CareTalk: Healthcare. Unfiltered.

Change Breach & Healthcare's Cyber Threats w/ Greg Garcia

March 15, 2024

Change Healthcare, which processes 15 billion healthcare claims per year, was knocked out by a cyberattack in February. It’s still not back online. Providers aren’t getting paid, prior authorizations aren’t happening, and the Biden Administration is stepping in.

How vulnerable is healthcare to cyber-attacks? And can anything be done?

TOPICS
(1:18) What happened with Change Healthcare?
(3:40) What are the ripple effects of the Change Healthcare cyber-attack?
(8:35) Cybersecurity and critical infrastructure warfare
(11:32) What makes healthcare vulnerable to cyber-attacks?
(19:46) Securing hospitals: challenges and solutions
(25:47) How can we work with the government to protect ourselves from cyber-attacks?

🎙️⚕️ABOUT CARETALK
CareTalk is a weekly podcast that provides an incisive, no B.S. view of the US healthcare industry. Join co-hosts John Driscoll (President U.S. Healthcare and EVP, Walgreens Boots Alliance) and David Williams (President, Health Business Group) as they debate the latest in US healthcare news, business and policy.

🎙️⚕️ABOUT GREG GARCIA
Gregory T. Garcia is a cybersecurity expert with extensive experience in both the public and private sectors. He currently leads the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group. Previously, he served as the nation’s first Assistant Secretary for Cyber Security and Communications at the U.S. Department of Homeland Security. In this role, he played a key role in developing national cybersecurity initiatives.

Greg has also held leadership positions in the financial sector and has advocated for cybersecurity policy at the federal level. He has a proven track record of bringing together different stakeholders to develop and implement effective cybersecurity solutions.

CareTalk: Healthcare. Unfiltered. is produced by
Grippi Media Digital Marketing


Change Healthcare, which processes 15 billion healthcare claims per year, was knocked out by a cyber attack in February. And it's still not back online. Providers aren't getting paid, prior authorizations aren't happening, and the Biden administration is stepping in. How vulnerable is healthcare to cyber attacks? And can anything be done?

Welcome to Care Talk, America's home for incisive debate about healthcare business and policy. I'm David Williams, president of Health Business Group.

And I'm John Driscoll, a senior advisor at Walgreens Health.

Well, I'm pleased to welcome Greg Garcia. He's executive director at the Health Sector Coordinating Council Cybersecurity Working Group. And I hope everyone will join the ever-growing Care Talk community on LinkedIn, where you can dig deep into healthcare business and policy topics, access Care Talk content, and interact with the hosts and our guests. And please be sure to leave us a rating or review on Apple and Spotify while you're at it.

And David, we are now the highest ranked Apple business healthcare podcast. Let's not mess that up. Thank you listeners. Greg, thank you for joining in and thanks for helping us unpack the Change hack. Uh, it, uh, maybe first, I mean, we all know that Change Healthcare, or most of us know, is one of the backbones of defining eligibility, which is elemental to actually getting paid. You know, at Walgreens, we obviously noticed it because Change clears eligibility transactions for over 67,000 pharmacies in America. And actually I had one friend whose time sensitive neurosurgery was postponed because Mass General Hospital, in David's home in the People's Republic of Massachusetts, couldn't determine whether she was covered by UnitedHealthcare. So this really was damaging and slowed down and put a lot of small providers, as well as individual patients, at risk, but maybe step back and say, what happened?

Yeah, thanks, John. And first of all, gentlemen, it's a privilege to be on this podcast, the Most Listened Health Care Podcast. And what happened? I mean, you summarized, John, this is an existential threat. Cyber attacks on the healthcare system, and the Change Healthcare event was the most palpable manifestation of the threat that we face across the healthcare industry. And the fact that a ransomware attack can get into a major healthcare infrastructure utility, which is Change Healthcare, locking it up and disabling the critical functions, the critical services that it provides to the health sector, makes a direct line from cyber attack, cyber threats to patient safety. And one of the organizing principles of the Health Sector Coordinating Council is that cyber safety is patient safety. So this is a clear example of a major choke point that if disabled has a rippling cascading effect across the entire healthcare system.

