Lessons Learned from a Healthcare Cybersecurity Attack

USC Price School professor – working with two students – identifies ways to improve cybersecurity of the U.S. healthcare system

Earlier this year, a little-known but critical component of the U.S. healthcare system ground to a halt after suffering a cyberattack by a shadowy, transnational organized crime organization called ALPHV/Blackcat.

The attack on Change Healthcare, which verifies patients’ insurance coverage, prevented hundreds of thousands of physician practices, hospitals, and pharmacies from submitting claims or receiving payments. Many facilities were unable to deliver care and faced financial collapse.

Two students — one an undergraduate and one a graduate at other universities — wanted to find out more. So they approached Genevieve Kanter, an associate professor at the USC Price School of Public Policy and senior scholar at the USC Schaeffer Center, to help them learn lessons from the cyberattack. Their effort led to the publication of a Viewpoint letter in JAMA Health Forum titled Lessons From the Change Healthcare Ransomware Attack.

What is the problem they looked at?      

That ransomware attack on the health insurer and payments processing part of the healthcare system showed the potential for “huge financial consequences – not just patient safety implications,” Kanter said. “If a provider can’t get permission to get the prior authorization to do a procedure, then they’re usually not going to do it unless they know they’re going to get paid. And then we worry about the financial viability of many practices, whether they can stay open until this all gets resolved, which could be weeks or months until the ransomware victim can get its system up again.”

What did they find?

Although the U.S. Department of Health and Human Services released a concept paper outlining its strategic approach to cybersecurity in 2023, there were large gaps in this strategy. There was no mention of an approach for health plans and payments processors, which experience, on average, bigger cybersecurity incidents than healthcare providers.

Professor Kanter and coauthors had the following recommendations.

  • The HHS strategy needs to expand beyond health delivery organizations to large billing processors and vertically integrated health plans.
  • A parallel strategy for preempting economic harms needs to be developed alongside a strategy for preventing patient harm.
  • There is no security patch for occasional human lapses. Given this element of randomness, increased penalties on organizations that have an imperfect ability to prevent cyberattacks may have limited or perverse effects.
  • The Change Healthcare cyberattack is an opportunity for the public and private sector to come together to clarify cybersecurity priorities and focus efforts on the most vital measures needed to secure the healthcare system.

Sign up for Schaeffer Center news