Context over chaos. Disconnected technologies, siloed data, and reactive processes can only get you so far. Protecting businesses in today’s threat landscape demands more than a set of security tools – it requires context.
That's where Avertium comes in
Security. It’s in our DNA. It’s elemental, foundational. Something that an always-on, everything’s-IoT-connected world depends on.
Helping mid-to-enterprise organizations protect assets and manage risk is our only business. Our mission is to make our customers’ world a safer place so that they may thrive in an always-on, connected world.
Best-in-class technology from our partners... backed by service excellence from Avertium.
Interested in becoming a partner?
With Avertium's deal registration, partners can efficiently and confidently connect with Avertium on opportunities to protect your deals.
Microsoft Copilot for Security analyzes and synthesizes high volumes of security data which can help healthcare cybersecurity teams do more with less.
Dive into our resource hub and explore top
cybersecurity topics along with what we do
and what we can do for you.
Last month, a cyberattack on the largest U.S. healthcare payment system crippled operations and caused severe financial loss for many healthcare organizations. Change Healthcare, which operates 14 billion clinical, financial, and operational transactions annually, was at the center of a ransomware attack thought to be carried out by the notorious ALPHV (BlackCat) ransomware group.
The unexpected ransomware breach left healthcare professionals in a state of urgency, scrambling to find solutions. Hospitals, healthcare plans, and physicians catering to Medicare and Medicaid beneficiaries encountered difficulties in transmitting essential claims and data to the Department of Health and Human Services (HHS). Although HHS set up payment workarounds for providers with flexible deadlines, the fallout from the incident was immense.
According to Beau Woods, a co-founder of the cyber advocacy group I Am The Cavalry, the government has traditionally depended on voluntary standards to safeguard healthcare networks. However, Woods stated that this voluntary approach has proven inadequate, stating that the purely optional, “do it out of the goodness of your heart” model is evidently ineffective. He advocates for increased federal funding and heightened attention to address this pressing issue.
How can the healthcare sector mitigate the risk of future ransomware attacks like the one that affected Change Healthcare? One solution could lie in implementing governance, risk management, and compliance (GRC) practices. GRC provides an integrated and robust approach, allowing healthcare organizations to effectively manage governance, enterprise risk, and regulatory compliance in a cohesive manner. Now, let's delve into GRC and explore how healthcare organizations can leverage its advantages.
The attack on Change Healthcare occurred when unauthorized parties gained entry into Change Healthcare's network. Specific details regarding how ALPHV/BlackCat managed to breach the network have not been publicly disclosed.
Although the exact method used to breach Change Healthcare's defenses remains undisclosed, ALPHV/BlackCat is known within cybersecurity circles for using various tactics. These tactics, reported by security experts, include exploiting vulnerabilities in Microsoft's remote desktop protocol and conducting brute-force attacks on Active Directory (AD). There has also been speculation about potential involvement of vulnerabilities in the ConnectWise Screen Connect application, disclosed on Feb. 19, though Change Healthcare has not confirmed this. ConnectWise has also denied any association between its software and the Change Healthcare incident.
Once inside Change Healthcare's network, the attackers launched ransomware. This attack on Change Healthcare disrupted critical operations, and the company responded by disconnecting over 111 different services across its system to prevent further harm. Additionally, the company collaborated with law enforcement and cybersecurity experts to contain and address the ransomware threat.
Now, the healthcare giant is facing a new threat. The extortion group RansomHub has begun selling sensitive patient data from the Change Healthcare breach. The data includes Social Security numbers, insurance details, payment claims, and medical records. RansomHub also claims to have healthcare data on active-duty military personnel. The group is the second group to target Change Healthcare, with ALPHV being the first – receiving $22 million in ransom payments. RansomHub stated they are willing to accept ransom payments from individual insurance companies that work with Change Healthcare. The company has spent a total of $872 million responding to the breach.
In an era where healthcare organizations face an ever-growing array of threats to sensitive patient data and regulatory compliance, the importance of robust governance, risk management, and compliance (GRC) frameworks cannot be overstated. At its core, GRC embodies the holistic approach of integrating governance, risk management, and compliance activities to fortify healthcare operations.
Governance establishes the foundation of accountability and transparency, defining roles and responsibilities across the organization. In the healthcare sector, this might entail establishing data protection policies and delineating protocols for managing patient information.
Meanwhile, risk management identifies, assesses, and mitigates potential threats to patient data security and operational continuity. Within the healthcare industry, risks span from data breaches to operational inefficiencies, highlighting the importance of a clearly outlined GRC strategy in their mitigation. Compliance ensures adherence to regulatory mandates, including standards such as the Health Insurance Portability and Accountability Act (HIPAA) and various industry regulations.
Governance
Risks
Compliance
Historically, healthcare organizations have often adopted linear compliance approaches, compartmentalizing governance, risk management, and compliance functions. However, this fragmented structure fosters silos, hindering effective communication and collaboration. Such silos lead to inconsistencies in policy implementation, operational inefficiencies, and heightened vulnerability to regulatory scrutiny.
On the other hand, an integrated GRC framework fosters synergy among governance, risk management, and compliance functions, yielding a ton of benefits. By breaking down silos and promoting cross-functional collaboration, integrated GRC facilitates real-time risk identification and mitigation, proactive policy adjustments, and timely resolution of compliance issues. This cohesive approach not only enhances regulatory compliance but also bolsters operational efficiency and patient care quality.
Furthermore, GRC integration drives operational efficiency by streamlining processes, minimizing redundancies, and optimizing resource allocation. Through continuous monitoring and feedback loops, organizations can identify procedural gaps and swiftly implement corrective measures. Automation tools, such as GRC software solutions, play a pivotal role in expediting compliance management tasks, automating workflows, and facilitating real-time reporting.
A comprehensive GRC framework could have potentially prevented the ransomware attack on Change Healthcare through several key procedures:
Overall, a comprehensive GRC framework provides organizations with the tools and processes needed to proactively identify, assess, and mitigate cybersecurity risks, thereby reducing the likelihood and impact of ransomware attacks and other cyber threats.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe.
RansomHub
Domain
Hostname
What is Healthcare Governance, Risk Management, and Compliance (GRC)? (hipaajournal.com)
RansomHub - AlienVault - Open Threat Exchange
Governance Risk And Compliance: 5 Things You Should Know (complyassistant.com)
Healthcare Governance Risk and Compliance - Compliancy Group (compliancy-group.com)
Health industry struggles to recover from cyberattack on UnitedHealth : Shots - Health News : NPR
Change Healthcare facing HHS probe following crippling cyberattack | News Brief | Compliance Week
What's Healthcare GRC? (accountablehq.com)
The Change Healthcare attack: Explaining how it happened (techtarget.com)
GRC Solutions for Healthcare: CISO Challenges (wolfpacsolutions.com)
HIPAA & GRC Key to Principled Performance in Health Space (compliancy-group.com)
UnitedHealth says Change Healthcare cyberattack cost it $872 million - CBS News
Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse | WIRED
Change Healthcare stolen patient data leaked by ransomware gang | TechCrunch
Change Healthcare cyberattack fallout continues (healthitsecurity.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.