I guess when you knock out the backbone, it's like it's turned the system into a snake from something that could actually stand up as pretty significant.

I mean, your metaphors are terrible. Thank you, Joe. It's not didn't affect the veterinary claims, right? John, but the, you know, but the impact, like this is far more than sort of like defacing a website and asking United to pay $5 million. I mean, what, what is John mentioned, you know, I think broadly and on a specific level, kind of some of the impacts, but you know, what was the initial impact and what is the impact that it's still having? Cause I actually talk to people outside of healthcare, they're not even aware of it. I mean, is this, it's like sort of one and done and it's over. I mean, what's the, what's the, not just ripple effect, but what's the long-term impact or medium term?

Well, I mean, I think in the short term, can't get my prescriptions if my pharmacy is using Change Healthcare. If I need to get some procedure and need to get that approved by the insurance company as a prior authorization, you're out of luck. If you're a hospital system, small clinic, if you're a doctor, you're a group practice, you might not get paid because the reimbursement function from Change Healthcare has been cut off. So this creates a solvency issue for, for health providers, that not only do the hospitals not get paid, but the doctors, the nurses, everyone else is not going to be paid when you go to a small provider and they say, boss, we have, we have two days of cashflow left. Okay. That, that's forcing some very serious decisions about the short-term future of that organization. Over the, over the long-term, this really puts into stark relief, as I've said earlier, what are, what are the broader systemic vulnerabilities in the healthcare system that can be exploited, that would disrupt patient care on a massive scale. And we've seen this in sort of smaller regional areas where a major cyber attack, a ransomware attack on a Southern California health system, resulted in, for example, the diversion of ambulances that were headed to the hospital, but when the EMR goes down, when scheduling system goes down, when medical devices and patient records are no longer available, ambulance needs to be diverted to a hospital up the road and that hospital is not ready for the surge of patients coming in to its smaller facility, and patients are on gurneys in the hallway because they don't have enough bed space now for patients in need. So you have that kind of a rippling effect just within a region. So this is the kind of existential threat we have to really bear down with our government as industry and government working together to map out what is that, what is that healthcare critical infrastructure? What are the essential nodes, services, um, serving that infrastructure that we need to protect, particularly if there is no redundancy or low redundancy of those, of those systems, of those utilities, uh, then, then we're in deep trouble.

It's massive. I mean, you know, I've talked to hospitals that have had the revolutionary guards, the Iranian Revolutionary Guards, actually prying through their intellectual property so that they could then take that and sell that to other medical device manufacturers. I've talked to cancer hospitals that have had all of their scans locked up so it prevented any surgery the next day. They had to hire external NSA decoder packers to basically unpack their system. I talked to one hospital that did a real-time exercise and realized they had no paper. Or, uh, they had no ability to actually immediately go to physical documentation because they'd taken all the paper out of the hospital and they had removed that slush and so they, in a critical moment, if everything went down, the hospital would not, it would be severely impaired. So this is a, this is a, uh, you know, obviously a healthcare problem, but to Greg's point, it's a social problem because everything we unconsciously and consciously have transferred a lot of the ways we work to digital form that when they go down, stopped, impaired or stolen, really can destroy the underlying infrastructure. I think in healthcare, it's particularly dangerous because it directly affects patients' lives, like my friend who needs exploratory neurosurgery to determine whether she has got a very serious mass growing, and that's multiplied times thousands of people. And I think we're also, Greg, you should comment on this. This feels to me a little bit in the cyber world with North Korea, Iran, Russia, and China playing, equivalent to sort of what's happening in the Middle East where people use proxies to poke and probe, whether it's Houthis and drones or the Iranians through Hezbollah and Lebanon, to create a constant set of low-level conflict that doesn't actually turn into cyber war, but can transition to a fair amount of cyber pain that can affect us financially and physically. If you think about the exposures in the banking system and the healthcare system, I think we're in a totally new phase of international conflict. I don't know, Greg, whether you think that's overstating it.

