Health Law Highlights

Cyberattack Shuts Down Pharmacies Across the US

From Brew Healthcare, by Quinn Sental:

Change Healthcare, a prominent health tech firm owned by UnitedHealth Group, suffered a cyberattack, disrupting patient payments and prescription processing across the US. The company, part of Optum, handles 15 billion healthcare transactions annually.

The cyberattack was first noticed as disruptions in the company’s applications, later identified as “enterprise-wide connectivity issues”, and eventually confirmed as a cybersecurity issue. In response, Change Healthcare disconnected its systems to prevent further spread.

The incident has affected pharmacies nationwide, preventing them from processing prescription orders. Some pharmacies could accept prescriptions but were unable to process them through patients’ insurance.

Change Healthcare said the disruption is expected to last at least a day and is specific to their systems, with all other UnitedHealth Group systems remaining operational.

Health Law Highlights

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysidia, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.
Health Law Highlights

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Mulio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.