Learning From the Change Healthcare Attack and Steps to Prevent Future Breaches
The attack on Change Healthcare has become a cautionary tale, prompting healthcare organizations to re-examine their cybersecurity strategies. The attack confirmed the importance of reviewing third-party vendors and financial intermediaries for potential vulnerabilities and of updating incident response and contingency plans to minimize the impact of future attacks. Many organizations are now giving cybersecurity an even higher priority, and a large share of them are increasing their spending on security measures.
A survey conducted by KLAS Research and Bain & Company involving 150 U.S. healthcare providers revealed that 70% of respondents were directly affected by the Change Healthcare attack. In response, nearly half of the respondents conducted audits of their internal systems and third-party vendors. Many organizations increased their cybersecurity budgets, with 19% hiring more cybersecurity professionals or investing in managed services to strengthen their defenses.
The Department of Health and Human Services (HHS) has acknowledged the need for greater cybersecurity measures across the healthcare sector. The department has published new cybersecurity performance goals and is considering a regulatory approach to encourage healthcare providers to adopt stronger security measures. However, this push for increased regulation may face resistance from healthcare organizations, particularly those with limited resources. To address this, HHS is seeking additional funding from Congress to help low-resource providers implement cybersecurity improvements, though these funds are not expected to be available until at least 2027.
The HHS and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are working on identifying systemically important entities (including HIPAA-covered entities) in the healthcare sector that require special protection, but progress has been slow. The goal is to focus on important components of the healthcare system that, if compromised, could cause widespread disruption, similar to what was seen with Change Healthcare.
The Centers for Medicare and Medicaid Services (CMS) is also examining what can be done to prevent future cyberattacks of this magnitude. During a recent leadership symposium, CMS Principal Deputy Administrator Jonathan Blum indicated that the agency is exploring ways to prevent such extensive disruptions, potentially through increased monitoring of third-party healthcare vendors.
The Change Healthcare attack also brought attention to the risks posed by the consolidation of healthcare services. In 2022, the Justice Department and Attorneys General from Minnesota and New York sought to block UnitedHealth Group’s acquisition of Change Healthcare, citing concerns over the potential harm to competition. Since the cyberattack, there has been growing criticism of UnitedHealth Group’s dominance in the healthcare ecosystem, with some arguing that the company’s operations have become a national security risk. The consolidation of healthcare services into fewer, larger entities can create vulnerabilities, as a single point of failure, like the one seen in the Change Healthcare attack, can have a cascading impact on healthcare throughout the nation.
During a hearing on the cyberattack, Anna Eshoo, Ranking Member of the Energy and Commerce Committee’s Subcommittee on Communications and Technology, stressed that the attack revealed vulnerabilities in the U.S. healthcare system. Moving forward, mergers and acquisitions in the healthcare sector may face increased scrutiny, not only regarding antitrust issues but also in terms of the potential cybersecurity risks they introduce.