And not, not at all. It, you know, it was shortly before the, um, shortly before the, uh, Change Healthcare attack that also, uh, as you recall, AT&T suffered a major national connectivity outage for anyone using a cell phone, I was included in that several hours, um, of, of outage. You think, well, this can happen where we have nation states that are waging or probing for opportunities for cyber warfare. First, take out the telecommunication system, cause lack of connectivity, lack of communication, little bits of panic. Then take out major portions of the healthcare system, which will choke points like Change Healthcare. And then you have cyber warfare, psychological warfare, critical infrastructure warfare. And there really are not good international norms yet that sort of like the Geneva Convention of War. We don't have that for cybersecurity. And so it is a little bit of a wild west and all major nations, major industrialized nations with good cybersecurity capabilities, are all doing it to each other, whether it's your basic spying or critical infrastructure probing and pinging.

You know, the FBI director was in front of Congress a couple of weeks ago and talking about Chinese infiltration of critical infrastructure. And I think the focus that we heard on there were things like, you know, water, you know, electric utilities and that kind of thing. And I think that's what people think of with critical infrastructure. What you're pointing out with both the AT&T attack and then Change Healthcare is that critical infrastructure in an electronic world is actually a lot more than just the water, which of course is pretty fundamental. So if we talk about healthcare's role in that, what is it that makes healthcare a target? How is it different from just any other sector of the economy?

Well, healthcare is critical infrastructure. There are 17 designated, government designated critical infrastructure sectors. You mentioned water and there's electricity and transportation and telecommunications, financial services. Health care is the care and sustaining of life. I can't think of any critical infrastructure more important than the care of life. And of course, water feeds into that. Can't do healthcare without water. Can't do healthcare without communications or electricity. Um, but, uh, you know, we are as designated as critical infrastructure, given a special, uh, status as a partner with the government. Even though we are regulated, we have this public private partnership, which is what the Sector Coordinating Council does, works with the government and with ourselves to identify and mitigate systemic threats to the healthcare sector, not through regulation, but through creativity and resourcefulness and resiliency against evolving threats. So healthcare in and of itself is important, but then you think of healthcare as a function to sustain life of first responders and other people that are important to running the government and running other critical infrastructures. If we don't have that system in place or it's, uh, or it is debilitated by some cyber attack, then healthcare ceases to become, um, a sustaining, uh, system for, for the, for the United States in the public.

Hey, Greg, my sense is that, and it may be unfair, that the banking system is held to a higher standard of cyber protection, effectively digital hardening, than healthcare. In your experience, you've worked in the federal government. Thank you for your service. You've worked in Bank of America. Can you please reduce my credit card late fees? And you're now pulling together organizations to help kind of protect us through a public-private partnership. But maybe you could level set on how the financial system is set up to be protected versus health care.

That's a really good point, John. So yes, the financial sector has traditionally been much more vigorously regulated in cybersecurity. And one of the areas I think that is telling here, the issue with the, a Change Healthcare attack. It was essentially a third party. Yes, UnitedHealth Group owns them, but it is a third party resource. Well, we don't have in the healthcare industry very rigorous standards or regulations about how, for example, a hospital can assess and attest to the security of their third party providers, whether it's a software company, a service provider, a medical device manufacturer. The financial services sector, in contrast, not only is required to assess their third parties, their third party service providers and technology providers, but they also need to have the attestation of their fourth party. So you got a service provider working for your bank. You need to know that service provider is also ensuring the security of their service providers and their technology providers. So it's fourth party attestation. And that's an important piece. It is trying to build out a culture of security that supports the financial system in a way that won't lead to catastrophic meltdown of the global economy.

You know, often what happens in hacks is there's either a breakdown of protocol around two factor authentication. It could be some low level tech person like Mark Zuckerberg making his password to Facebook password, which is actually true, that people just make mistakes or they don't follow protocol. But the critical thing in any system of security is having a closed hardened loop. And I feel like that is better regulated and required in financial services than in healthcare. In healthcare, David, there are all kinds of access points because healthcare, both directly and indirectly through the infrastructure that supports it, where your scans go, how your eligibility is defined, who pays whom and how, are all points of potential digital access, digital failure, digital penetration. They're there. One is healthcare is porous where at least theoretically, Greg, clinic, the financial services is more of a closed loop. But I, I just, I don't, I don't know how we got there, but I think that's one of the reasons why it's not just Change. It's Cencora. It's a whole, it's all these hospitals and physician systems that are getting, that are getting access because honestly, you knock over the easy targets as a criminal.

