Cybersecurity and Change Healthcare

Dan Dodson [00:00:00]:
Maybe we don’t need to give everybody an email address. Now that’s a cultural thing. That’s a complicated, multi kind of faceted thing to think about. But if we’re serious about reducing the attack surface and that’s the number one attack vector, we ought to be thoughtful about that. Right? And so we’re starting to see a lot of people think about that.

Narrator [00:00:19]:
From Healthcare IT Leaders. You’re listening to Leader to Leader with Ben Hilmes. Our guest today is Dan Dodson, CEO at Fortified Health Security. Dan offers his viewpoints on the recent Change Healthcare cyber attack and what the healthcare industry can do to defend against similar incidents in the future.

Ben Hilmes [00:00:38]:
You probably are one of the busiest guys, I assume, in the industry these days. So I can’t tell you how appreciative I am. You kind of stopping by and taking time to spend some time with us on broad cybersecurity as well. But we do have a compelling event that’s occurred here in the recent weeks around Change Healthcare that really bring home some of these really important topics that, that we’ll kind of walk through. So with, without further ado, let’s just get started with the change breach. We’re going to dive into some deeper discussion as we get along in the conversation. But for our listeners, can you explain at a high level what happened? Who did this? How did they do it? Just the basic breakdown would be really beneficial.

Dan Dodson [00:01:20]:
Absolutely. There’s no doubt that this event has caused disruption for lots of organizations. And I think it’s important to first realize that change, big organization, complex infrastructure, they serve about one third of patients, so they’ve got a lot of their products and a lot of healthcare organizations to start with. And so in February, they had a cyber event, which they took, from my perspective, been pretty quick action to shut down connectivity to all of the places that they support. Right. So they had a cyber event. It’s largely credited towards a Russian backed ransomware as a service. Bad actor, black cat and ALPHV is what it’s called.

Dan Dodson [00:02:04]:
And a ransomware as a service is basically like a syndication of a lot of different organizations. There’s some thought out there that it could have been in cahoots with organizations in China. They basically have compartmentalized the chain of the attack to various affiliations so that they can execute the attack and kind of be less likely to get found out. Large ransomware group got in there in mid February, took quick action and began to shut down their services, which kind of led to the impact that we see today, which is web cycle events and some of the other things that we’re seeing based on the platforms that they provide the healthcare market.

Ben Hilmes [00:02:41]:
Wow. So by many accounts, this is being labeled as maybe the biggest breach on our industry in the history of our industry. So when I was thinking about it, I was like, so by what measure? Right. There’s human impact, there’s clearly financial impact, there’s disruption, et cetera. How are you guys for aggregating the impact? And why is this the biggest one in the history of the industry?

Dan Dodson [00:03:03]:
Yeah, great question. I think historically, Ben, we’ve looked at it based on patient records stolen. Right. That are reported to the Office for Civil Rights. And there’s been large cases with hundreds of thousands, there’s been small cases. This will certainly be a lot, but a lot of that measurement is really predicated on how many records did they extract. That’s been the barometer that we’ve used. I think what’s unique about this particular event is that it’s impacted so many facets of healthcare.

Dan Dodson [00:03:32]:
You have small physician practices that use a rev cycle firm or an EHR or practice management where changes behind it. You don’t even know that that’s impacted. You have large health systems that may be using their exchange, and then on the payer side, they may have some exclusivity or a large volume coming to them through the clearinghouse. So part of the impact of this is that it’s touched almost every facet of the healthcare delivery system. And so that’s why it’s so large spread from that nature. So I think, yes, it will go down as one of the most impactful, but I think ultimately, over time, once we recover and heal from this situation, I think there’ll be some lasting impacts that are going to be positive for us as an industry.

Ben Hilmes [00:04:13]:
You’re describing that, I’m picturing this big octopus because there’s so many tentacles that come out of change and the organizations and types of organizations that impacts. And it’s still early the assessment, but we can’t lose sight on the fact that this was a major crime that was committed against change. And their actions immediately or in the midst of this whole thing likely lessened the impact that this thing could have had. I’d love, you know, as an expert, your perspective on, as you talk about best practices and here’s how you would react in a situation or in an event. Talk to me about what you’ve learned about what change did. That really, in many ways lessen the impact.

Dan Dodson [00:04:55]:
Yeah, that’s an excellent point, Ben, because their quick action did lessen the impact. So let’s think about a couple of different scenarios in what actually happened was change. Healthcare had a cyber event. They didn’t hide it. They took quick action so that that cyber event did not flow through. Through that octopus to all the tentacles. So they cut, if you will, access to their systems. Had they not done that, we could be dealing with a cyber event at every end of those tentacles, which we are not.

