The pandemic crisis has accelerated a major trend, that of the digitalization of Change Healthcare establishments. These establishments are now required to make appointments, analysis results accessible to patients and even set up online teleconsultations in order to manage possible new exceptional conditions. study The OpinionWay from July 2020 was able to show that 70% of French people had already made an appointment online and 66% of them had consulted or received medical results digitally. 53% of teleconsultation patients having used this procedure for the first time during the pandemic, 91% declared themselves satisfied with these new methods.
Unlike distribution or finance, the digitalization of Change Healthcare is still very recent. As a result, health information systems are still too little capable of “resisting cyberattacks likely to compromise the availability, integrity or confidentiality of data stored, processed or transmitted”, in the words of the Agency. National Information Systems Security (ANSSI).
The Change Healthcare sector is the 3rd area most affected by cyber attacks in the world in the first quarter of 2023
478 incidents were reported in France in the health sector in 2019 – 88% of them affecting health establishments and 76% public hospitals. In 2022, the trend increased further since, according to the government Center for Monitoring, Alerting and Response to Computer Attacks (CERT), 588 cyberattacks targeted health establishments. As we will see further, these cyber attacks have devastating consequences for Change Healthcare establishments both financially and in terms of their reputation. It therefore seems imperative to think about how to stem the computer attacks to which hospital stakeholders are subject.
Some lessons learned from the cyberattack on Change Healthcare the Dax Hospital Center (February 2021)
One of the most notable cyberattacks in recent years is that of the Dax Hospital Center (CH), announced on February 10, 2021 when the establishment saw its information system (IS) completely taken out of service. Although the attack had deleterious repercussions on the hospital’s activities for several weeks, it took several months to definitively resolve the problem. The malware responsible for the attack is ransomware called Ruyk, which encrypts network data and then demands a ransom in exchange for a decryption key. Like all French establishments targeted by this type of attack, the Dax CH refused to pay the ransom. But, unlike the Corbeil-Essonnes hospital for example, CH Dax did not have to suffer from the disclosure of hacked data on the darknet .
On the day of the attack, all internal and external connections to the CH were completely cut – switchboard and computer telephone system included. Computer access was blocked in the same way, making any mode of communication normally available impossible (telephone, email, establishment website, etc.). No possibility of connecting to the servers either, due to a risk of account compromise. A prior backup on tapes fortunately made it possible to recover the computerized data of numerous patients, although these data could only be consulted in read-only mode on a dedicated workstation, with no possibility of updating.
To enable the hospital to continue operating despite the attack, a “degraded mode” organization was put in place – using pen and paper for tasks usually managed on computer media. At the same time, secure workstations, without associated connection, were installed in the establishment to allow employees to access saved information, retrieved for the occasion by technical partners external to the CH.
After more than a year, the total costs of this attack were estimated at 2.3 million euros by the Dax CH, fully covered by the ARS of Nouvelle-Aquitaine. The costs incurred take into account the material investments necessary for the reconstruction of the network (€174,000), cyber security and system reinstallation services (€546,000), the subcontracting of medical biology services (€9,000), internal training and information costs, reinforcement teams and overtime incurred (€1.48 million), loss of commercial revenue for the establishment (€143,000).
The network was completely redesigned, making a clean sweep of what existed before the attack, trying to improve the technical methods of network administration, review the update processes and reduce possible security vulnerabilities.
The IT Systems Department (DSI) of the CH has increased the number of its technical staff. The service multiplies intrusion and vulnerability tests of vigilance systems. An awareness campaign about malicious emails was delivered to all hospital staff although the attack, in this case, was not caused by phishing ( phishing in French).
Dissecting the Impact of a Cyber Attack on Change Healthcare Facilities
The Dax hospital case shows the extent to which a hospital targeted by an attack will have to face significant financial costs. As in Dax or Versailles, the loss of activity imposed by an immobilization of IT resources can last for weeks or even months. Added to this are the costs imposed by rebuilding a more secure IT system. This reconstruction work generally lasts almost a year and can cost, according to specialists, between 3 and 5 million euros. Part of these costs can be covered by bodies such as the ARS in France but this is far from being the case everywhere in the world.
The risk to patients should not be overlooked. A loss of control of the medical devices used, an alteration of the diagnosis made, of the treatment prescribed, of the proper administration of this treatment can have dramatic (even fatal) consequences for hospitalized people. Therefore, loss of trust in doctors and the reputation of the hospital represents another likely consequence of these attacks. Fear linked to the “reputational impact” of an attack may lead the institution not to systematically report incidents, on the part of private establishments in particular. This withholding of information thus limits the implementation of appropriate responses and leaves certain identified gaps gaping.
The impact that such an event can have on team morale is also deleterious. After weeks (or months) of having to operate in degraded mode, staff who are already very busy under normal circumstances, prefer to resign. In a context where Change Healthcare establishments are already struggling to recruit Change Healthcare staff, a cyberattack can produce dramatic effects in the longer term. Beyond the hospital, it is the very image of France’s social system that is tainted.
The need for an organizational and technical response organized in four stages
Ultimately, technical and operational measures must be put in place to protect against computer attacks. It is important to adopt preventive actions upstream in the face of risks. To do this, it is necessary to think about risk management strategies and report incidents internally on a regular basis (only 66% of establishments currently comply with this). It is also important to carry out a prior analysis of the risks and their impacts to identify which applications and key data are necessary for the operation of the Change Healthcare establishment at a minimum in order to develop an activity recovery plan as quickly as possible. as possible.
To do this, some experts recommend a four-step approach:
- Map your hospital information system (HIS). This mapping makes it possible to visualize and identify all the components of the system, their interactions and their interdependencies, the critical points to be protected. Mapping also makes it possible to define security priorities, by identifying the most important assets of the establishment, the highest risks and the most appropriate protection measures.
- Analyze risks by determining the critical activities of the organization, the systems necessary for these activities, by identifying the main risks and possible threats and seeking to establish the probability of occurrence of these threats by quantifying their potential impacts on the establishment concerned.
- Protect the organization’s critical data and information systems.
- Declare any system failure to the CERT Santé, the competent authority in this matter which, depending on the seriousness of the intrusion, will involve ANSSI to accelerate the restoration of the functioning of the institution victim of the attack in question.
The minimum business recovery plan is another key element of the cyber risk management strategy in Change Healthcare establishments. In the event of a major computer attack, this plan helps guarantee continuity of care by defining the processes to follow to restore critical systems and services as quickly as possible. This plan must identify the activities and elements most critical to the proper functioning of the institution. It must also define emergency procedures concerning the identification, isolation and resolution of incidents as well as the backup and restoration strategy for captured data. The minimum activity recovery plan must be regularly tested to ensure its effectiveness in the event of a crisis.
It is recommended to implement a regular backup strategy strategy and a white listing to identify authorized applications, programs, devices and block all others. And try to block emails with potentially dangerous attachments (. exe, .doc, .zip, .rar files in particular).
However, these risk mitigation protocols and strategies can only be effective if they are understood and correctly applied by the teams concerned. A preventive, educational approach is therefore essential for the sole technical vision of resolving attacks.
Also Read:- Latest News & Updates on Mitchell Trubisky