Lessons from the Change Healthcare Cyberattack Incident


Protecting Healthcare Data: Strategies in the Wake of the Cyberattack on Change Healthcare

The recent Change Healthcare cyberattack highlights the growing problem of cyber threats against healthcare organizations.

Change Healthcare is a medical payment processing company that handles clinical, financial, and operational transactions. It is a division of UnitedHealth Group. Change Healthcare processes 1 in 3 medical payment claims in the United States. Since the February 21st attack, operations across the healthcare industry have been severely affected.

The HHS Office for Civil Rights recently issued a statement that it is investigating Change Healthcare and UnitedHealth Group. The investigation aims to determine whether these companies have violated the HIPAA Rules and whether any breach of protected health information has occurred.

This cyberattack serves as a reminder that healthcare providers face considerable cybersecurity risks. But what can healthcare organizations do to help protect their data?

Have a Disaster Recovery Plan to Get Back into Operation as Quickly as Possible

Healthcare organizations have a responsibility to safeguard data and privacy under HIPAA. Has your organization spent time developing a disaster recovery plan? How long will it take your organization to get back into operation if a cybersecurity attack happens?

PrivaPlan Associates recommends that healthcare providers and business associates perform a regular Security Risk Analysis and use it to:

  • Identify current processes
  • Determine technology gaps
  • Update technology infrastructure as needed
  • Create an action plan
  • Standardize the approach to cybersecurity
  • Perform annual assessments of security and privacy measures

Two things often overlooked during a Security Risk Analysis are evaluating medical devices and maintaining ongoing training and awareness programs.

Evaluate Medical Devices & Improve their Digital Defenses

Technology can transform how patient care is delivered, and medical devices, especially interconnected ones, offer a range of benefits.

However, medical devices are just as susceptible to being hacked as a workforce laptop. Their connectivity exposes them to cyber threats, and a compromised device can in turn jeopardize protected health information (PHI).

Protect Against Cyberattacks by Securing Medical Devices

Many medical devices rely on software, which raises the possibility of security failures. Additionally, the PHI stored or transmitted by these devices could be compromised, leading to violations of the HIPAA Rules.

When evaluating your security safeguards, don’t overlook medical devices. Healthcare organizations can audit their medical devices to ensure data security and meet HIPAA regulatory requirements.

Review the systems and software used to operate medical devices to safeguard PHI from unauthorized access and disclosure.

Examine how your organization will implement cybersecurity measures to mitigate the risks associated with medical device hacking, and reserve time each year to review your processes.

Include Managed Phishing as Part of Workforce Training

The Change Healthcare ransomware incident underscores the significant cyber threats facing healthcare organizations and reinforces the need for ongoing training and awareness.

The HIPAA Security Rule mandates that covered entities implement policies and procedures to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Part of these policies and procedures involves workforce training. Covered entities are required to provide training to all members of their workforce who have access to ePHI. This training should cover the organization’s policies and procedures for safeguarding ePHI, including identifying and responding to security incidents and breaches.

HIPAA’s Privacy Rule also requires covered entities to train their workforce on the privacy policies and procedures related to PHI, including electronic and paper records. This training ensures that the workforce understands their responsibilities in safeguarding PHI and maintaining patient privacy.

Ongoing training and awareness programs, such as PrivaPlan’s Managed Phishing program, can help healthcare organizations effectively discourage cyber threats.

A managed phishing program is a proactive approach to testing and improving workforce awareness and response to phishing attacks. Our program aims to assess workforce susceptibility to phishing attacks and identify areas where additional training or security measures may be needed. By monitoring how the workforce interacts with simulated phishing emails, your organization can gauge the effectiveness of its security awareness.

PrivaPlan provides various programs to enhance an organization’s cybersecurity posture. With over twenty years of HIPAA consulting experience, we know how to protect data privacy and enforce data security. Reach out today, and let’s safeguard your healthcare organization together! Contact us at info@privaplan.com or 877-218-7707.