Dan Dodson [00:05:28]:
What we are dealing with is the ramifications of that quick action, which is not necessarily a cyber event at the end, hospitals, clients, other payers, etcetera. We’re dealing with business impact. So it’s not that we’re not dealing with anything, but we’re not necessarily dealing with a direct cyber event on the fringe, so to speak, which, listen, I give them a lot of credit for that, Ben. I think that had they not taken swift action, we could be dealing with their cyber event, business impact on the action that they did take, as well as additional micro cyber events across their entire ecosystem. And the best we can tell, and the best knowledge that I have is, was there quick action that prevented that. And so now we are recovering and we will reflect on what do we need to be doing differently as we think about the business impact. The third party risk is a term we use a lot from that perspective.

Ben Hilmes [00:06:19]:
That’s actually really helpful. But it also scares me in the sense if I’m a leader at a hospital and I’ve been in some of these kinds of roles and in previous parts of my career, and I’m sitting there going, hey, this is a third party that we partner with that got affected or impacted. Thank goodness that they acted quickly. But the scary part is, what if they hadn’t, right? And then all of a sudden, I’m starting to see the compounding potential impact so quickly. My mind goes to, what am I doing inside of my own organization to try to minimize, as best I can, the potential for colossal failure, if you would, or protecting myself the best I can. So how should these hospital leaders be looking at this, thinking about this, thinking about their own security strategies, independent of those that they partner with?

Dan Dodson [00:07:07]:
Yeah, great question. I think that there’s no longer this notion that you can consider only the cybersecurity program within your proverbial four walls, if you will, or what you can’t control. You have to consider third parties, fourth parties. So we’re hearing a lot of, oh, I use a revenue cycle company. I didn’t know that change was on the back end, but so there’s this kind of layered effect, then. So I think what will be evaluated is the operating model of how we’re delivering care as it relates to administrative functions. So there had been lots of conversations around the technical stack or patient portal or clinical ability to deliver clinical care. This was really a rev cycle impact at the highest level.

Dan Dodson [00:07:49]:
And so how do we consider that model? And one thing that I like to tell people as I’m thinking through this is an example of how the model could evolve in a different industry. So when Silicon Valley bank went under in 23, what was unique about that situation, not about why they went under, but about the impact, was the banking model was largely designed where companies held their cash account and their debt account at a single institution, which meant everybody had one banking relationship because contractually they had to. So what happened, what’s that event transpired was I can’t pay payroll. All these kind of things that we’re dealing with, different with the change, but similar in that now everybody’s changed the model. Everybody has two banking relationships. Everybody has the ability to function like that. So I think as you translate that to change, we’re going to be more thoughtful about do I need one clearing house or do I need two clearing houses? Now there’s downside risk to that cause. Now you have to manage two relationships.

Dan Dodson [00:08:48]:
There’s costs associated with that that enters another attack vector. It doesn’t come without its own risk. And I think each organization needs to come up with a governance model, evaluate their risk tolerance, and then figure out what the path forward for their organization is.

Ben Hilmes [00:09:02]:
Yeah, I was just at a client this week, and they were thankful that they had multiple channels, if you would. And so while they were impacted, it was just one channel. And maybe that’s not the right term, but that’s the way they interpreted it. But they were then going, well, the fact we have multiple channels, that creates multiple points of risk. And so they are just in a conundrum here of which is the best strategy. So it kind of leads me down the path of something this big. Obviously is going to invoke dialogue around standards. And so broadly, should we be entering into dialogue around mandatory cybersecurity standards for healthcare? I know you talk a lot about this, both with your company, with clients, but in DC, other areas, I just would love for you to give our listeners a perspective of whats going on at the policy level and just understand where regulators are and how theyre thinking about this, whether its stepping in or do we continue to let private industry continue to drive the actions here?

Dan Dodson [00:10:03]:
Yeah, I think that prior to the events in February, there was already a lot of momentum in DC around creating two things. One, kind of a minimal set of standards for critical infrastructure of which healthcare falls into, as well as what funding mechanism is going to be able to be provided either care or stick to help increase the cybersecurity posture of critical infrastructure in healthcare. So there was a lot of momentum before that. And there’s this working concept of cybersecurity performance goals, or cpgs, that have come out from a partnership between DC and the private sector to come up with some minimal kind of best practices. I’ll call them then. And so the theory is that these will be iterated on over time, policy will be applied, and out of the end of that we could see some minimal standards with some funding mechanism for both a carrot and a stick. I personally believe, and I think talking to the practitioners in cybersecurity, the critical element of that is we need more funding. Right.

