
How Health First navigated incident response for Change Healthcare cyberattack

A well-practiced runbook helped Health First, an integrated delivery network in Florida, swiftly respond to the Change Healthcare cyberattack, though not without lessons learned.

Few US healthcare organizations were left unscathed when Change Healthcare fell victim to a cyberattack in late February. After all, Change Healthcare, which is part of Optum and owned by UnitedHealth Group (UHG), processes 15 billion healthcare transactions annually and touches one in three US patient records.

In the weeks since the incident occurred, healthcare practices of all sizes have reported widespread financial and operational impacts.

From an IT security perspective, the cyberattack forced healthcare organizations nationwide to activate incident response plans, lean on their third-party risk management strategies, and coordinate with teams across the organization to maintain business continuity.

Health First, an integrated delivery network (IDN) in central Florida, was one of the many healthcare organizations that had to react to news of the cyberattack swiftly. HealthITSecurity spoke with Kimberly Alkire, Health First’s chief information security officer (CISO), about how the organization responded to the incident and what lessons were learned throughout the process.

How Health First navigates third-party cyber incident response

When Alkire first heard rumblings of the cyberattack on Change Healthcare, her team immediately activated the organization’s runbook dedicated to dealing with third-party security incidents.

“This is, unfortunately, one of our most well-exercised runbooks because healthcare and its third parties are highly targeted,” Alkire noted.

A typical response to these types of incidents involves turning off the third party’s support to Health First’s systems. For example, if there are VPNs where secure information is being transferred back and forth, they get disabled. If the impacted third party has network access or accounts within Health First systems, those are turned off.

Kimberly Alkire, CISO at Health First

“We turn off their mail to our systems if they're sending us any kind of mail. Those things get blocked by default, and then we of course have to communicate that to our impacted stakeholders internally,” Alkire said. “Is finance expecting an invoice from them this month? Then we have to make sure that they know that they're not going to get that email, for example.”

When the incident began, it was initially unclear whether Optum or other UHG systems were impacted, so Health First decided to sever connections with Optum as well until it was deemed safe to turn back on. As an IDN, Health First operates not only hospitals and medical groups but also a health plan. This means that the Change Healthcare incident impacted different areas of the organization in various ways.

This incident response process was eye-opening because it revealed the magnitude of UHG’s presence in the health sector as the parent company of several major industry players.

“There's been a whole lot of different names of organizations and contracts that kind of put a magnifying glass on our ability to be able to track – if we're evaluating a vendor, are we truly evaluating that vendor all the way across the board? Do we understand if they were to have a large-scale event such as Change, what that would mean for those other vendors?” Alkire questioned.

“We knew we were big Change customers. But we didn't realize how deep they were into so many different arms of the organization by those different agreements and separate contracts for different services along the way.”

Alkire stressed that Health First’s incident response process only worked because it was based on well-practiced and proactive strategies. At the time of the cyberattack, Health First had recently completed tabletop exercises and had security conversations with its executive management team, making the incident response process more seamless.

Even with a well-practiced plan, the prevalence of UHG in the healthcare industry and the scale of the Change Healthcare cyberattack resulted in large-scale disruptions across the sector. As such, Health First emerged from the incident with a list of lessons learned that it and other organizations can apply to future incident response efforts.

Lessons Health First learned from the Change Healthcare cyberattack

One of the biggest takeaways that Alkire’s team learned was the importance of understanding the organization’s single points of failure, and having a plan for keeping the entire system operational in the event of a large-scale outage.

In light of the Change Healthcare cyberattack, Alkire said her team plans to dig deeper into its business impact analysis efforts to fully understand the impacts of an interruption to critical services.

“We have a whole process for quantifying the business impact per application, and we really like that process. But what we found is that it didn't take into account if multiple applications were down, because then you have five or six failure points to fix versus just one,” Alkire noted.
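As an added illustration (not Health First's runbook or tooling), the following Python sketch models the two gaps Alkire describes: tracing a vendor through its corporate parents so that Optum and UHG connections are disabled together with Change Healthcare's, and aggregating business impact across every application an outage takes down rather than one application at a time. All connection identifiers, application names, stakeholder teams and dollar figures are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample inventory for illustration; not Health First's real data.
@dataclass
class Vendor:
    name: str
    parent: str = ""                                  # corporate parent, "" for a root
    connections: list = field(default_factory=list)   # (kind, identifier) pairs
    apps: list = field(default_factory=list)          # internal apps that depend on the vendor
    stakeholders: list = field(default_factory=list)  # teams to notify when it is cut off

VENDORS = {v.name: v for v in [
    Vendor("UHG"),
    Vendor("Optum", parent="UHG", connections=[("vpn", "vpn-optum-01")],
           apps=["claims-clearing"], stakeholders=["revenue-cycle"]),
    Vendor("Change Healthcare", parent="Optum",
           connections=[("vpn", "vpn-change-01"), ("account", "svc-change-sftp"),
                        ("mail", "changehealthcare.example")],
           apps=["eligibility-check", "claims-clearing", "e-prescribing"],
           stakeholders=["finance", "pharmacy"]),
]}
# Constructed daily impact per application, as a per-app BIA would record it.
DAILY_IMPACT = {"eligibility-check": 40_000, "claims-clearing": 250_000, "e-prescribing": 120_000}

def corporate_family(name):
    """Every vendor in the same parent/subsidiary tree as `name`."""
    root = name
    while VENDORS[root].parent:
        root = VENDORS[root].parent
    def descendants(n):
        out = {n}
        for v in VENDORS.values():
            if v.parent == n:
                out |= descendants(v.name)
        return out
    return descendants(root)

def containment_actions(name, include_affiliates=True):
    """Connections to disable and stakeholders to notify, sorted for a runbook."""
    targets = corporate_family(name) if include_affiliates else {name}
    actions = sorted((v, kind, ident) for v in targets for kind, ident in VENDORS[v].connections)
    notify = sorted({s for v in targets for s in VENDORS[v].stakeholders})
    return actions, notify

def combined_impact(name, include_affiliates=True):
    """Aggregate the BIA across every app the outage takes down, not one app at a time."""
    targets = corporate_family(name) if include_affiliates else {name}
    apps = sorted({a for v in targets for a in VENDORS[v].apps})
    return {"failure_points": len(apps), "daily_impact": sum(DAILY_IMPACT[a] for a in apps),
            "worst_single_app": max(DAILY_IMPACT[a] for a in apps)}
```

The gap between `worst_single_app` and `daily_impact` is what a per-application BIA misses when several applications fail at once.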

Healthcare organizations now must consider what their operations would be like if these services were down for a month or two, or whether switching to an alternative vendor is feasible.

“You would expect that that would not be the normal incident to prepare for, but here we are,” Alkire added.

This event necessitated that organizations reassess their disaster recovery and incident response plans and highlighted the importance of foundational security practices like network segmentation and third-party vendor due diligence as well.

“With most things in security, this comes back to basics,” Alkire emphasized. “Do you have a good list of your third parties, and do you understand which ones are your most important? Internally, we know which applications are our critical applications. Well, do we have the same thing for our third-party partners? Do we know which ones those are? Because if something bad happens to them, it's going to be a bad day for us.”

What’s more, healthcare organizations should consider their regulatory responsibilities in light of this event, even though it originated from a third-party vendor.

“We are still having to do some reporting to our regulating bodies even though this event isn't ours,” Alkire said. “We've had systems become unavailable. That's enough of an impact on the business that we have to report it.”

Alkire also emphasized the importance of leveraging industry cyber threat intelligence and sharing knowledge with others in the security community, especially during unprecedented events like this.

“We have learned that no one is immune,” she added.

Even with security certifications and proper third-party risk management strategies, cyberattacks remain powerful enough to interrupt critical services and cause widespread disruptions across the sector, which necessitates adjustments to response and recovery plans.

“Some of our leaders have had family members who were in other hospitals when past events happened, and they've seen firsthand what it is like to have that question mark about whether providers are getting the information they need to provide the right level of care for their loved ones,” Alkire said.

“The more these things happen, the more real it gets for individuals making decisions. And unfortunately, everyone to some extent in healthcare in the United States has seen some impact, whether it's direct or indirect.”
