Reflections on a Healthcare Data Breach: Where Are We Now?

By Matt Phillion

One year ago, the Change Healthcare cyberattack caused a disruption of healthcare operations on a massive scale, resulting in outages, payment delays, and cancellation of patient appointments. The attack highlighted the need for healthcare organizations to strengthen their cyber preparedness and security posture and demonstrated the devastating impact an attack can have on care delivery.

One year later, challenges still remain, explains Michael Gray, CTO of Thrive.

“We are still very much at risk,” he says. “A year out after an attack, you know a lot about that attack. I watched the Change Healthcare CEO speak in front of Congress about how the attackers got in, and we knew how to stop these attacks 10 years ago. There’s this theme where you can tell people the right way to do things, but until they prioritize security, it’s not going to get better.”

Attacks today aren’t much different from those seen when ransomware first became the go-to option for cyberattacks.

“They find a simple weakness, they work their way in, extort the target. It’s not that advanced. It could happen again tomorrow,” says Gray.

The primary way to stop these types of attacks, he explains, is prioritization of security.

“We have a lot of conversations with customers about prioritization. Maybe there’s a business reason to swap out a system, and if I swap this system out, we’ll be 3% more efficient,” says Gray. “But we need to say we’re making this change because it will be more secure and more efficient.”

Mistakes will happen, Gray says. The trick is to be smart about it.

“I say don’t make two bad decisions in a row,” he says. “You put in a bad system and then you didn’t secure it. That’s two in a row. People are going to make bad decisions. The problem is that you didn’t think about when you make that change.”

Barriers to change

One of the unfortunate challenges organizations face when it comes to cybersecurity remains cost, Gray notes.

“Business leaders are trying to keep their eye on the margin,” he says. “And it’s the right thing to do. People are already complaining about the cost of healthcare in the first place, and if costs go up, people will be angry. But I think on this side of things, if you’re trying to keep healthcare costs down and protect the margins, they’re trying to walk and chew gum at the same time.”

There’s also how information is held, stored, and shared, Gray says.

“Maybe there’s a bit too much separation between billing information and patient data,” he says. “You can look at the original story with Change Healthcare and say it’s just a billing company, but once you know my medical bills, you know my medical history. It’s naïve to not connect the dots. These are two interconnected data sets.”

This is an industry that still asks for someone’s driver’s license information to be entered into a spreadsheet, he notes.

“We’re still a ways off with education,” says Gray. “You can do a lot with someone’s driver’s license. If we all pushed back and said, ‘I’m not giving you this information or paying this copay without some assurance you’re not going to lose my data,’ we’d see some change.”

There’s opportunity here for government regulation to help strengthen data security, Gray says.

“Ten years ago, I was in a forum and someone said if you think the government is going to save us, I’ve got a bridge to sell you,” he says. “But we know on the FCC side, the government pushing down policy does work to a degree. We have a lot of financial services customers whose first priority is the FCC and making sure they’re in compliance. I’d love to see that level of attention turned to healthcare. I tell customers all the time that HIPAA is just a guideline. I’m never a huge fan of government regulation but I see the benefit here.”

It really does come back to education and shared experience, Gray says.

“I watched that meeting in front of Congress when they spent time talking about how they couldn’t get to their bills, and this is very doom and gloom but at some point, if there is a hack that results in a fatality, that’s the worst kind of education,” he says. “These companies are losing money, and they did say that lives were threatened because of delays in care, but it may take something extremely severe to get people to ask how did this happen?”

Incremental improvements have been made, Gray notes, as some organizations are working to put security first.

“With budgets being squeezed they have to make hard decisions, but there are systems getting better at outsourcing to experts,” Gray says. “Just as I say I don’t practice healthcare on the side, I don’t expect hospitals to do security on the side. Work with those who know more about threats.”

He’s also seen a growth in operational maturity on the tech side in recent years.

“When we rebuild, we rebuild with security in mind,” Gray explains. “There’s consolidation and centralization where we need secure platforms, and not all these disparate systems.”

Biggest concerns now and in the future

Even as threats evolve and change, the biggest concern on Gray’s mind, he says, is timeless: missing the basics.

“If you look at these cyberattacks, the front door has a broken lock,” he says. “It’s not patching, expired certifications, all those little things.”

And those little things are addressed by getting the fundamentals right.

“There’s always been an infatuation with the newest tech. Look at these blinking lights, look at what this AI can do,” Gray says. “But if your firewall wasn’t configured correctly, if you didn’t properly segment your network, it’s as if your house got broken into because you left the front door unlocked. We still see cases where an organization doesn’t have multifactor authentication on the web portal, and everyone knows you should have this.”

Leaders can educate themselves to better understand cyber risks so that, even without becoming experts themselves, they know the right terms and concepts to ensure their organizations are moving in the right direction.

“I’ve talked with people in the private equity space who give individualized training to board members about the questions they need to ask, keywords to listen for,” he says. “This education isn’t watching a 45-minute video, it’s what are the things you can ask and the terms to listen for. I would love to see more of that.”

He also notes that while the bulk of the conversation focuses on the financial impact of attacks, the operations side has more power to change things.

“They’re the ones who have three weeks of bad days in a row,” says Gray. “They are the core of the business, those providers and nurses. They’re the ones who feel the most pain, alongside the patients, when these attacks happen. When the ones who provide the value to the business speak up and say back to the business: make sure we can do our jobs, businesses do sit up and listen. They are the ones providing those services.”

There also still needs to be a shift toward viewing security as everyone’s responsibility.

“A very straightforward question I’ve asked our customers for years is, do you have a security budget that is separate from your IT budget?” says Gray. “You need to recognize this is a function just like everything else you do. You need to look at security as a core business function, one that is a peer and an equal, and in some cases even higher up the food chain. You need to change your approach.”

One ideal change to the way healthcare handles data, Gray says, is a technological platform where the patient is in charge of their own data.

“This is very pie in the sky, but if someone put their mind to it, it could be built and then the patient can decide what data to share with providers and family members,” he says. “It puts the control in the hands of the human being. For example, one day you meet with a nurse practitioner instead of your doctor. You assume the nurse practitioner knows all the medical history as the doctor, but that might have been from two doctors ago. This is information and data management, and maybe that’s why we’re running into a lot of these problems. The data is all over the place, and we don’t know who has it, who doesn’t, how it’s stored.”

Disconnects in data continue to crop up, Gray says.

“As a technical person, I have assumptions about how data is stored, but I’ve been wrong—such as an MRI that doesn’t have a direct connection to the doctor’s office,” he says. “I didn’t think about this until I asked the question. It’s so disparate, and I do think we need some thoughtful centralization and ownership around data.”

Work is being done for this kind of data protection, he says, but more is still needed.

“Every day we get paper mail letting us know our data was leaked and what do we do? We put it in the trash. It’s just informing us that the leak happened,” Gray says. “I don’t believe what we’ve got now is working.”

Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at matthew.phillion@gmail.com.