Dan Dodson [00:11:07]:
We need better visibility across the C suite, beyond the CIO. Understanding the impacts, the silver lining and events like that we were just talking about, helps that be a catalyst for it as we understand the impacts, as much as we don’t like that to happen. And so how do we gain visibility more broadly across the C suite, but also have funding? Because the CIO’s and C suites I talked to Ben, they know we need to be doing more. They know they need to increase their cybersecurity posture. They’re trying to figure out how do I ask for more capital when I’ve got grocery store budgets and I’m trying to open a wing or buy a CT machine or launch a patient engagement? I mean, every dollar we spend in cyber, we’re not spending by the bedside. Right? And so how do we get more inertia around this? And I think, you know, the events of change, healthcare will be a catalyst to help push that forward. But I do strongly believe that we’re moving in that direction.

Ben Hilmes [00:11:54]:
So just to give our listeners a perspective on the scale of a health system and the number of threats that they have. So I was at a large health system on the west coast, and we had 1700 different applications, so points of vulnerability. And so I just dont know if people truly understand how big, how complex the cyber infrastructure is at a health system. So you guys do a lot of this work. Talk to me about the work you guys do at fortified health. Kind of where do you start? Because many ways people get stuck because they don’t even know where to begin. And I would love to hear your perspective on that.

Dan Dodson [00:12:33]:
No, absolutely. I think that the starting point to build any comprehensive cybersecurity program is to do a risk analysis. Right. And I think that a lot of organizations are doing this. In fact, if you were to ask me what are some positives that have happened over the last number of years, I would say most organizations have created some type of framework based analysis. The output of that then is what’s called a corrective action plan, or CAp, as we call it, which basically outlines here are some things that you need to go shore up or create or invest in. And so organizations like Fortified, we help organizations go through that, and then we work through that cap with them so that they can begin to understand the likelihood and impact of deploying capital against that corrective action plan. So that’s one thing that we do.

Dan Dodson [00:13:21]:
And then we have a threat defense business, that it’s an MSSP. We monitor and manage cyber technologies for clients to help them protect their environment through a various number of technology enabled services. That’s what we try to do. And we recognize that every organization is at a different point in their cybersecurity journey. That’s one of the things that makes the regulation we just talked about really difficult, because hospital a may not need the same thing that hospital B is at because they’re more mature in one area, less mature in another area. You just don’t really know. Not everybody’s universally the same spot. And so we try to help organizations figure that out and plug in where we can and help reduce risk over time.

Ben Hilmes [00:13:58]:
You know, part of it is you’ve got to spend a lot of time helping people manage the now, but you’re also spending a lot of time thinking about emerging tech, massive pushes to the cloud, lots of conversation. I mean, if you’re obviously at Vive and hims and it’s AI everywhere, and so I’m sure in your mind you’re going, okay, I’ve got to be way out ahead of all of these emerging tech conversations because I got to think about it from a security posture. So is the advancement in tech moving to the cloud AI? Is that simplifying your life, or is it making it harder?

Dan Dodson [00:14:32]:
I think anytime you add new technologies or new ways to manage infrastructure, any type of change introduces risk. And so there’s a complexity that is inherent in that. I think there’s a lot of very positive elements of cloud infrastructure, both from a cost perspective, but also from a cybersecurity perspective. Redundancy, doctor, multiple data centers, et cetera. So tons of value there. I think when it comes to kind of responding to events. But also on the AI front, which everybody’s talking about, you know, we look at it through kind of two lenses, Ben. One is what are the good guys doing? What are our clients doing? How are they thinking about it? How advanced or bleeding edge do they want to be? And we encourage folks to think through the governance model of these.

Dan Dodson [00:15:12]:
And cyber is one element of the governance model of how are you making sure that it’s protected and making sure that there’s high integrity and we understand there’s no bias and all of those things. And a lot of times it’s executed in a cloud environment, so there’s some infrastructure changes. And so we talked to them about that. But the other lens we look at is what are the bad actors doing? How are they weaponizing AI? And they tend to be more advanced than the industries. Healthcare is not unique in that. And so what we’re seeing that manifest itself is the number one attack vector into organizations today continues to be through email, through humans, either doing a phishing, which is like a voice phishing, or doing an email or replicating through teams or slack or something like that. That continues to be the number one attack vector. And so our adversaries are using AI to better emulate what they’re trying to use as the action point.

Dan Dodson [00:16:05]:
I mean, you know, many years ago we would get these emails about a prince or princess that wants to give you a million dollars and man, it’s so much more sophisticated than that. Now they are replicating exactly the types of things that we’re seeing. They did that during COVID they do that during open enrollment periods, they do that during payroll cycles, they do that when you change your LinkedIn. I mean, they’re just very sophisticated in replicating that. And so how do we make sure that we have our defense tools keeping up with that as well?

Ben Hilmes [00:16:30]:
That’s really interesting. You mentioned the human element because I just picture a lot of companies that are cybersecurity focused, being primarily focused on the tech, tech, all of those things. But your best defense is the overall awareness and education of those that are potentially being attacked. We do a lot of tests, emails and those kinds of things, and I’m a sucker. I fall for them every time because you’re moving so fast. What are you guys doing around human education and awareness? And you partner with clients to do things like that that feel way beyond just the tech stack?

