The importance of Cyber Security at PharmSaver

The importance of Cyber Security

Posted by Learn More on May 05, 2024 with update May 06, 2024

What You Can Learn from the

Change Healthcare Cybersecurity Breach

Did you know?

Maintaining HIPAA compliance extends to cyber-security.

On February 21, the largest purveyor of revenue and payment cycle management for patients, providers, and payers suffered a cyber-security breach [1] causing billing and pharmacy services grind to a stop [2]; the supply of medications for clinical trials was interrupted[3]; and the healthcare data of the over 53 million global UnitedHealthcare members was compromised[4]. Change Healthcare worked with cybersecurity industry leaders including Palo Alto Networks to assess the damage[5] and eventually negotiated a Bitcoin payout of about $22 million to ransomware groups AlphV/BlackCat[1].

Even though the ransom has been paid, the reputational damages to Change Healthcare [6] may be an insurmountable blow as U.S. Department of Health and Human Services (HHS) and Centers for Medicare & Medicaid Services (CMS) has issued statements and major hospital systems refuse to re-activate communicating servers due to HIPAA concerns and the lack of cyber-security defensive strategy at Change Healthcare. This begs the question: How did this happen? The US Department of Health and Human Services Office for Civil Rights (OCR) has released a “Dear Colleagues” letter opening an investigation into the attack [7]. While we wait for the official word on a cause, rumors abound. Reporting from multiple outlets suggest that the hackers waltzed through an unlocked window. SC Media and others report that a known Connectwise ScreenConnect vulnerability was exploited due to critical security updates being ignored for over 48 hours [8]. At least $22 million and at most an entire healthcare company could have been saved by timely completion of security updates. That will make you certainly think twice next time before selecting “Ignore Update.”

3 Tips to Keep Yourself Safe:

1. Update your software.

2. Do not click unknown links, attachments, or downloads.

3. Use multi-factor authentication when possible.

Resources

In addition to opening an investigation, the letter released by HHS features multiple helpful resources so that you can evaluate the security risks within your own organization.

OCR HIPAA Security Rule Guidance Material	https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html	This webpage provides educational materials to learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information. Materials include a Recognized Security Practices Video, Security Rule Education Paper Series, HIPAA Security Rule Guidance, OCR Cybersecurity Newsletters, and more.
OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks	https://www.youtube.com/watch?v=VnbBxxyZLc8	This webinar discusses the HIPAA Security Rule requirements for conducting an accurate and thorough assessment of potential risks and vulnerabilities to electronic protect health information and reviews common risk analysis deficiencies OCR has identified in its investigations.
HHS Security Risk Assessment Tool	https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool	This tool is designed to assist small- to medium-sized entities in conducting an internal security risk assessment to aid in meeting the security risk analysis requirements of the HIPAA Security Rule.
Factsheet: Ransomware and HIPAA	https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/ransomware-fact-sheet/index.html	This resource provides information on what is ransomware, what covered entities and business associates should do if their information systems are infected, and HIPAA breach reporting requirements.
Healthcare and Public Health (HPH) Cybersecurity Performance Goals	https://hphcyber.hhs.gov/performance-goals.html	These voluntary, health care specific cybersecurity performance goals can help health care organizations strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety.

Feedback

Did you test out one of our new enhancements or tech tips? Let us know what you think. Have ideas about what you’d like to see? Let us know. We’re here to make your ordering experience as efficient as possible. So, we value your input. We already have some new features in the works because of feedback we received from clients. If you enjoy using PharmSaver and it saves you time and money consider giving us a reference. We love hearing from you! You can email us at info@pharmsaver.net with "testimonial" in the subject or you can reach us at the “Contact Us” link at the bottom of this page and we'll get back to you pronto. Thanks!

About the Author

Dr. Rachelle “Shelly” Idziak is a medical doctor and risk adjustment specialist in Tampa, Florida. She is a graduate of the University of South Carolina Medical School and Clemson University. When not working in the medical field, Shelly is a nationally competitive equestrian with her dressage pony Roman Holiday

References

[1] Arghire, I. (2024, March 14). Government launches probe into Change Healthcare Data Breach. SecurityWeek. https://www.securityweek.com/government-launches-probe-into-change-healthcare-data-breach/

[2] Silva, D., & Bendix, A. (2024, March 6). Patients struggle to get lifesaving medication after cyberattack on a major health care company. NBCNews. https://www.nbcnews.com/health/health-care/cyberattack-change-healthcare-patients-struggle-get-medication-rcna141841

[3] Tozzi, J., Swetlitz, I., & Griffin, R. (2024, March 13). Change healthcare cyber attack leaves cancer clinics reeling. Bloomberg.com. https://www.bloomberg.com/news/articles/2024-03-13/change-healthcare-cyber-attack-leaves-cancer-clinics-reeling

[4] Minemyer, P. (2023, May 8). Unitedhealth extends its hot streak as the most profitable payer in Q1. Fierce Healthcare. https://www.fiercehealthcare.com/payers/unitedhealth-extends-its-hot-streak-most-profitable-payer-q1

[5] UnitedHealth Group. (2024, March 5). Information on the change healthcare cyber response. https://www.unitedhealthgroup.com/ns/changehealthcare.html

[6] Centers for Medicare & Medicaid Services. (2024, March 9). Fact sheets change healthcare/optum payment disruption (CHOPD) accelerated payments to part a providers and advance payments to part B suppliers. CMS.gov. https://www.cms.gov/newsroom/fact-sheets/change-healthcare/optum-payment-disruption-chopd-accelerated-payments-part-providers-and-advance

[7] Fontes Rainer, M. (2024, March 13). Re: Cyberattack on Change Healthcare . HHS.gov. US Department of Health and Human Services. Retrieved March 14, 2024, from https://www.hhs.gov/sites/default/files/cyberattack-change-healthcare.pdf.

[8] Zurier, S. (2024, February 23). Exclusive: Cyberattack on Change Healthcare was an exploit of the connectwise flaw. SC Media. https://www.scmagazine.com/news/exclusive-cyberattack-on-change-healthcare-was-an-exploit-of-the-connectwise-flaw