Change Healthcare, owned by UnitedHealth Group, was targeted by cybercriminals, affecting 140 million Americans and costing $1 billion daily. Recovery efforts underscore the critical need for robust cybersecurity measures in healthcare.
Change Healthcare, a subsidiary of UnitedHealth Group, recently experienced a major attack by a cybercrime organization known as ALPHV or BlackCat, which has been implicated in other high-profile attacks.1 Change Healthcare has multiple software products that include electronic health records, patient scheduling, and claims adjudication. Because of its reach across the health care ecosystem, at least 140 million Americans were affected in some way, costing providers up to $1 billion per day.2 It has taken weeks for the systems to slowly return, and I expect the cleanup will continue for several more weeks or months.
This was a ransomware attack in which the terrorists encrypt data and hold it hostage until a ransom is paid. Only then will they release the key to allow access. Health care data are extremely valuable because they are critical to provide the necessary care for each patient. They are also necessary to ensure health care providers are paid for their services, and unlike a credit card that can be easily canceled, health care data last forever.
Patients often express frustration about the fragmentation of their care with separate groups on different platforms. However, imagine if all of us were on the same platform during a cyberattack. An event like this would have shut down the entire system and could have led to serious harm, even deaths. Separate systems help make the environment less fragile.
Although details are limited, the terrorists were able to gain access through human error, which is the most common mechanism. All of us are targets, and we need to approach every email as a potential threat. Unfortunately, the gestalt of many in leadership is to make things more resilient, which can interfere with efficient care. Nassim Taleb, philosopher and author of the book Antifragile, argues that the better approach is to develop systems that get stronger when damaged.3 I don’t have specific recommendations for features of systems, but they would include having simple rules, redundancy, and avoiding things that don’t work, such as passwords.4
The US government needs to be more aggressive in prosecuting these terrorists and protecting its citizens. Imagine if the police fined you when your car was stolen because they felt you did not do enough to protect it. This victim-blaming approach often occurs in cyberattacks.5-7 Health care corporations have a responsibility to their customers to protect their data and to their shareholders to prevent business disruption. The government has a responsibility to protect citizens and corporations from state-sponsored cyberterrorist attacks. Attacks will continue to occur, and we all need to be better prepared and equipped to handle them.
Leslie Busby, MD, is chair of the US Oncology Pharmacy & Therapeutics Committee, and a medical oncologist and hematologist at Rocky Mountain Cancer Centers, Boulder, Colorado.