Will This Event Actually Change Healthcare?

Forgive the pun, it’s a serious question. The Change Healthcare breach is a stunning example of just how bad one of these events can be under the right circumstances. It will no doubt go down as one of the costliest breaches in healthcare and will have repercussions for months and possibly years to come.

The reaction has been interesting, to say the least. Some are wondering why a breach of this magnitude isn’t receiving more attention in the media. As important as healthcare is, why doesn’t this incident rival the Colonial Pipeline or Target breaches for coverage? Others are calling for greater investment in security, throwing money at the problem. But in what exactly should organizations invest? Many surveys and studies suggest that organizations are not getting optimal value from current investments, or that the “solutions” aren’t fully implemented or are under-performing.

Some entities are quietly going about the business of trying to determine what this incident means for them and their organization. Thank goodness some are using their heads. We haven’t heard anyone say, “We can or should ignore it,” or “This too shall pass,” as we did in previous breaches. But perhaps we need to give it time. Only one of these reactions is a correct response.

For those looking for more attention, I advise: Just wait for it. It will be hard for a breach of this size and impact not to receive a great deal of scrutiny and publicity before it runs its course. For those in the ‘throw money at the problem’ camp, I would advise discretion. In many cases, we’ve already spent too much on solutions that aren’t working, and we’re failing to invest wisely in things that matter. And no, we cannot ignore this, because it won’t soon pass, and the next breach may be worse, which is hard but not impossible to imagine. For those quietly trying to understand how this happened and looking at their own organization to assess their risk and smartly address their reaction, I say: Keep doing what you are doing. This is not a time for knee-jerk reactions – it’s a time for cool heads and smart decisions.

The irony for anyone who attended the ViVE/CHIME conference this past week is that there were, as John Lynn so aptly put it, two conversations that dominated the hallways, the booth messages and the presentations. The first was everything AI, and the second was the United Health Group/Optum/Change Health breach. I say irony because the latter is an example of healthcare’s inability to address the present threat, while the former is yet another example of a headlong rush to embrace the next new technology that neither the industry, IT, nor even the developers fully understand or are capable of securing.

This represents the duality of the challenge: Entities have not adequately addressed the risks of the past, yet they continue to pursue the technology of the future with new risks that they neither know nor fully understand. So the CIO and CISO fight a two-front war. The unfortunate part of this situation is that as healthcare becomes more technology-driven and more dependent on information, and as its ecosystem becomes more and more complex and interconnected, the threats of the past increase in risk and impact.

What was also amazing is that despite 34,000-plus technologists, scientists, lawyers, academics, etc. signing onto a petition asking that we take a break and step back momentarily from deployment of AI until we understand it better and can develop guardrails to promote safe development and controls to avoid risks, you could not see this in action on the floor of ViVE or in the dialogue you hear everywhere.

The risks of the past which are currently eating our proverbial lunch are incremental in nature, while the risks associated with AI could be transformative in nature. Imagine for a minute this same attack fueled by an AI-enabled intelligent technology that could move much faster. For better or worse, we have already let the generative AI genie out of the bottle, and it’s not going back. We had better ramp up the research into the risks of AI, as well as its uses for cybersecurity defense, or we are going to have way bigger issues than what we see currently with the Change Healthcare breach.

There is an even scarier genie out there called Super AI, and it has a friend called the quantum computer; together they make the challenges of today pale in comparison to what we may face in the next decade and beyond. All of this should serve as a wake-up call.

As I asked up front, the question is: Will it change anything? How will organizations react to this event? What value do we place on healthcare as critical infrastructure? And what value do we place on privacy and life? Because, make no mistake, cybersecurity is patient safety.

Right now, organizations should be spending at least as much time and energy on more effectively securing what they already have as they spend chasing the next new technology.

Boards and executives should be asking more probing questions, such as:
• Do we understand our risks?
• Do we have the right infrastructure?
• Do we have the right controls?
• Do we have enough people with the right skills to manage our security?
• Do we have good controls on our business partners, as well as their downstream partners?
• When was the last time we performed a thorough enterprise risk analysis, not just on our applications but our entire information ecosystem?
• How often do we test ourselves?
• What is our average time to remediate once we receive an alert to patch or update something?
• Do we understand exactly what is critical to the business within our enterprise?
• Have we identified and planned for a suitable alternative that will allow us to continue to operate?
• Have we ensured that vendors have this same level of redundancy for solutions or services on which our business relies?
• And can we survive a Change Healthcare breach?

The list goes on. These are not new questions or rocket science, nor are they exciting or revenue generating. The answers come with costs. But healthcare decision makers must ask two critical questions: How much is the Change Healthcare breach likely to cost? And more importantly, from a patient safety perspective, how confident can you be in outcomes generated by AI and other new innovative technologies if you cannot certify the integrity of the IT they run on or the data they use to generate those outcomes?

It’s not just time to hit the pause button on AI. It’s time to hit the pause button on where we are today and get our house in order, so we can embrace the future and the amazing things that AI and whatever is next can do for healthcare with confidence.