. Providers weren’t being paid for care. Suddenly, the words “change” and  ”healthcare” meant something very different. It didn’t take someone deeply entrenched within the industry to understand the far-reaching effects of the cyberattack, as the reverberations were felt by a swath of the population that relies on healthcare systems working uninterrupted. Data from 190 million Americans were estimated to be impacted — that’s  56% of the country’s population. 

One year later, payers, providers, and healthcare organizations are still haunted by this attack and are looking for ways to keep their datasets safe. The mindset of all who are entrusted with this data has shifted. As a healthcare chief technology officer, this is what I lose sleep over every night: 

Exponential growth of healthcare data

More data, especially more interconnected data, will undoubtedly lead to monumental breakthroughs within healthcare. However, as these datasets grow and interact, it becomes incredibly complicated to protect every vector of not only an organization but the entire healthcare industry. As we saw with Change Healthcare, a lack of coverage within one aspect of one organization can lead to ramifications industrywide. Healthcare-related data is one of the fastest growing segments, year over year, and cybersecurity measures must grow with it.

Think of protecting healthcare’s data like a game of 3D chess. Data is a valuable game piece, and the board is the cybersecurity infrastructure. The more pieces placed on the board, the greater the need for vigilant protection across all layers of the board. Like a clever opponent, a cybercriminal only needs to exploit one weak spot to compromise the entire game.

The decreasing cost of computer power and its security implications

Computing costs are decreasing rapidly, and the sophistication of LLM/GenAI tools is quickly increasing. These tools can find the needle in the data haystack faster than ever before. When used correctly, it provides tremendous value in healthcare. Rogue actors, however, also have increased access to these GenAI tools. Making it exceedingly easier to craft complex cyberattacks, learn the patterns from denials, and exhaust the resources a given company might have to protect its endpoints

What helps me sleep

Ironically, an attack the size of Change Healthcare’s was the wake-up call that helps me sleep better now. It sent a message about cybersecurity, not just to the chief technology officers of the industry but to the rest of the C-suite and down the ranks of healthcare organizations. Cybersecurity is not something to be taken lightly, and we’ve seen the following being increasingly discussed over the past year.

• Secure design: Organizations are more focused on prioritizing cybersecurity during product development. This ensures fewer weaknesses can be exploited. Protective measures like threat modeling, penetration testing, and continuous monitoring are being implemented more rigorously from the inception of any new project. More healthcare organizations are also adhering to cybersecurity frameworks such as NIST, HITRUST, SOC 2, and ISO 27001.
• Incident response: In addition to adding cybersecurity protections, healthcare organizations are developing detailed plans in case they are attacked. These plans include forensic capabilities critical to determining the exact point of a breach.  
• Policy as a code: Organizations are increasingly embedding cybersecurity policies directly into their applications and systems. By doing this, they can enforce rules from the start and quickly detect any unexpected changes, preventing potential issues before they escalate.
• Improved vendor risk management: More organizations are understanding that their data posture and security are only as good as their weakest link. Some security leaders are improvising their assessment practices. This requires other organizations to more thoroughly vet and deeply understand data mapping to ensure a clear separation of concerns while handling healthcare data.
• Increased training: It’s not just external vendors that pose security risks. More organizations are implementing employee training to make sure everyone knows how to spot suspicious behaviors like phishing.
• Willingness to improve: Organizations are embracing a more cohesive strategy when it comes to data protection. And they’re not just focusing on tools and trends but ensuring there is a logical approach to defense that takes a look at the environment and industry as a whole.

Are there still significant industry-wide issues we need to address? Yes. Katie Adams explained four of them last year in her article, 4 Lessons We Learned From The Change Healthcare Cyberattack. 

The Change Healthcare attack changed everything. While there have been attacks on healthcare organizations before and after this data breach, it highlights how wide-ranging the effects of a singular breach can be. In this game of 3D chess, our opponent is becoming more sophisticated, and healthcare organizations must constantly focus on protecting their most valued pieces, their data. The possible ramifications across healthcare are too valuable to let our guard down. As long as the healthcare industry takes these threats seriously and is proactive, we should sleep a bit better.

Photo: Getty Images, weerapatkiatdumrong

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.