Founder Letter: What We Can Learn from Change Healthcare

Many of you are probably still feeling the effects of the Change Healthcare cyberattack that took place in February. That ransomware attack managed to grind a large portion of the healthcare industry to a halt—not that you’d know it from the minimal media coverage of the incident. What gives? Sure, it’s hard to compete for headlines with everything else going on—particularly in an election year—but I would think that a successful attack on one of the top 10 largest companies in the world and largest healthcare insurance provider in the US should be a big friggin’ deal. That’s especially true when the resulting shutdown was affecting patients trying to get treatment or their prescriptions and providers getting paid for their services or authorization for care.

Unfortunately, we don’t have any control over what the media does or doesn’t cover. What we can control is how we respond to this incident—and we absolutely must respond with our own technology and security response review, because these types of attacks will happen again unless we take steps to protect ourselves.      

Here’s what happened with Change Healthcare.

If you’re still not entirely sure what exactly happened at Change Healthcare, you can check out the article Change Healthcare cyberattack on the WebPT blog. In short, a group called AlphV or BlackCat launched a ransomware attack against Change Healthcare, the clearinghouse owned by UnitedHealth Group (UHG), in late February. If you’re unfamiliar with ransomware, it’s a type of cyberattack where hackers infiltrate a system and encrypt the data, demanding money from that company to decrypt it. 

The attack forced Change Healthcare to disconnect its systems to avoid compromising third parties, including WebPT. Fortunately, we did not and still have not detected that any WebPT Member data had been compromised. However, the closure created a backup of claims submissions, treatment, and prescription orders, leaving patients and providers in the lurch. 

The Department of Health and Human Services (HHS) stepped in to facilitate expedited clearinghouse switches for Medicare providers, and Change Healthcare created a Temporary Funding Assistance Program through Optum. Perhaps most crucially, Change Healthcare reportedly paid the hackers a $22 million ransom—a move that governments have come out against and many experts believe will only embolden cybercriminals. This whole saga is far from over, as Washington has called on the CEO of UHC to testify on behalf of this mess.     

Health care is an increasingly common target for cyberattacks.   

How frequent are cyberattacks within our industry? According to a study on Cyber Security in Healthcare: The Cost and Impact on Patient Safety and Care conducted by the Ponemon Institute in 2022, 88% of organizations had experienced at least one cyberattack in the past year, and 54% of organizations experienced an average of four ransomware attacks over the previous two years.  

We shouldn’t be surprised that healthcare companies are a top target for hackers. According to CMS, national health expenditures grew to $4.5 trillion in 2022, or 17.3% of the Gross Domestic Product. And it’s not just that there’s a lot of money in healthcare; as Joseph Menn lays out in his article “After years of ransomware attacks, health-care defenses still fail” for the Washington Post, failure at the federal level to mandate stronger security standards for healthcare systems, combined with the willingness of organizations (like Change Healthcare) to pay these ransoms, has made the industry low-hanging fruit for opportunistic hackers.  

We’re committed to keeping your data secure. 

Our Members and their patients rely on us to help keep their sensitive information safe, and we have always been committed to going above and beyond the industry standard for cybersecurity. You’ve probably seen us mention our ISO-27001 certification or our completion of a SOC-2 audit. While those might not mean a lot to clinicians, they’re a sign to cybersecurity experts and other companies that we’re the gold standard when it comes to rehab therapy software. 

Of course, a lot of cybersecurity comes down to the human element—after all, phishing emails (like the one that reportedly got Change Healthcare into this mess) only work if someone clicks on those malicious links. That’s why we require regular cybersecurity training for all our employees, including how to spot phishing emails and “hook” them for our cybersecurity team to handle. Our team also sends occasional dummy phishing emails to ensure people follow the right protocols and offer additional training to anyone who opens and clicks on the wrong link. And that’s in addition to the other tools we use like Okta, two-factor authentication, Crowdstrike, and VPN to ensure unauthorized users can’t access our systems.   

With a few changes, you can protect your practice. 

