Change Healthcare/Optum Attack: What Do We Need to Understand?

Heart and network

Cyberattacks against change healthcare reflect the risk of a “snowball” effect that can lead to the presence of vulnerabilities in health systems. This breach also confirms that hackers are truly interested in critical infrastructure and the massive financial losses inherent in a successful attack; Whether it is to extract ransom payments or paralyze entire information systems. If you look closely, the interconnection of the various components of the care pathway resembles a “core and network” type of IT infrastructure. Instead of targeting each element or service provider, hackers attack these hubs (cores) that are deployed across hundreds of organizations and do so with greater panache and greater efficiency.

From large insurance companies to patients, everyone is affected. In some cases, the effect can be fatal for patients who cannot get the necessary drugs; and in others, financially devastating for health care providers who find themselves deprived of all sources of income.

This cyber attack is a striking example of the critical nature of support services in the care pathway. It also shows that the risk is not limited to medical devices, but extends beyond them.

Unplugged breach

A recent Armis report, “Anatomy of Cybersecurity: Dissecting the 2023 Attack Landscape,” already warned in this direction: global cyber attack attempts more than doubled last year, +104%. Another lesson is that on average, more than 55,000 physical and virtual devices are connected to information systems every day. Yet, surprisingly, 40% of these assets are not monitored! This risk of cyber attack is heightened when we also know that 12% of the healthcare industry is still using end-of-life (EoL) or end-of-support (EoS) operating systems. understand what? Hackers don’t need a sophisticated plan to break into a network and cause significant disruption. They just need to find one of the many unguarded doors.

The heart of this attack boils down to a fundamental cybersecurity principle of visibility and vulnerability management: strong cyber exposure management is non-negotiable. To conduct holistic risk assessments, healthcare organizations must expand their scope of visibility across their entire ecosystem of devices and support services—especially systems that directly enable the management of healthcare services, whether it’s a hospital, clinic, or outpatient service.

A comprehensive strategy will proactively mitigate all risks, address vulnerabilities, block threats and secure the entire attack surface. Every asset, from building management systems to connected medical devices, must be viewed, secured and managed.

What responses from the authorities?

In France, we know that progress is possible when we know the number of hospitals that will be victims of cyber attacks in 2023. Institutions, however, can find support in the strategic plan to combat cyber attacks announced by the state in December 2023. A first installment of more than €230 million in financing has been allocated until 2024, an amount that could reach €750 million in 2027, several sources indicate. In the United States, organizations can rely on the strategic plan of the Health Sector Coordinating Council, HIC-SP. He also finds the state of cyber security in the health sector worrisome. And it aims to bring it back to a steady state by 2029.

Organizations, regardless of country, should consider these strategic plans and defined cybersecurity performance objectives. They show not only the imperative to manage vulnerabilities, but also the extent of the healthcare pathway (pharmaceuticals, medical device manufacturers, investors, healthcare providers and policy makers). Suppliers and service providers, given the high risk they pose to healthcare organizations, must consider cybersecurity as an issue for their own existence.