Strengthening Healthcare Resilience: Integrated Risk Management as a Response to the Change Healthcare Cyberattack

The recent cyberattack on Change Healthcare, a pivotal entity in the U.S. healthcare ecosystem, has laid bare the vulnerabilities in the sector's interconnected infrastructure. This incident, which disrupted insurance billing and payments for months, underscores the critical need for a more comprehensive approach to risk management. As the healthcare industry grapples with the fallout, integrated risk management (IRM) emerges as a vital framework to bolster resilience and safeguard against future threats.

The Scope of the Attack

Change Healthcare operates the largest clearinghouse for insurance billing and payments in the United States. The February cyberattack on this linchpin entity cascaded across the healthcare system, paralyzing medical providers' ability to process claims, conduct prior authorizations, and perform routine clinical functions. The breach endangered the financial viability of healthcare providers and compromised the personal and health data of a significant portion of the U.S. population.

This attack is a stark reminder of the healthcare sector's vulnerability due to its heavy reliance on interconnected digital systems. As Erik Decker, Chief Information Security Officer at Intermountain Health, aptly noted, the healthcare industry is an "ecosystem of interconnectivity," where disruptions at a single chokepoint can trigger widespread consequences.

IRM: A Strategic Solution

Source: IRM Navigator™ by Wheelhouse Advisors

Integrated risk management (IRM) offers a strategic solution to these challenges by providing a unified approach to identifying, assessing, and managing risks across the enterprise. Unlike traditional risk management practices that often operate in silos, IRM emphasizes the interdependencies within an organization's risk landscape, making it particularly well-suited to address the complexities of the healthcare sector.

Here's how IRM can play a critical role in strengthening healthcare resilience:

  1. Proactive Risk Identification: IRM enables healthcare organizations to identify risks within their operations and across their entire supply chain and partner networks. By mapping out these interdependencies, organizations can anticipate and prepare for potential disruptions, such as those experienced in the Change Healthcare attack.

  2. Resilience Through Risk Assessment: A core component of IRM is the continuous assessment of risks, which allows organizations to understand the potential impact of various threats on their operations. In healthcare, this means evaluating the risks associated with critical functions like claims processing, laboratory services, and supply chain management. By doing so, organizations can develop contingency plans that ensure continuity despite significant disruptions.

  3. Comprehensive Risk Mitigation: IRM promotes a coordinated approach to risk mitigation, ensuring that all parts of the organization work together to manage risks. For healthcare providers, this means aligning cybersecurity efforts with other risk management activities, such as compliance and operational risk management. The goal is to create a unified defense against threats, reducing the likelihood of a single point of failure.

  4. Strategic Supplier/Third-party Risk Management: As the Change Healthcare attack highlighted, third-party vendors play a critical role in the healthcare ecosystem. IRM frameworks incorporate supplier and third-party risk management, ensuring all partners adhere to rigorous cybersecurity standards and integrate their risk management practices with the healthcare provider. This comprehensive approach minimizes the risk of supply chain disruptions and enhances overall system resilience.

IRM Navigator™ by Wheelhouse Advisors


To help organizations implement a robust IRM strategy, Wheelhouse Advisors has developed the IRM Navigator™, a comprehensive framework designed to guide businesses through the complexities of integrated risk management. The IRM Navigator™ provides a structured approach to identifying, assessing, and managing risks across all areas of an organization, ensuring that risk management efforts are aligned with strategic objectives.

The IRM Navigator™ includes the following key components:

  • Risk Identification and Mapping: This component helps organizations identify all relevant risks, including those related to third-party vendors, and map them across the enterprise to understand their interdependencies.

  • Continuous Risk Assessment: Through ongoing assessment, organizations can track how risks evolve and determine the potential impact on operations.

  • Integrated Risk Mitigation: This module focuses on developing and implementing coordinated mitigation strategies that involve all relevant departments within the organization.

  • Supplier/Third-party Risk Management: By incorporating supplier and third-party risk into the broader risk management strategy, the IRM Navigator™ ensures that all external partners are held to the same standards as internal operations, reducing the likelihood of supply chain vulnerabilities.

The IRM Navigator™ has been specifically designed to address the needs of industries with complex, interconnected systems, such as healthcare. By adopting this framework, organizations can transform their approach to risk management, moving from reactive to proactive and from siloed to integrated.

Moving Beyond Compliance to Comprehensive Risk Management

The discussion surrounding the implementation of minimum cybersecurity standards in the healthcare industry, as highlighted by experts at the WSJ Tech Live Cybersecurity forum, underscores a critical point: compliance alone is not enough. While regulatory mandates can provide a baseline for security, they must be part of a broader, more strategic approach to risk management.

IRM goes beyond compliance by embedding risk management into the organization's culture and operations. It encourages continuous improvement and adaptability, ensuring that healthcare providers meet regulatory requirements and are prepared to respond to emerging threats.

The Way Forward

As the healthcare industry moves forward in the wake of the Change Healthcare cyberattack, it is clear that a more integrated approach to risk management is essential. IRM, specifically the IRM Navigator™ framework, provides the tools necessary to navigate the complexities of the modern healthcare ecosystem, offering a pathway to greater resilience and security.

By adopting IRM, healthcare organizations can transform their risk management practices from reactive to proactive, from siloed to integrated, and from compliance-focused to truly resilient. In doing so, they will be better equipped to protect their operations and the patients and communities they serve. As we reflect on the lessons from the Change Healthcare incident, healthcare leaders must recognize the value of IRM in safeguarding the industry's future. The time to act is now, before the next crisis strikes.

References:

Wall Street Journal, "What We Learned From the Cyberattack on Change Healthcare," Aug. 13, 2024.

Samantha "Sam" Jones

Samantha "Sam" Jones is a seasoned technology market analyst, specializing in integrated risk management and adept at uncovering market insights through advanced analytical tools. Passionate about sustainable business practices and emerging technologies, she enjoys staying at the forefront of the industry by participating in community tech events and exploring new trends.