Yeah. And you know, you're exactly right, John. We have this porous healthcare system. We have thousands of hospitals that are small, rural, critical access, urban, underserved. They are operating at zero to negative margins. Already heavily regulated where they have to meet all manner of conditions of participation to actually, you know, operate as a hospital. And we talk about, we know that the Biden administration will be coming out soon with more minimum mandatory controls on health systems. How are those smaller systems going to actually be able to comply if they have to make a decision between hiring a nurse or hiring an IT security person or outsourcing some managed security services? That becomes some very difficult trade-off decisions. So those regulations really can't happen without some financial support from the administration. But again, it is a sort of a network system. There are the third parties. It is more than just the hospital system. You cannot always blame the victim. You have to look outside to other elements in the ecosystem. We are an interdependent, interconnected ecosystem in healthcare with plans and payers and health IT and medical devices, pharmaceuticals and the providers. And every hop along the way introduces a vulnerability. So we need to kind of look at this in a, in a holistic, comprehensive way, the way that the financial system has matured, you know, in 30 years ago, 20 years ago, uh, cyber attacks against the financial sector were rife because that's where the money is, said Willie Horton. Well, now the money is against the health care system, easy money. And, um, we need to catch up, we need to catch up with the adversaries.

So it sounds like on a Change Healthcare to me, seems like the sort of issue that you could remedy by following some of what's done in the banking industry. I mean, it is more of a, you know, it's electronic clearing house, you're paying money. Some of those same principles, you know, could apply. And it may be that the regulations on standards can be helpful there. When we get into hospitals, it is a little bit different. And I would argue that it is a little more complicated. So if you think about hospital has both the regular sort of information technology, but then it also has these operational technology. So if you're an MRI machine and a variety of devices that are in there, that also can be hacked or harder to protect. And if I'm in a factory that has these sort of devices, I've got a fence around it. You have to have a badge to come in. There's armed security, et cetera. Now hospital people are coming and going, you know, all the time, scheduled, unscheduled, and the ambulance bringing somebody in. So what I wonder about is whether, you know, is it, is it hopeless to secure hospitals with these sort of environments. And we should just, you know, is that the case? Or what should we do about that? Because I think we can handle the Change Healthcares of the world by emulating the financial services model, but I'm not sure we can do it with the physical sites of hospitals.

No, it isn't. It isn't hopeless. And by the way, when are we going to stop crime? I mean, so crime is never going to stop. But there's still good, I can lock all my doors and windows in this house and they're still going to break in, right? But we do know that, I mean, for the hospital systems, a lot of the way, we did a study with the government, called it the landscape analysis. How are we getting beat? How are hospitals getting beat? What are the vulnerabilities that are most frequently exploited for a successful cyber attack? And it isn't complicated. There are some basic, there's three major things that happen most frequently. One of them is email phishing. Getting in through email because somebody has been tricked. Click on that link to open that attachment and in comes the attack. That's basic cyber hygiene. Secondly is vulnerabilities of devices and applications that are internet facing. Vulnerability hasn't been patched. Hacker is able to exploit that vulnerability, get into the hospital network, and the third most frequent form of attack is third party, like Change Healthcare. And some of that is just not preventable. You remember SolarWinds? SolarWinds is a software program, a software utility that thousands of governments and companies use. The one update of a SolarWinds over the air, over the network update, pushed out to you, just like every Microsoft update, that software update was corrupted by a cyber attack. And with one mouse, that goes out to thousands of customers. SolarWinds was sending them a corrupted file. So one click, thousands of corruptions.

I want to, I want to just correct one thing. It was Willie Sutton, the bank robber who said that, uh, you know, you robbed banks.

Oh, that's right. Well, who would I say Willie?

