A nearly week-long cyberattack on Change Healthcare has caused prescription delays at thousands of pharmacies across the country, highlighting the fragility of our healthcare systems and their reliance on third-party software vendors for essential infrastructure, says Kevin Fu, an engineering professor at Northeastern College. and cyber security expert.
“I think it's really a house of cards,” Fu says. “I think a lot of times companies, whether they're big or small, don't realize how dependent they are on thousands of pieces of software. This particular one [software] it happens to be the cornerstone of the entire healthcare delivery practice. It is deeply embedded in pharmacies. That's why we're seeing these holidays.”
Change Healthcare is a health technology company that provides thousands of pharmacies and healthcare providers in the US with tools that enable them to process claims and other key payment and revenue management practices. The company said it suffered a cyber attack last Wednesday.
A day later, he informed her US Securities and Exchange Commission of the incident, noting that it had “identified a suspected nation-related cyber security threat actor and gained access to some of Change Healthcare's information technology systems.”
In response to the attack, the company, which is a subsidiary of United Healthcare, took its systems offline as it worked to investigate and resolve the issue, causing prescription delays at drugstores like CVS and Walgreens.
From Tuesday 27 February, its systems remain offlinebut 90% of pharmacies affected by the attack have found solutions to continue providing services to customers, according to statement Change Healthcare parent company UnitedHealth Provided to CNBC.
Reuters reported the attack was carried out by hackers who are part of the notorious Blackcat ransomware gang. However, Change Healthcare representatives did not confirm this or share more details about the perpetrators.
Fu says the fact that the company had to shut down its systems is a major indication that its systems were not properly designed with cyber security in mind.
“If cyber security plans were done right, we wouldn't need to pull the plug, but there's a lot of legacy software out there that just isn't resilient against an adversary,” he says. “Essential clinical functions must be available to run regardless of whether the network goes down or not. … But today, the way things are written, it's very common that if one piece goes down, the whole portfolio goes down.”
Aanjhan Ranganathanprofessor in the Khoury College of Computer Sciences and a cybersecurity expert, says these attacks highlight the need for systems that are more distributed, less locked-in, and more flexible and resistant to attack.
“I think the biggest lesson over and over again that these attacks teach us is the requirement for decentralized systems, to have no single point of failure.”
Building these kinds of systems isn't easy, Ranganathan explains, as it often requires operators to rethink and rebuild their networking systems from scratch.
“It's one of those things where you always go for functionality and don't build systems with security and privacy by design,” he says. “There has been a recent trend with building systems with privacy and security by design.”
But what does a decentralized cybersecurity system look like?
“For example, you could first of all, not store everything in one place,” says Ranganathan. “You could store all the critical data in multiple places with different keys. There are ways you can store parts of the data in different places and even if one part is not accessible, you can retrieve that part based on information you have in other places. By doing this, you force an attacker to successfully target more than one endpoint.”
He adds, “You build the infrastructure in such a way that there is no place to bring down the whole system. You have to remove a lot of different pieces of the puzzle to really make any impact.”
