How the Change Attack Changes Things (or Should)

After the February attack on Change Healthcare (Change), the U.S. Department of Health and Human Services (HHS) released a statement that said, “This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” I wholeheartedly agree.

The Change attack caused widespread, dire disruption to our healthcare system that the industry will be digging out of for years. Unfortunately, attacks like this are only going to continue and likely multiply.

According to the 2024 IBM X-Force Threat Intelligence Index, healthcare is the third-most targeted industry in North America, having moved up from fourth place in 2023. If nothing else, the unfortunate attack on Change is a sobering reminder that health systems, health plans, and the systems that serve them are a vector to make a lot of money. Each of us who work with healthcare data should view the Change attack as a wake up call (I might even take it a step further and say a kick in the pants) to do all that we can to strengthen cybersecurity. We also must remain hyper aware of just how vulnerable the healthcare system is to cyber attacks. 

Moxe’s response

I first heard about the Change attack through the press. My first thought was, “If Change’s system isn’t safe, is our system safe?”  My second thought was, “What can Moxe do now to protect the security of our data?”  We immediately shut down the connection.  By shutting down our connections with Change, we made sure that any attack surface exposed by our connections was cut off. When it comes to data security, we take a proactive, thorough, and safe approach: The impact of needing to restart, rebuild, reconfigure, re-everything these connections is exponentially less than the impact to of a data breach.

Each of us who work with healthcare data should view the Change attack as a wake up call (I might even take it a step further and say a kick in the pants) to do all that we can to strengthen cybersecurity.

Thankfully, Moxe was not impacted by this attack. Over the past several weeks, we established direct connectivity to Optum—Change’s parent company—systems, which were not impacted by the attack. We do not expect to reestablish a connection directly to Change in the near future. 

A call to arms 

How can we respond to HHS’s call to action to strengthen cybersecurity across the ecosystem with a heightened sense of urgency? As someone who has been deeply invested in data security and privacy for over two decades, I have a few thoughts. 

1. Choose to work only with vendors that are continuously audited. If a vendor is in a SOC 2 or HITRUST audit, that’s good.  Consider their audit period though, and scope, and consider working with vendors who have ongoing audits so that we can minimize the vulnerabilities that could be exploited during a non-audit period. Vendors dealing with healthcare data should be expected to maintain the highest levels of data security possible.

2. Expand the scope of applications/tools that are part of the data security audit process. The app that was exploited in the Change attack was a remote access application that lacked multi-factor authentication. Organizations need to scrutinize the data security of every application/tool that plays a part or has access to the infrastructure, storage, processing, or transmission of sensitive information. When prospective vendors are looking at Moxe, we typically don’t get a lot of questions that go deep into the tools we use outside of the key components like our cloud host and systems storing any PHI/PII. I encourage every organization to run their data security risk assessments with a high level of scrutiny and really dig in when looking at prospective vendors. Make sure you understand how vendors maintain and control their systems and environments and that you’ve assessed every application/tool they use to do just that. 

3. Regulation should provide specific, more stringent cybersecurity rules. Considering how vulnerable the healthcare industry is to cyberattacks, there needs to be more guidance and requirements around cybersecurity. Whether they’re part of TEFCA or participate somewhere else, cybersecurity rules need to be clear. The concept paper on cybersecurity put out by HHS last year needs to go further.

4. Consider outsourcing cybersecurity functions that require expertise. Investments in security are essentially insurance against adverse events like a ransomware attack. This is not "sexy" work, and is often tough to fund and grow. At the same time cybersecurity threats become more sophisticated and are constantly finding new ways of exploiting people and systems. The good news is that there are vendors who offer great services to take this off your plate and use their expertise to protect you. Everyone should look in the mirror and consider what they know, where their expertise lies, and where they are not as strong, and really consider outsourcing items outside their areas of expertise.

5. Ensure HIM professionals have a seat at the table. HIM does stand for “health information management” and although they may not be driving data security discussions, as stewards and protectors of patient data, they should have a seat at the table during such discussions. Because patient privacy is top of mind for them during their daily work, they may be able to spot vulnerabilities that others cannot. Their voices should not only be included, but amplified when it comes to discussing and assessing data security risks.

What’s changing at Moxe in light of the attack

At Moxe, we are deeply committed to protecting privacy and ensuring the highest levels of data security. We treat patient data as we would want our own patient data to be treated. 

Over the past few years, we have implemented a number of tools to ensure protection of our environment from a ransomware attack similar to what Change experienced. This includes Endpoint Detection and Response (EDR) System through Crowdstrike, continuous penetration testing through Sprocket, and security event and incident management (SEIM) through Blumira. These tools ensure that what is happening on and through traffic in and out of our systems are all safe.

Additionally, we leverage Snyk to scan our code and third party applications used in our environment to make sure that patches are applied quickly and that the code we deliver to our production environment is as safe and secure as possible.

In addition to the many tools we have in place, I’m thrilled we were able to recruit Drew Hjelm—a true cybersecurity expert—to join our team last year as Director of Information Security and Chief Information Security Officer. Drew is tasked with ensuring Moxe is doing everything in our power to keep data safe and secure.

We’re here

I can’t close without saying that my heart—and all of our hearts here at Moxe—go out to the many patients, individuals, and organizations that have been impacted by the Change attack. As always, we are grateful for and inspired by the resiliency and persistence of our healthcare partners. 

If there’s anything we can do to serve you, please don’t hesitate to reach out.

Mike Arce is Moxe’s Chief Administrative and Privacy Officer.