In Wake Of Change Healthcare Attack, MSPs Say Health System Is Far Too Vulnerable

‘We don’t need to be alarmist, but we have to just be real that this is happening,’ the CEO of one health-care-focused MSP tells CRN.

With the disruption from the ransomware attack against a UnitedHealth Group prescription processor now in its third week, MSPs say the incident underscores the massive vulnerability of the U.S. health-care system—an issue with no easy fix.

For any health-care organizations that were still unfazed by the seriousness of the threat until now, the recent attack shows that cybercriminals are increasingly looking to target the health-care system even to the point of impacting patients, according to MSP CEOs.

“We don’t need to be alarmist, but we have to just be real that this is happening,” said Malinda Gagnon, CEO of Portland, Maine-based Uprise Partners. “Unfortunately, I think this is going to continue to be an issue and a growing issue.”

The interest from cybercriminal groups in targeting U.S. health care is likely to only accelerate amid reports that UnitedHealth paid a $22 million ransom to the Russian-speaking cybercriminals behind the attack, which affected Change Healthcare, a unit of its Optum subsidiary.

UnitedHealth, which has declined to comment on the ransom payment reports, said in a statement Thursday evening that it expects to have its IT systems restored starting in mid-March. If the timeline is followed, the disruptions from the attack will have lasted a month in total.

The attack has prevented some U.S.-based pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments. Reports have suggested some patients have had to pay for prescriptions out of pocket due to the disruptions to insurance processing.

In interviews this week, the CEOs of four MSPs told CRN that the attack is a stark depiction of the problems they’ve been working for years to help mitigate within their health-care industry clients.

Lack Of Resources, Cyber Hygiene

Within the hospital sphere, the problem is especially acute at smaller regional and rural hospitals, which lack the funding and skills to protect their IT environments adequately, said Mike Shook, CEO of Cary, N.C.-based 5S Technologies.

“They don’t have budget for the security tools, and they don’t have people that can run them anyway,” Shook said. “And so that’s been a huge focus for us in terms of trying to help. Because maybe we can do it cheaper than [if they tried to hire] a CISO.”

As for outpatient medical offices, the lack of cyber hygiene continues to be a major vulnerability, said Nalit Patel, CEO of Livingston, N.J.-based All Solutions. These offices are “fertile ground” for hackers as a result of subpar policies and practices on everything from email to record-keeping to access of information, he said.

For example, in many offices, “you will see that the passwords are still written out and anybody can go in and flip the keyboard or turn the monitor, and you can see it,” Patel said.

A Valuable Target

Meanwhile, on the attacker side, health-care records are valuable targets for cybercriminals due to the vast amount of personally identifiable information they contain, said Raymond Ribble, founder and CEO of Gardena, Calif.-based SPHER.

“It’s the motherload,” Ribble said, noting that breaching even a small health-care office could yield tens of thousands of patient records.

From the data acquired in a single breach, an attacker “can work all year long and make a lot of money,” he said. “And the worst part of it is, most of the organizations don’t even know they’ve been breached.”

At ThreatLocker, an endpoint security vendor with numerous health-care customers, CEO Danny Jenkins said the vulnerability of the health system ultimately goes back to the decision-makers at the top.

And at many hospitals, for instance, the influential voices on matters of IT security include surgeons and other doctors who are not always tech-savvy, Jenkins said.

“They don’t realize that the rest of the company, the rest of the business, runs on technology,” he said. “That makes it hard for health care to often get budget [for security] or the right IT teams.”

The Good News

On the brighter side, Uprise Partners’ Gagnon said she does believe awareness has increased in the health-care sector about the severity of the threat it’s facing.

“The good news is our customers are becoming more aware and educated that that is the case,” she said.

Educating health-care clients on the threat of a cyber incident “was something that we worked really hard at three, four years ago,” Gagnon noted.

“What we're focusing on [now] is to elevate cybersecurity in all of our customers’ organizations,” she said. “So, the C-suite has to understand and be more involved with how they are handling cybersecurity. Not only what are they doing to protect themselves, but also what is that resiliency plan, that business continuity plan. And their IT environment is so critical to that.”

Ultimately, MSPs like Uprise are working closely with health-care organization leaders “to make sure that [security] has that seat at the strategy table,” Gagnon said. “Because it needs to.”