After the February attack on Change Healthcare (Change), the U.S. Department of Health and Human Services (HHS) released a statement that said, “This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” I wholeheartedly agree.
The Change attack caused widespread, dire disruption to our healthcare system that the industry will be digging out of for years. Unfortunately, attacks like this are only going to continue and likely multiply.
According to the 2024 IBM X-Force Threat Intelligence Index, healthcare is the third-most targeted industry in North America, having moved up from fourth place in 2023. If nothing else, the unfortunate attack on Change is a sobering reminder that health systems, health plans, and the systems that serve them are a vector to make a lot of money. Each of us who work with healthcare data should view the Change attack as a wake up call (I might even take it a step further and say a kick in the pants) to do all that we can to strengthen cybersecurity. We also must remain hyper aware of just how vulnerable the healthcare system is to cyber attacks.
I first heard about the Change attack through the press. My first thought was, “If Change’s system isn’t safe, is our system safe?” My second thought was, “What can Moxe do now to protect the security of our data?” We immediately shut down the connection. By shutting down our connections with Change, we made sure that any attack surface exposed by our connections was cut off. When it comes to data security, we take a proactive, thorough, and safe approach: The impact of needing to restart, rebuild, reconfigure, re-everything these connections is exponentially less than the impact to of a data breach.
Each of us who work with healthcare data should view the Change attack as a wake up call (I might even take it a step further and say a kick in the pants) to do all that we can to strengthen cybersecurity.
Thankfully, Moxe was not impacted by this attack. Over the past several weeks, we established direct connectivity to Optum—Change’s parent company—systems, which were not impacted by the attack. We do not expect to reestablish a connection directly to Change in the near future.
How can we respond to HHS’s call to action to strengthen cybersecurity across the ecosystem with a heightened sense of urgency? As someone who has been deeply invested in data security and privacy for over two decades, I have a few thoughts.
At Moxe, we are deeply committed to protecting privacy and ensuring the highest levels of data security. We treat patient data as we would want our own patient data to be treated.
Over the past few years, we have implemented a number of tools to ensure protection of our environment from a ransomware attack similar to what Change experienced. This includes Endpoint Detection and Response (EDR) System through Crowdstrike, continuous penetration testing through Sprocket, and security event and incident management (SEIM) through Blumira. These tools ensure that what is happening on and through traffic in and out of our systems are all safe.
Additionally, we leverage Snyk to scan our code and third party applications used in our environment to make sure that patches are applied quickly and that the code we deliver to our production environment is as safe and secure as possible.
In addition to the many tools we have in place, I’m thrilled we were able to recruit Drew Hjelm—a true cybersecurity expert—to join our team last year as Director of Information Security and Chief Information Security Officer. Drew is tasked with ensuring Moxe is doing everything in our power to keep data safe and secure.
I can’t close without saying that my heart—and all of our hearts here at Moxe—go out to the many patients, individuals, and organizations that have been impacted by the Change attack. As always, we are grateful for and inspired by the resiliency and persistence of our healthcare partners.
If there’s anything we can do to serve you, please don’t hesitate to reach out.
Mike Arce is Moxe’s Chief Administrative and Privacy Officer.