Change Healthcare Cyber Attack: Cybersecurity Lessons Learned

With consequences and impact of Change Healthcare actively being determined, I wanted to share some insights below from our Cyber Team Leader Allen Blount

Change Healthcare’s recent cyber-attack sparked a crucial discussion on cybersecurity, business continuity, and contingent liability insurance within the healthcare sector. Cyber-attacks in healthcare have been increasing in severity, with far-reaching consequences for businesses, physicians, and insurers alike. Here are key observations and tips for protecting your organization.

Analyze the broad impacts of the Change Healthcare cyber attack

The Change Healthcare attack did more than compromise patient data. This breach halted operations and affected multiple sectors. It disrupted billing for physicians and pharmacies, threatening their financial stability. Three takeaways:

  1. The event highlighted the interconnected nature of our digital world, showing how finance, technology, and retail sectors are vulnerable, too. All organizations can gain insights from studying this cyber-attack.
  2. The situation demonstrated how third-party vendors can pose unintentional cyber risks. It’s worth taking a second look at your vendor cybersecurity. Could you benefit from additional technical and contractual safeguards?
  3. The Change Healthcare situation underscores the importance of strong business continuity planning (BCP). A swift, decisive response to a cyber-attack helps protect sensitive information, preserve customer trust, and maintain organizational resilience against catastrophic outcomes.

Assess vendor management and oversight

Effective vendor management involves assessing and mitigating risks throughout the vendor lifecycle, from selection and onboarding to continuous monitoring and management. Businesses need to:

  • Conduct thorough due diligence and risk assessments before engaging with any vendor to understand their cybersecurity posture and risk exposure.
  • Include specific cybersecurity requirements and obligations in vendor contracts. Ensure clear definitions of roles and responsibilities in the event of a data breach or cyber incident.
  • Implement continuous monitoring of vendor security practices. Evaluate compliance with contractual obligations to identify and address vulnerabilities promptly.
  • Ensure vendors have robust incident response plans that align with your organization’s response strategies. How will you coordinate efforts in the event of a cyber-attack?
  • Establish a comprehensive vendor risk management program that incorporates regular reviews, audits, and updates to security requirements based on evolving threats.

Revisit cyber liability insurance and business interruption coverage

The Change Healthcare cyber-attack illustrates the complexities of contingent business interruption claims, a major financial strain for affected parties. Cyber liability insurance policies differentiate between direct losses from cyber incidents and contingent business interruptions. This creates a maze of requirements for proving a claim.

The role of companies like Change Healthcare is under debate. Are they IT or data management suppliers within UnitedHealth Group? This distinction affects contingent business interruption claims directly. As a result, healthcare providers and other stakeholders face difficulties in securing timely reimbursements, complicating the recovery process.

Here are three tactical best practices to consider when navigating cyber liability insurance claims after a breach:

  • Keep detailed records of all disruptions and expenses incurred due to the cyber incident. Documentation is key in substantiating claims for lost income versus lost revenue and deciphering between direct and contingent business interruptions.
  • Review your cyber liability insurance policy thoroughly to understand the coverage scope, including breach response and contingent business interruption coverage. This understanding is key for identifying potential gaps and ensuring that claims fall within the policy’s parameters.
  • Engage with your insurance carrier early and maintain open lines of communication throughout the claims process. Providing updates and being responsive to inquiries can facilitate a smoother claims process and help in advocating for your coverage rights.

While there are nuances to each carrier’s standalone cyber coverage it is typically more robust than any throw in coverage you might have with your malpractice policy, so we do encourage you to review how you are covered.  

The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client. 

Leave a Comment