Calli Dretke, Executive Vice President and Chief Digital and Marketing Officer at CHIME, asks a question of Lisa Gallagher, National Cybersecurity Advisor at CHIME, on Monday, Feb. 17, 2025, during the ViVE conference in Nashville, Tenn.
UnitedHealth Group acquired Change Healthcare in 2022 and merged it with its Optum subsidiary. During a U.S. Senate hearing last year, UnitedHealth CEO Andrew Witty said that the threat actors had entered a server that lacked multifactor authentication.
Even health systems that didn’t use Change Healthcare and thought they weren’t affected learned that they had been impacted.
For instance, James Case, vice president and CISO at Baptist Health in Jacksonville, Fla., said that though the health system used a different company for revenue cycle management, it learned that certain contracts still went through Change Healthcare.
“We weren’t affected that much, but we were affected in pockets, and we didn’t know about that,” Case said. Older contracts that hadn’t been updated to the Change Healthcare name were also discovered. “It had a much broader impact for us and the whole industry than expected.”
As for what healthcare organizations should do in the aftermath of an industry-shaking cyberattack, Taule stressed the importance of having built-in redundancy and stricter security expectations for vendors.
FIND OUT: How does zero trust support cyber resilience for healthcare organizations?
“This is an ecosystem problem, and if we don’t address this as an ecosystem problem, we’re going to be in the same situation,” he said. “The big takeaway is that we all, as customers or as members entering an ecosystem, we have to be more demanding of our vendors and of one another.”
Healthcare organizations should know who their top 10 to 15 critical vendors are and have a backup plan to ensure business and operational continuity, Case added.
“There are many things that happened for which we could’ve been better prepared, and I mean that as an industry,” Taule added. “Do you have the people? Do you have the playbooks? Do you have the alternate means of accomplishing those functions? Do you know who your critical partners are? All of us should have identified Change as one of our most critical vendors.”
He added that his organization has started standardizing security clauses and reconsidering the kinds of vendors it will use for its business.
“This is going to occur,” Taule said. “It may not be this exact scenario, but something on this scale that affects our industry is very likely.”
Check out this page for our complete coverage of ViVE 2025. Follow us on the social platform X at @HealthTechMag and join the conversation at #VIVE2025.
link