Ransomware attacks and other cybersecurity threats aren’t just a concern for the Change Healthcares of the world, with millions in revenue. One study found that 82% of ransomware attacks target small businesses, defined as companies with 11 to 100 employees. The thinking goes that while the return might not be as large, the effort involved in breaking into the systems of a smaller business is less, as is the attention paid by media and law enforcement. So don’t think that, because of your practice size, you don't have to worry about the possibility of cyberattacks. 

Here are a few things every practice—whether you’re one provider or 1,000—should be doing to protect against cyberattacks:  

Make sure your team is trained on cybersecurity measures. 

Humans are the biggest weakness in our cybersecurity structures; per a study by IBM, errors made by people result in 95% of all breaches. I’ve said it before, but today, every company is a “technology” company. We must educate our staff on the basics of cybersecurity, like how to respond if they receive an email they suspect might be a phishing attempt or the importance of a unique password. Review those policies regularly with your team and provide further education for those who fail to meet those standards. Just as yearly compliance education occurs in the way of HIPAA and Medicare, so too should yearly online training specific to cybersecurity. 

Use a firewall and security software—and keep it updated.

A firewall is a security feature that blocks traffic to your network based on specific rules and has been a staple of cybersecurity since the world started migrating online. Employing a firewall along with security software helps block any incoming security threats before they become an issue. For those to be effective, though, you have to make sure you’re updating your security software (and browser and other software) as patches become available. Hackers often prey on vulnerabilities in outdated software to access your computer, so take a minute to install updates as you see them.  

Require strong passwords that change regularly.

We’re all guilty of getting a bit lazy with passwords—there are so many apps and accounts asking you for a login ID and limited brain space to try and memorize 25 separate passwords that are 12 characters long with two special characters. We can’t let our practices fall victim to our complacency, however—having simple passwords that you reuse for all your accounts means that if someone guesses one, they have access to all of your programs. Make it standard procedure for everyone to use complex passwords that change periodically (every 90 days per most cyber experts) to make it harder for hackers. If this seems too cumbersome, there are password managers, like Bitwarden or LastPass, that can remember the passwords for you and are more secure than that sticky note attached to your monitor. 

Adopt multi-factor authentication. 

Multi-factor authentication (MFA) may feel like another unnecessary step (particularly if you’ve taken the advice about strong passwords), but it can be a lifesaver when it comes to protecting your systems. Hackers may be able to figure out your ingenious password with three ampersands, but it’s a lot harder for them to get access to your phone or email to retrieve the additional code they’d need to log on as you. It’s even more challenging if you take it to the next level and introduce biometric measures for MFA like a retinal scar or fingerprint, although the basic code sent to your phone should suffice if you’re not ready to go full Mission: Impossible. 

Moving beyond MFA, you can further protect how you and your employees sign into digital platforms through services like single sign-on and federated login options. These types of services simplify the login process while not sacrificing the safety and security of your logins. This is what you will see in the WebPT system to keep your PHI safe.  

Back up your data.

What makes ransomware attacks so effective is the ability to cut off any and all access to your critical data. In the case of healthcare professionals, the fact that we’re dealing with people’s health records, which can be mission- or even life-critical, can really ratchet up the pressure to pay that ransom. Using cloud-based practice management software, like WebPT, can be a great way to ensure your files are backed up.  However, not all cloud systems are created equal, and it's an important question to ask when vetting a new vendor. For those using on-premise software, pay special attention to any programs or medical files you have saved on your local computer as that is the more traditional method of medical record theft.

This mess is nearly complete, but stay vigilant.

Fortunately, Change Healthcare is getting closer to fully restoring services, which will allow providers and patients to get what they need. However, for many hospitals, large healthcare systems, and pharmacies, the work continues with HIPAA policy compliance and full payment recoupment. This should be a major, red-flashing warning sign—and a reminder that none of us are immune. 

Cybersecurity has frankly been the biggest issue that has kept me up at night about WebPT since we first launched the company. But it's also why, from the beginning, we have implemented practices and tools that far surpass the required government standards—and the measures used by many of our competitors. Our focus on cybersecurity should be one of the main factors why you continue to trust WebPT. This is an extremely interconnected world, and while we can’t control what these massive organizations are doing to mitigate cybersecurity threats, we can ask the right questions when selecting our technology vendors and take the right steps to mitigate our own risk in every PT practice.