Cybersecurity
Joshua Corman unpacks the consequences of the Change Healthcare cyberattack on an HFMA podcast episode
March 29, 2024
3:20 pm
The February cyberattack on Change Healthcare, a unit of UnitedHealth Group, continues to cause concern and frustration for providers.a The March 25 episode of HFMA’s “Voices in Healthcare Finance” podcast featured an interview about the long-term effects with Joshua Corman, founder of I Am the Cavalry, an organization focused on cybersecurity, and former chief strategist for the COVID-19 task force of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Below is an excerpt of the interview.
Erika Grotto: What made UnitedHealthcare a good target?
Joshua Corman: Sometimes these ransom crews target somebody because they’re attractive and they think they can extract a pound or more of flesh. Sometimes they’re just targets of opportunity where they may have been using a vulnerable piece of software and they’ll do what’s called an initial access campaign to successfully get a toehold into lots of organizations. And then subsequently when they come in and have their coffee, they’ll decide who to spring their trap on.
In this particular case, whether deliberate or accidental, because so many parts of the healthcare ecosystem depend upon this, [it] is not like ransoming a single hospital. This affected disruptions to lots of [hospitals]. They were able to command a very high premium for a ransom payment.
Grotto: So let’s talk about that very high ransom, a reported $22 million. You have told me if you’re focusing on just the money piece, just the ransom piece, you’re focusing on the wrong thing.
Corman: I don’t want to be dismissive of such a large payday, but this is a significantly larger amount than a typical hospital will pay. There are … reasons why I think it’s misleading. I think the real interesting part to this story is, we have been fairly cavalier in healthcare …. about concentration of risk. When you hear the term merger and acquisition, if you want to drive fiduciary value for your shareholders, you might like it. If you are one of the ones … on the acquired end of mergers and acquisitions, you could say this is predatory.
There’ve been some stories about private equity firms squeezing hospitals. But from a national security perspective, there can be significant risk and too many eggs in too few baskets. So the more consolidation we have from merger and acquisition, the more concentration of risk we have where a single point of failure can have very pronounced cascading failures and second- and third-order effects.
Moreover, independent of the mergers and acquisitions, there’s a notion in the cybersecurity arena of SICI, or systemically important critical infrastructure, .… and the idea here is of all the entities in a banking system, there’s a handful that if they went down, no banking [could] transpire. We have similar weak links in the supply chain or concentration of risk in the supply chain for healthcare, for oil and gas [and] for food supply.
So there has been a push to identify these systemically important entities across all 16 critical infrastructure sectors, including — and especially — healthcare and public health. But lobbyist groups and private sector groups have … pushed back really hard, and as such, institutions like HHS have pushed back as well. And CISA … is responsible for taking these [systemically important entities] in from the various 16 sectors so that we can be better prepared. If we don’t know what our SICI is, our adversaries will continue to show them to us. That’s what’s happened here with Change.
We talk about “the boom,” the bad thing that happens is the explosion. So there’s left of boom, before harm, and right of boom, after harm. If we know what the SICI is, then left of boom, we can engage them, get emergency contacts, have an action plan if something happens.
And then right of boom, because we’ve done these things, we can prioritize emergency response, emergency assistance, exercise the plays we did left of boom, maybe have emergency funds that are only available to SICI entities. But if we don’t deliberately look for and prioritize these both left of boom and right of boom, we’re going to continue to see elective damage and elective cascading consequences.
Grotto: What do you think should be the focus going forward?
Corman: I think it depends on who we’re speaking about. What you can do in individual hospitals is … scrutinize which of the services and products that you procure and acquire, if they shut down for a day, for a week, for a month, what your tolerance levels are. And as you spend your limited dollars on these, you can try to make sure that you have contingency plans and supply chain resilience, [so] you’re not overdependent on … these larger entities that will increasingly be targeted.
Or you could start to ask for and demand evidence of what your entities you’re giving money to are doing to secure themselves. Have service-level agreements that if they’re down longer than X, there are contractual penalties and remunerations that could be made. So we’re pretty dependent on these undependable things. And in the meantime, that’s not going to change. But what [you] can do is be smarter about how many eggs you put into how many fewer baskets and how much accountability [to] expect from those who put us into these concentration-of- risk scenarios.
Footnote
a. Hut, N., “Cyberattack on Change Healthcare brings turmoil to healthcare operations nationwide,” HFMA, March 14, 2024.
