Data breaches don’t often make the headlines. Mostly, the fear of negative publicity deters companies from reporting a data breach to the public.
But last year, one incident received widespread attention: the Change Healthcare data breach. The breach was massive; it affected around 190 million people in the U.S.
After a year, the dust has somewhat settled, but the lessons are still rolling in. If anything, this cyberattack was a wake-up call that rattled the healthcare industry to its core.
So, what have we actually learned? We’ll share a few key takeaways here.
#1 Ignoring Multi-Factor Authentication is a Big No-No!
Did you know that a lack of multi-factor authentication led to the Change Healthcare cyberattack? UnitedHealth’s CEO admitted this in a U.S. Senate hearing.
Compromised credentials allowed the ransomware group AlphV to access Change Healthcare’s Citrix portal, an app that allowed remote access to desktops.
No multi-factor authentication, or MFA, was turned on. So, when hackers used those compromised credentials, they successfully intruded into the system. Once they were inside, the threat actor used advanced techniques to move laterally and exfiltrate data.
Their attack went undetected until Feb 21, when they encrypted the system. Change Healthcare had no option but to take its operations offline.
Don’t make the same mistake. Turn on MFA. It’s an authentication method that requires users to verify their identity in more than one way before accessing an account.
According to CISA, MFA reduces the likelihood of cyberattacks by 99%. A compromised credential is useless without the second authentication factor. If you have this security measure in place, the attacker’s entry will be denied even when the first factor is compromised.
#2 Patient Data Protection Should be a Priority
Change Healthcare was founded in 2007, but its core medical claims and payment processing tech systems are four decades old.
When UnitedHealth acquired the healthcare company, it was working to upgrade and modernize a large segment of its technology.
Most of Change’s data was stored in on-premise data centers before the attack. Whether the healthcare company’s on-premise data center had a security team is still unknown. But one thing is clear: Change Healthcare didn’t prioritize patient data protection.
If you own an on-premise data center, you had better hire a robust security team. They will monitor and protect your patients’ data and systems 24/7.
Don’t have an on-premise data center? You can look for a data center provider who builds and operates these facilities off-site.
Be sure to look into the data center location strategy and site development process.
Those who are the best in the industry don’t just screen and tour available sites. They also assess market conditions, use a proprietary GIS tool, and work with stakeholders to understand on and off-market properties. Stream Data Centers explains that this results in:
- Well-positioned properties that are sustainable and scalable
- Risk mitigation to avoid delays, surprises, and cost overruns later in the development stage
#3 Robust Employee Education Programs are a Must
The weakest links in cybersecurity? Lack of awareness and human error.
While human error was not a cause of the breach in the case of Change Healthcare, lack of awareness certainly was.
Until the threat actor deployed the ransomware, they were inside the system for nine days. Shockingly, none of the healthcare company’s employees could figure it out. This shows that if employees aren’t educated on cyberattacks, they cannot do anything to stop them.
Suspicious login patterns? Unusual data transfers? These are things a well-trained workforce should catch.
Robust cybersecurity training of employees is important to prevent phishing and other cyber threats.
Regular training, phishing simulations, and clear security protocols can make the difference between catching a red flag early and dealing with a full-blown data breach.
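As an added illustration of lessons #1 and #3 (not part of the original article and not any vendor's code), the Python example below reviews a constructed remote-access login log for successful logins made without a second factor or from a source not previously seen for that account. The log layout, account names, and addresses are assumptions made for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log for a hypothetical remote-access portal (not real data).
# Assumed columns: timestamp, user, source address, result, second factor verified.
SAMPLE_LOG = """\
2025-03-03T08:02:11,jdoe,198.51.100.7,success,yes
2025-03-04T08:05:40,jdoe,198.51.100.7,success,yes
2025-03-05T02:14:03,svc_claims,203.0.113.50,failure,no
2025-03-05T02:14:09,svc_claims,203.0.113.50,success,no
2025-03-06T08:01:55,jdoe,198.51.100.7,success,yes
2025-03-09T03:40:27,svc_claims,203.0.113.50,success,no
2025-03-14T01:22:18,svc_claims,203.0.113.77,success,no
"""

def audit_logins(log_text):
    """Return successful logins that warrant review, with the reasons for each."""
    known_sources = defaultdict(set)  # user -> source addresses already seen
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, user, src, result, mfa = row
        if result != "success":
            continue
        reasons = []
        if mfa != "yes":
            reasons.append("no_second_factor")
        if known_sources[user] and src not in known_sources[user]:
            reasons.append("new_source")
        known_sources[user].add(src)
        if reasons:
            findings.append((datetime.fromisoformat(ts), user, src, reasons))
    return findings

def exposure_days(findings, user):
    """Whole days between the first and last flagged login for one account."""
    times = [when for when, name, _, _ in findings if name == user]
    return (max(times) - min(times)).days if times else 0

if __name__ == "__main__":
    flagged = audit_logins(SAMPLE_LOG)
    for when, user, src, reasons in flagged:
        print(when.isoformat(), user, src, ",".join(reasons))
    print("svc_claims exposure (days):", exposure_days(flagged, "svc_claims"))
```

A review like this is only as good as the log feeding it: the portal has to record whether a second factor was actually verified for each session.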
#4 Obtain Cyber Insurance to Safeguard Your Finances from Cyber Risks
The AlphV ransomware group’s intrusion into Change Healthcare’s IT environment cost UnitedHealth a lot.
The healthcare giant had to spend a massive amount of money to recover from the cyberattack. Through the end of September, the healthcare company’s financial losses from the attack reached $2.5 billion, including $1.7 billion dedicated to direct recovery.
So, healthcare businesses can’t afford to skip cyber insurance. It won’t stop hackers from trying to break in, but it will help cover the massive costs of recovering from an attack.
Don’t just purchase a policy for the sake of it. Assess your risks and choose coverage that actually fits them. Your policy should cover ransomware payments, business interruptions, and regulatory fines. If not, you might be paying for a false sense of security.
The Change Healthcare breach was a stark reminder that robust cybersecurity is necessary for healthcare businesses. But with these lessons in hand, the industry is better positioned to fortify defenses, ensure patient data safety, and maintain trust.
So, learn from this breach because you’ll set yourself up for the next one if you don’t.