The recent cyberattack on Change Healthcare underscores how costly the state of cybersecurity in healthcare has become. Many factors contributed to the attack and to the chaos that followed, but one of the most concerning is that numerous CISOs and risk managers already knew Change was a single point of failure for billing and payment processing.
Although it had been identified as a substantial risk, many organizations accepted that risk because of the prohibitive cost and technical difficulty of standing up redundant systems as a backup.
A lack of budget and resources left healthcare organizations unprepared for such an incident, and many now face an even greater financial and resource drain in its wake, having been forced to draw on already diminishing cash reserves to keep operating. Pharmacies struggled to fill prescriptions, and providers faced disruptions to payment processing and patient care; Change Healthcare ultimately paid a $22 million ransom to restore operations.
The scale and complexity of the breach prompted a congressional hearing at which it was revealed that data on almost one-third of Americans may have been compromised. Healthcare organizations and government bodies share responsibility for patient safety, and in this case there were failures and oversights at every level. Providers are still dealing with the fallout. Yet despite another major attack on healthcare, the federal government has still not set minimum cybersecurity standards whose implementation could prevent an attack of this kind and the fallout that follows. Patients deserve better, and if anything is to come from attacks like these, it must be the innovation and change that healthcare organizations need, and need now.
While an attack of this magnitude sent shockwaves across the industry, numerous other breaches have also made headlines, exposing patient data and derailing care. A breach disclosed by Kaiser Permanente in April 2024 exposed personal patient data through the use of tracking pixels, and an attack on Ascension in May 2024 disrupted clinical operations to the point that ambulances had to be diverted.
As the Change attack shows, healthcare organizations are strapped for resources and budget. Nothing has been done to ensure that healthcare is able to invest in cybersecurity, and no government entity has established minimum standards that address the sector's intricate security and workflow needs.
As threats emerge and grow, putting public health at risk, lawmakers and regulators are turning their attention to the challenge. CISA recently issued a pledge asking software vendors to meet a set of security goals by 2025; however, the pledge is voluntary, enforces no accountability on vendors, and does nothing to ease the financial burden on healthcare organizations. Best practices such as those outlined by CISA, NIST, and HHS offer helpful guidance, but they establish no firm minimum standards, enforcement, or incentives that would drive healthcare to invest. Without legislation that compels action, healthcare organizations will continue to struggle, and the onus falls on them to execute a complete cybersecurity strategy, a daunting task without minimum standards in place. Attackers will keep going after healthcare organizations, which are known to pay ransoms and are weak targets, putting patient safety at great risk. Healthcare's current reactive approach to cybersecurity is not sustainable, and it could well take years before meaningful legislation passes that fundamentally changes how the sector approaches cybersecurity. In the meantime, these cybersecurity, financial, and resource problems need to be addressed immediately.
It is encouraging to see senators such as Mark Warner push for minimum cybersecurity standards, but there is still a long way to go before legislation passes that makes a real difference to the industry. The CISA pledge is well intentioned, but healthcare organizations need more from software vendors than commitments; they need solutions that are cost-effective, efficient, and innovative. To address cyber vulnerabilities while ensuring secure, safe, and frictionless access to ever-expanding shared-device environments, healthcare organizations must focus on keeping attackers out and eliminating risky workarounds by implementing strong authentication, access controls, and authorization standards.
Legislation that addresses these distinct security needs could markedly improve both healthcare cybersecurity and operational efficiency across the country.