UnitedHealth – Protecting healthcare organizations from cyber attacks An example to learn from

I have written blogs on the healthcare industry and the risk of cyber attacks.  The most recent and publicized attack brings this to the forefront, again.

UnitedHealth Group trounced first-quarter expectations even as costs from a cyberattack to its Change Healthcare business ate into the company’s performance.

UnitedHealth said earlier this year that a ransomware group had gained access to some of the systems of its Change Healthcare business, which provides technology used to submit and process insurance claims. The attack disrupted payment and claims processing around the country, stressing doctor’s offices and health care systems.  Federal civil rights investigators are looking into whether protected health information was exposed in the attack.

UnitedHealth is still restoring several services from the February attack. It took an $872 million hit from it in the first quarter, but CEO Andrew Witty told analysts on Tuesday that the company expected to bring Change Healthcare back “much stronger than it was before.”

That includes increased medical expenses the company incurred from suspending its pre-approval or prior authorization requirements for some care.

UnitedHealth expects the full impact of the cyberattack will amount to a hit of between $1.15 to $1.35 per share to earnings this year.

To prevent cyber attacks similar to those that may target UnitedHealthcare or other healthcare organizations, several measures can be taken:

1. Implement Robust Security Controls: Deploy advanced security technologies, such as firewalls, intrusion detection systems (IDS), and endpoint protection solutions, to detect and prevent cyber threats. Implement encryption and access controls to protect sensitive data.

2. Conduct Regular Security Assessments: Perform regular security assessments, including vulnerability scans, penetration testing, and risk assessments, to identify and address security weaknesses in systems and networks proactively.

3. Train Employees on Cybersecurity Awareness: Educate employees about cybersecurity best practices, such as identifying phishing emails, using strong passwords, and reporting suspicious activities. Conduct regular training sessions and awareness campaigns to reinforce security awareness among staff.

4. Implement Multi-Factor Authentication (MFA): Require the use of multi-factor authentication (MFA) for accessing sensitive systems and data. MFA adds an extra layer of security by requiring users to provide multiple forms of authentication, such as passwords and biometric verification.

5. Establish Incident Response Plan: Develop and regularly update an incident response plan that outlines procedures for detecting, responding to, and recovering from cybersecurity incidents. Test the incident response plan through tabletop exercises and simulations to ensure readiness to respond effectively to cyber attacks.

6. Collaborate and Share Threat Intelligence: Share threat intelligence with other healthcare organizations, government agencies, and industry partners to stay informed about emerging threats and trends. Participate in information sharing and analysis centers (ISACs) and cybersecurity forums to collaborate on cybersecurity initiatives and share best practices.

7. Stay Compliant with Regulations: Ensure compliance with healthcare regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union. Implement security controls and privacy measures required by regulatory frameworks to protect patient data and avoid potential penalties for non-compliance.