Healthcare - Governance, Risk Management, + Compliance

executive summary

Last month, a cyberattack on the largest U.S. healthcare payment system crippled operations and caused severe financial loss for many healthcare organizations. Change Healthcare, which operates 14 billion clinical, financial, and operational transactions annually, was at the center of a ransomware attack thought to be carried out by the notorious ALPHV (BlackCat) ransomware group.

The unexpected ransomware breach left healthcare professionals in a state of urgency, scrambling to find solutions. Hospitals, healthcare plans, and physicians catering to Medicare and Medicaid beneficiaries encountered difficulties in transmitting essential claims and data to the Department of Health and Human Services (HHS). Although HHS set up payment workarounds for providers with flexible deadlines, the fallout from the incident was immense.

According to Beau Woods, a co-founder of the cyber advocacy group I Am The Cavalry, the government has traditionally depended on voluntary standards to safeguard healthcare networks. However, Woods stated that this voluntary approach has proven inadequate, stating that the purely optional, “do it out of the goodness of your heart” model is evidently ineffective. He advocates for increased federal funding and heightened attention to address this pressing issue.

How can the healthcare sector mitigate the risk of future ransomware attacks like the one that affected Change Healthcare? One solution could lie in implementing governance, risk management, and compliance (GRC) practices. GRC provides an integrated and robust approach, allowing healthcare organizations to effectively manage governance, enterprise risk, and regulatory compliance in a cohesive manner. Now, let's delve into GRC and explore how healthcare organizations can leverage its advantages.

change healthcare + alphv (blackcat)

The attack on Change Healthcare occurred when unauthorized parties gained entry into Change Healthcare's network. Specific details regarding how ALPHV/BlackCat managed to breach the network have not been publicly disclosed.

Although the exact method used to breach Change Healthcare's defenses remains undisclosed, ALPHV/BlackCat is known within cybersecurity circles for using various tactics. These tactics, reported by security experts, include exploiting vulnerabilities in Microsoft's remote desktop protocol and conducting brute-force attacks on Active Directory (AD). There has also been speculation about potential involvement of vulnerabilities in the ConnectWise Screen Connect application, disclosed on Feb. 19, though Change Healthcare has not confirmed this. ConnectWise has also denied any association between its software and the Change Healthcare incident.

Once inside Change Healthcare's network, the attackers launched ransomware. This attack on Change Healthcare disrupted critical operations, and the company responded by disconnecting over 111 different services across its system to prevent further harm. Additionally, the company collaborated with law enforcement and cybersecurity experts to contain and address the ransomware threat.

Now, the healthcare giant is facing a new threat. The extortion group RansomHub has begun selling sensitive patient data from the Change Healthcare breach. The data includes Social Security numbers, insurance details, payment claims, and medical records. RansomHub also claims to have healthcare data on active-duty military personnel. The group is the second group to target Change Healthcare, with ALPHV being the first – receiving $22 million in ransom payments. RansomHub stated they are willing to accept ransom payments from individual insurance companies that work with Change Healthcare. The company has spent a total of $872 million responding to the breach.

governance, risk management, + compliance in healthcare

In an era where healthcare organizations face an ever-growing array of threats to sensitive patient data and regulatory compliance, the importance of robust governance, risk management, and compliance (GRC) frameworks cannot be overstated. At its core, GRC embodies the holistic approach of integrating governance, risk management, and compliance activities to fortify healthcare operations.

Governance establishes the foundation of accountability and transparency, defining roles and responsibilities across the organization. In the healthcare sector, this might entail establishing data protection policies and delineating protocols for managing patient information.

Meanwhile, risk management identifies, assesses, and mitigates potential threats to patient data security and operational continuity. Within the healthcare industry, risks span from data breaches to operational inefficiencies, highlighting the importance of a clearly outlined GRC strategy in their mitigation. Compliance ensures adherence to regulatory mandates, including standards such as the Health Insurance Portability and Accountability Act (HIPAA) and various industry regulations.

the breakdown

Governance

• Governance plays a fundamental role in shaping an organization's compliance approach. It establishes the framework for organizational operations, ensuring alignment with its mission and strategic objectives.
• In healthcare, governance encompasses the formulation and enforcement of policies and procedures governing the management of patient data and information. This involves establishing guidelines for accessing, sharing, and storing patient records securely and ethically, in adherence to pertinent laws and regulations.
• Governance entails clearly defining roles and responsibilities within the organization and implementing mechanisms for accountability. This clarity fosters a shared understanding among all stakeholders regarding their obligations regarding data protection and regulatory compliance.
• Robust governance is essential for upholding compliance with HIPAA regulations and fostering operational efficiency in healthcare entities. It serves as the cornerstone upon which the broader healthcare GRC framework is constructed.