And I think the Willie Sutton reference is actually really interesting because he famously at one point tried to rob a bank by going in the front door. I believe he was a postman or a policeman, someone noticed it and he was foiled. And then he had an accomplice actually ended up robbing the same bank later by going through the skylight. And that's kind of what we're doing in cyber, but I guess, it was a right perspective. There's a lot of stuff we can do to actually prevent this, but it's not just, you know, I just want to make, make clear this isn't just random criminals. A lot of the sophisticated hacks, but I believe Change is going to play out that way. The, the whisper on it is it's Black Cat, which is the name of a Russian state sponsored criminal organization that was involved with the Colonial Pipeline hack, which if the people recall a few years ago, that caused a lot of damage and distress around the energy infrastructure in a big region in the country. The United States responded by directly confronting the Russians and taking down a couple of their institutions because we have the ability to respond. You know, as of changes in legislation and jurisdiction, we actually now, we now are, we, the United States are aggressively pursuing forward penetrations of foreign actors who are attacking us. This is an ongoing thing. And I really, I mean, there's a pretty significant possibility that if it was the Russian state sponsored actor, it happened quickly after the United States responded to the Navalny murder with sanctions. This is going to be a call and response international problem that to your point, Greg, we're not going to get out of. So I think we have to kind of build some form of digital hardening. And maybe you could talk a little bit about the private public work you've done. You started, you worked in government in the cyber area, you've worked in banking, and now you're helping teach, collaborate, and connect a lot of the private actors in healthcare to, to leverage best practices to improve what's effectively, I think again, an ongoing low level war about money and I think international policy.

Yeah, it's a great point, John, on that sort of international stage that you teed up. Yes, at some point, you know, that's this tit for tat that you were talking about. We need to have very clear rules about what is that red line. When does a cyber attack with kinetic impact, like Colonial Pipeline, when does that constitute an act of war? We're no longer, it's just cyber warfare. But when is it the same thing as dropping a bomb on another country? We don't have that yet. So for now, we've got this, uh, you know, sort of low level cyber warfare. But when you think about the health sector, we can, we are the victims of that. So how do we work with the government? As you asked, uh, to try, how do we protect ourselves knowing there's a limit to what the government can do, is a limit what we can do. Um, so Health Sector Council is here to try to bring together, the Cybersecurity Working Group is almost 150 organizations of industry and government from across the healthcare spectrum. As I mentioned earlier before, working together to identify and mitigate those threats, and what we have done over the past five to six years is to develop a library of healthcare specific cybersecurity best practices, whether it's better cybersecurity hygiene in hospitals, whether it's how do we build security in medical devices from the ground up. How do we do better incident response when something does happen? How about a checklist for operational continuity when, for example, University of Vermont health system back in 2022, they were off the grid for six weeks because of a ransomware attack, no email, no, no EMR, no scheduling. How did they maintain operational continuity, patient care? Um, we've, we've produced publications on third party risk management, supply chain, you know, how do you assess your, your third parties. So a whole range of things and right down to a video training series for cybersecurity for the clinician. So it's not just the IT security person's job. Uh, the doctor, the nurse, um, the surgeon, they're touching patients and technology and data, like it or not. They need to know what they should be doing and what they shouldn't be doing to help protect, uh, the data and systems, um, in the, uh, clinical environment. So, um, these are, these are resources that we have developed, um, by the sector for the sector. I mean, who knows better than, than the chief information security officer, uh, whose job is on the line every day, about how to better protect the data and systems. So we're bringing that to bear, free resources for the rest of the sector.

I'm still nervous, but David, any, any final question?

Well, John, since we brought, you know, say, you know, if we got the Willies, I'll say, why don't we end with, uh, you know, Wee Willie Keeler, he said, uh, you know, hit them where they ain't and that's where, uh, it makes it easy hitting over 300. So I think some of the simple things that you're describing, Greg, you know, we, we hear about these sophisticated, everyone, when they get hit, they say, you know, sophisticated adversary, sophisticated attack, but sometimes it was just that they did the simple thing. So I think that there is the possibility of doing, uh, you know, some of your more straightforward kind of cyber hygiene and we can get there.

Well, I'll say. That's it for yet another episode of Care Talk. We've been talking today with Greg Garcia. He's executive director at the Health Sector Coordinating Council Cybersecurity Working Group. We've been talking about the Change Healthcare attack and much more. I'm David Williams, president of Health Business Group.

And I'm John Driscoll, senior advisor at Walgreens Health. If you like what you heard or you didn't, we hope you subscribe on your favorite service. And thanks, Greg, for helping us unpack the hack.

Thank you very much.