Change Healthcare, owned by UnitedHealth Group, was targeted by cybercriminals, affecting 140 million Americans and costing $1 billion daily. Recovery efforts underscore the critical need for robust cybersecurity measures in healthcare.
CHANGE HEALTHCARE, A subsidiary of UnitedHealth Group, recently experienced a major attack by a cybercrime organization known as ALPHV or BlackCat, which has been implicated in other high-profile attacks.1 Change Healthcare has multiple software products that include electronic health records, patient scheduling, and claims adjudication. Because of its reach across the health care ecosystem, at least 140 million Americans were affected in some way, costing providers up to $1 billion per day.2 It has taken weeks for the systems to slowly return, and I expect the cleanup will continue for several more weeks or months.
This was a ransomware attack in which the terrorists encrypt data and hold it hostage until a ransom is paid. Only then will they release the key to allow access. Health care data are extremely valuable because they are critical to provide the necessary care for each patient. They are also necessary to ensure health care providers are paid for their services, and unlike a credit card that can be easily canceled, health care data last forever.
Patients often express frustration about the fragmentation of their care with separate groups on different platforms. However, imagine if all of us were on the same platform during a cyberattack. An event like this would have shut down the entire system and could have led to serious harm, even deaths. Separate systems help make the environment less fragile.
Although details are limited, the terrorists were able to gain access through human error, which is the most common mechanism. All of us are targets, and we need to approach every email as a potential threat. Unfortunately, the gestalt of many in leadership is to make things more resilient, which can interfere with efficient care. Nassim Taleb, philosopher and author of the book Antifragile, argues that the better approach is to develop systems that get stronger when damaged.3 I don’t have specific recommendations for features of systems, but they would include having simple rules, redundancy, and avoiding things that don’t work, such as passwords.4
The US government needs to be more aggressive in prosecuting these terrorists and protecting its citizens. Imagine if the police fined you when your car was stolen because they felt you did not do enough to protect it. This victim-blaming approach often occurs in cyberattacks.5-7 Health care corporations have a responsibility to their customers to protect their data and to their shareholders to prevent business disruption. The government has a responsibility to protect citizens and corporations from state-sponsored cyberterrorist attacks. Attacks will continue to occur, and we all need to be better prepared and equipped to handle them.
Leslie Busby, MD, is chair of the US Oncology Pharmacy & Therapeutics Committee, and a medical oncologist and hematologist at Rocky Mountain Cancer Centers, Boulder, Colorado.
Leon-Ferre Explores Targeting of PIK3CA Alterations in ER+ Breast Cancer
July 24th 2024During a live Community Case Forum event in partnership with the Minnesota Society of Clinical Oncology, Roberto A. Leon-Ferre, MD, discussed drugs targeting PIK3CA alterations in patients with ER+ metastatic breast cancer.
Read More
Roundtable Roundup: Treatment for Metastatic pMMR Endometrial Cancer
July 23rd 2024In separate, live virtual events, Michael J. Birrer, MD, PhD, and Jubilee Brown, MD, surveyed participants on the treatment of a postmenopausal woman with stage IVA endometrial cancer after first-line chemotherapy.
Read More
George Explores Impact of Risk Status With Cabozantinib/Nivolumab in Advanced RCC
July 19th 2024During a Case-Based Roundtable® event, Daniel George, MD, discussed the results of the CheckMate 9ER trial across favorable, intermediate, and poor risk groups in patients with advanced renal cell carcinoma.
Read More
Depth of Response With Quadruplet Regimens Considered in Newly Diagnosed Multiple Myeloma
July 18th 2024During a Case-Based Roundtable® event, Timothy Schmidt, MD, and participants discussed treatment selection for a 54-year-old patient with transplant eligible R-ISS stage 2/R2-ISS stage 3 IgG-κ myeloma.
Read More
Rossetti Reviews Myelofibrosis Risk Stratification and Outcome Data for Pacritinib
July 17th 2024During a Case-Based Roundtable® event, James M. Rossetti, DO, discussed the role of risk scoring and stratification tools and treatment for a patient with declining hemoglobin and platelet counts due to primary myelofibrosis.
Read More