Risks

• Risk management is a key element of the healthcare GRC framework, playing a crucial role in anticipating and addressing potential challenges that could impact an organization. In the dynamic landscape of healthcare, risks come in various forms, ranging from data breaches and technical glitches to compliance lapses and operational hiccups.
• For instance, a data breach could jeopardize sensitive patient information, leading to significant harm to the organization's reputation and even legal repercussions. To navigate these challenges effectively, healthcare organizations rely on a proactive approach to risk assessment. This involves identifying potential threats, evaluating their likelihood and potential impact, and implementing strategies to mitigate them.
• In healthcare, mitigating risks may involve a range of strategies, from strengthening data protection measures and developing robust disaster recovery plans to conducting regular compliance audits and providing staff with comprehensive training.
• By embracing proactive risk management practices, healthcare organizations can better prepare themselves to handle potential issues, ensuring the safety of their patients, maintaining their reputation, and safeguarding their financial health.

Compliance

• The compliance component of healthcare GRC is all about upholding adherence to pertinent laws and regulations, ensuring that healthcare organizations operate within legal boundaries. In the United States, the cornerstone regulatory standard is the Health Insurance Portability and Accountability Act (HIPAA).
• HIPAA serves as the fundamental guideline for safeguarding health information, dictating how healthcare providers, health plans, and clearinghouses handle patient data in terms of usage, disclosure, and protection. Violations of HIPAA can lead to significant fines and penalties, not to mention the risk of tarnishing the organization's reputation.
• Another pivotal standard in healthcare compliance is the Health Information Trust Alliance (HITRUST). HITRUST offers a framework that consolidates various compliance standards, including HIPAA, into a comprehensive set of controls. Achieving HITRUST certification demonstrates an organization's dedication to maintaining the highest standards of data security and privacy.
• Ultimately, the compliance aspect of healthcare GRC ensures that healthcare entities align their practices with these and other relevant standards. By doing so, they not only steer clear of potential penalties but also cultivate trust among their patients and partners.

challenges of linear compliance approaches

Historically, healthcare organizations have often adopted linear compliance approaches, compartmentalizing governance, risk management, and compliance functions. However, this fragmented structure fosters silos, hindering effective communication and collaboration. Such silos lead to inconsistencies in policy implementation, operational inefficiencies, and heightened vulnerability to regulatory scrutiny.

BENEFITS OF INTEGRATED GRC

On the other hand, an integrated GRC framework fosters synergy among governance, risk management, and compliance functions, yielding a ton of benefits. By breaking down silos and promoting cross-functional collaboration, integrated GRC facilitates real-time risk identification and mitigation, proactive policy adjustments, and timely resolution of compliance issues. This cohesive approach not only enhances regulatory compliance but also bolsters operational efficiency and patient care quality.

Furthermore, GRC integration drives operational efficiency by streamlining processes, minimizing redundancies, and optimizing resource allocation. Through continuous monitoring and feedback loops, organizations can identify procedural gaps and swiftly implement corrective measures. Automation tools, such as GRC software solutions, play a pivotal role in expediting compliance management tasks, automating workflows, and facilitating real-time reporting.

A comprehensive GRC framework could have potentially prevented the ransomware attack on Change Healthcare through several key procedures:

• Governance Oversight: A robust governance structure would ensure that cybersecurity policies and procedures are in place, with clear accountability and responsibility assigned for their implementation and enforcement. This includes establishing protocols for regular security audits and assessments to identify vulnerabilities before they can be exploited by attackers.
• Risk Management Practices: Effective risk management within a GRC framework involves continuous monitoring and assessment of potential threats and vulnerabilities. By conducting regular risk assessments and implementing appropriate controls and safeguards, organizations can proactively mitigate the risk of ransomware attacks and other cybersecurity incidents.
• Compliance Adherence: Compliance with industry regulations, such as HIPAA in the case of healthcare organizations, is a critical component of GRC. Ensuring compliance with relevant standards and regulations helps organizations establish baseline security measures and safeguards to protect sensitive data from unauthorized access and exploitation.
• Incident Response Planning: GRC frameworks typically include protocols and procedures for incident response and management. By having a well-defined incident response plan in place, organizations can effectively contain and mitigate the impact of a ransomware attack, minimizing downtime and disruption to operations.
• Employee Training and Awareness: GRC encompasses workforce training and awareness programs to educate employees about cybersecurity best practices and how to recognize and respond to potential threats such as phishing attempts or suspicious activity. Well-trained employees are less likely to inadvertently engage in activities that could facilitate a ransomware attack, such as clicking on malicious links or opening infected email attachments.

Overall, a comprehensive GRC framework provides organizations with the tools and processes needed to proactively identify, assess, and mitigate cybersecurity risks, thereby reducing the likelihood and impact of ransomware attacks and other cyber threats.

How Avertium is Protecting Our Customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe.

• Avertium simplifies Governance, Risk, and Compliance (GRC) by providing contextual understanding instead of unnecessary complexity. With our cross-data, cross-industry, and cross-functional expertise, we enable you to meet regulatory requirements and demonstrate a robust security posture without any vulnerabilities. Our GRC services include:
  • Cyber Maturity
  • Compliance Assessments and Consulting
  • Managed GRC
• Avertium’s GRCaaS portal centralizes management and visibility of all things compliance in one view. No more exchanging files back and forth by email.
  • Our platform will provide your team with the ability to analyze data, create questionnaire and tasks for individual business units and providers, schedule interviews, and immediately integrate insights into a more comprehensive score.
  • With Avertium’s GRCaaS portal, you can measure the health of your security controls today and get ahead of compliance requirements tomorrow.

INDICATORS OF COMPROMISE 

RansomHub

Domain

• authentication-tyloo-hub[.]com
• coinpayhub[.]com
• edenhuber[.]autos
• elchubutense[.]com[.]ar
• github[.]as
• gsxhub[.]com
• hitsbitsx[.]com
• huboftest[.]ir
• inbox-rules[.]at
• jobsforfelonhub[.]com
• meethub[.]gg
• my4flirtvibeshub[.]life
• secureci[.]org
• suddshub[.]com
• utilityhub-container[.]info

Hostname

• huboftest[.]ir
• mod.gov[.]ge
• msservice-143601145[.]hubspotpagebuilder[.]eu
• search[.]tab-hub-simple[.]online
• universitex[.]hubside[.]fr
• www[.]cwhubbb[.]cn
• www[.]mizuhubaenk[.]top
• www[.]mizuhubank[.]com
• www[.]mizuhubank[.]top
• www[.]mizuhubesnk[.]top
• www[.]mizuhubsank[.]top
• www[.]mizuhubsnk[.]top
• www[.]msaaezusshubsnk[.]top

Supporting Documentation

What is Healthcare Governance, Risk Management, and Compliance (GRC)? (hipaajournal.com)

RansomHub - AlienVault - Open Threat Exchange

Governance Risk And Compliance: 5 Things You Should Know (complyassistant.com)

Healthcare Governance Risk and Compliance - Compliancy Group (compliancy-group.com)

Health industry struggles to recover from cyberattack on UnitedHealth : Shots - Health News : NPR

Change Healthcare facing HHS probe following crippling cyberattack | News Brief | Compliance Week

What's Healthcare GRC? (accountablehq.com)

The Change Healthcare attack: Explaining how it happened (techtarget.com)

Batenburg, R., Neppelenbroek, M., & Shahim, A. (2014). A maturity model for governance, risk management and compliance in hospitals. Journal of Hospital Administration, 3(4), 43-52.

GRC Solutions for Healthcare: CISO Challenges (wolfpacsolutions.com)

HIPAA & GRC Key to Principled Performance in Health Space (compliancy-group.com)

UnitedHealth says Change Healthcare cyberattack cost it $872 million - CBS News

Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse | WIRED

Change Healthcare stolen patient data leaked by ransomware gang | TechCrunch

Change Healthcare cyberattack fallout continues (healthitsecurity.com)

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.