One year after: Lessons learned from the Change Healthcare cyberattack
Just over a year ago, the healthcare industry experienced an era-defining cybersecurity event. Change Healthcare, which processes more than 15 billion healthcare transactions each year, was attacked by the Russian ransomware group ALPHV BlackCat, which encrypted data and restricted huge portions of the company’s functionality.
The effects were immediate as Change Healthcare shut down its network, stopping reimbursements, prescription requests, and eligibility checks in their tracks for a huge number of healthcare organizations.
In the coming weeks and months, it would be revealed that the attack affected more than 190 million healthcare consumers and resulted in billions of dollars in losses to UnitedHealthcare Group, as well as significant financial losses and patient care disruptions for provider organizations.
The event has prompted a renewed focus on cybersecurity, business continuity, and organizational resilience. Healthcare leaders are now paying even closer attention to securing their networks and developing response plans should a bad actor make their way through the defenses.
To support organizations through their cybersecurity upleveling, the American Hospital Association (AHA) has compiled a list of lessons learned from the attack, as well as specific recommendations for organizations trying to feel their way forward in this newly uncertain environment.
Third-party risks are the most significant and disruptive cybersecurity threat
According to the AHA, 88% of the biggest data breaches in 2024 were from business associates (BAs), third parties, health plans, and non-hospital healthcare providers. Cybercriminals have discovered the effectiveness of the “hub and spoke” strategy: by gaining access to a third party’s technology, they also gain access to all of that entity’s partners, which could include thousands of provider organizations that depend on the third party’s services.
Because providers typically have dozens, if not hundreds, of business relationships, it can be difficult for them to keep track of what each of these vendors is doing to secure its infrastructure.
The AHA recommends that healthcare organizations take the time to fully identify and prioritize risks posed by every vendor and subcontractor, incorporate third-party risk-based controls alongside other cybersecurity requirements, and consistently communicate cybersecurity policies to relevant internal and external parties.
A fast, coordinated response is essential for mitigating damage
Speed is of the essence when responding to a threat, as is being clear about who is responsible for taking action when something goes awry. The AHA asserts that the Change Healthcare event was so disruptive for so long because government agencies didn’t fully understand the scope or scale of Change Healthcare’s services, and had limited authority to provide stopgap aid to providers. Meanwhile, hospitals lacked clarity on how the government could or would assist them, which may have led to suboptimal decision-making.
To prevent similar circumstances next time, organizations – including government entities – need to have clear, well-defined, and well-resourced response plans to ensure business continuity and organizational resilience.
For its part, the AHA is strongly urging government partners to use all their capabilities, including military and intelligence resources, to proactively prevent attacks and offer more immediate assistance should a large-scale event occur in the future.
Organizations should plan for at least 30 days of clinical and business continuity
The Change Healthcare event showed just how difficult it is to maintain operations without a core technology service, especially as the downtime dragged on over several weeks. Organizations should explore a multi-faceted, integrated approach to cybersecurity that includes mapping out the potential downstream impacts of losing a core technology component or critical third-party service.
The AHA suggests that organizations can leverage the HHS Cybersecurity Performance Goals to assist them with this process. The voluntary framework can help organizations strengthen their preparedness and improve resiliency against cyberattacks.
In addition, organizations should develop detailed downtime procedures, train downtime coaches to ensure care can continue without access to key digital services, and explore relationships to improve regional preparedness to respond to cybersecurity events, such as attacks that require organizations to divert patients to other care facilities for their own safety.
Additional recommendations to fortify cybersecurity defenses in a post-Change world
To capitalize on the lessons learned from last year’s major event, organizations should also consider taking the following actions:
- Coordinate cyber incident response, emergency management, incident command, business continuity, and disaster recovery plans to ensure full coverage but prevent duplicated efforts.
- Evaluate network backup status, segmentation, and security by conducting regular vulnerability and penetration testing of backups as well as documenting and communicating estimates of network restoration milestones.
- Establish clear roles and responsibilities for leaders with decision-making authority, and specify the “triggers” for activating both independent decision-making and the pathway for escalating decisions to additional leaders.
- Review business associate agreements and cyber insurance coverage to ensure clear incident reporting requirements, sufficient legal and financial coverage, and technical, legal, and financial responsibilities in the event of an incident.
While it may be impossible to fully prevent cyberattacks from occurring, organizations can take these lessons and recommendations to heart as they shore up their defenses and do their best to prevent and/or address cyberattacks now and in the future.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.