Dan Dodson [00:17:06]:
Yeah, absolutely. You know, we have services around managed phishing and awareness programs that we’ll run. We’ll do seminars, we’ll execute the phishing emails as you talked about. We’ll do phishing, we’ll do simulations like that. But the other thing that I talk to clients a lot about, Ben, is there is an opportunity to think a little bit differently about the surface area of ATT and CK that we have. So for example, when you join an organization, this is not unique to healthcare individuals. Humans, they think about their identity tied to their email address. In a healthcare environment, how many clinicians really need external email to do their job now? They needed to get their benefits, they needed to get their HR portal.

Dan Dodson [00:17:45]:
There’s business needs that they need, but they’re not big heavy email users. So when they go into their email once a year, twice a year is what we hear from clients. They’re more likely to click on stuff because they’re not familiar with what it should look like. They don’t do that a lot. And so how do we as an industry think about, wow, maybe we don’t need to give everybody an email address. Now that’s a cultural thing. That’s a complicated, multi kind of faceted thing to think about. But if we’re serious about reducing the attack surface and that’s the number one attack vector, we ought to be thoughtful about that, right? And so we’re starting to see a lot of people think about that.

Ben Hilmes [00:18:19]:
That’s incredibly insightful. I mean, we talk all the time internally here about where do we drive our workflow. We got outlook, we’ve got teams, we’ve got Salesforce, et cetera, and getting more focused and driving that workflow inside of a single system. And it’s not email. It’s really an interesting dialogue that we have quite often. Just a final thought here. I mean, so we had the change healthcare incident. It’s going to have a long tail.

Ben Hilmes [00:18:46]:
I don’t think we fully understand how long that tail is going to be and the full scale of the impact, but would love your perspective on that one and then two. Is this an event that we’re going to look back on and say that this was the tipping point or the catalyst, if you would, for what drove major move in cybersecurity posture in this industry?

Dan Dodson [00:19:07]:
I think that, no doubt that it was a major event. Ben, I agree that we are months away from understanding the total impact of it. I do think we will reflect on it as a catalyst for change. As I mentioned earlier, I think we’re going to look at our business relationships and models with the vendors that we have. I think we’re going to look at business impact analysis beyond just the clinical implications. Also, rev cycle administrative things will certainly be much more high alert there. So I think we’ll see some business model changes. And then lastly, I think it will be a catalyst for what happens in the legislative front, no question about that.

Dan Dodson [00:19:40]:
And I think we will come out of this stronger than we were before and hopefully be more resilient, which is what we all strive to do.

Ben Hilmes [00:19:46]:
That’s great. What I’d like to view is we’ll get you on the schedule, but twelve months from now it’d be interesting to come back and do the post mortem, what has occurred, what actions are being put into place, what things have been done, because I think it’d be interesting to see what happens over the next twelve months as a result.

Dan Dodson [00:20:04]:
I would love to do that. I think that’d be great. That’d be a great reflection to do, for sure.

Ben Hilmes [00:20:08]:
Well, thanks Dan. I know you and the fortified health team are just working around the clock. You’re helping a lot of people think about their strategies, the plans they need to put in place, and helping them become safer so that they can get back to doing what they really need to be doing, which is taking care of patients and delivering healthcare. So I really appreciate your time. Thanks for, for stopping by, watching and having a chat.

Dan Dodson [00:20:29]:
Absolutely. Always happy to talk with you, Ben. Thanks for the invite. Really appreciate it.

Ben Hilmes [00:20:33]:
You bet. Talk to you soon.

Dan Dodson [00:20:35]:
Talk to you soon.

Ben Hilmes [00:20:38]:
We’re lucky to have people like Dan helping our industry stay one step ahead of the bad guys. Here are my top takeaways from our discussion. One, the change healthcare cyber attack was one of the largest in healthcare history. Still, it could have been much worse had the vendor not acted quickly. Two, the change attack may be a catalyst for more cybersecurity regulation. If so, healthcare organizations will need more funding to upgrade their security plans. Three, email is still a weapon of choice for cyber attackers. Phishing attacks will become more sophisticated with the use of AI.

Ben Hilmes [00:21:12]:
So what do you think? What are your big takeaways from this episode? I’d love to hear from you on our social media channels, or drop me an email from our website at HealthcareITLeaders.com.

Narrator [00:21:23]:
Thanks for joining us for Leader to Leader. To learn more about how to fuel your own personal leadership journey through the healthcare industry, visit healthcareitleaders.com. Don’t forget to subscribe so you don’t miss any insights and we’ll see you on the next episode.