Q&A with Availity CISO Mike Green: Part 1

Cyberattacks are an all-too-common occurrence in healthcare, as evidenced by the Change Healthcare cybersecurity incident in February this year. In addition to grabbing headlines, cybersecurity breaches create unprecedented disruption to the healthcare ecosystem—negatively impacting patient care and privacy. To meet this threat, security has always been a top priority for Availity. It was a major strategic focus and market differentiator for our company long before this incident and continues to be one of our driving forces.

In this two-part Q&A series, Availity Chief Information Security Officer Mike Green offers his insights on the state of cybersecurity in healthcare and shares advice for healthcare organizations looking to proactively identify vulnerabilities and mitigate risks. Below is part one of the series, which covers the rise of cybersecurity attacks in healthcare and details key takeaways following the Change Healthcare incident.

Q: What are the major drivers of cybersecurity attacks in today’s healthcare ecosystem?

A: In our interconnected world, it only takes the outage of one or two partners, depending on their scope and scale, to create a significant impact. This unique nature and vulnerability of the healthcare industry requires heightened security and compliance requirements in the face of increased threats. In 2023, healthcare data breaches impacting 500 or more records were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) at a rate of 1.99 per day – more than doubling rates from just five years earlier. These statistics equate to a whopping 364,571 healthcare record breaches every day and more than 133 million records exposed or impermissibly disclosed in 2023 alone.

A large reason for this rise is that healthcare cybersecurity attacks are relatively easy and profitable for hackers. In fact, the most successful attacks in recent years have not been very complex. As a result, I expect these types of attacks to continue as long as it remains easy and profitable for those looking to do so.

To counteract this threat, it is important for healthcare organizations to stay ahead of the game. It’s not about one big company adding more security, it is up to every member to do their part. This includes payers, providers, EMRs, clearinghouses and third-party business process outsourcing (BPO) solutions—all these service providers and consultants play a critical role in the larger healthcare ecosystem and each participant must do everything they can to ensure the health of that ecosystem.

Q: What are some common tactics used by bad actors?

A: Cyberattacks are big business, and as a result, today’s bad actors have become more sophisticated. To prevent attacks, it’s critical to think like one of them. Assess how these attackers operate and identify where your vulnerabilities lie. This is not just an IT team consideration, it’s crucial for everyone in the organization to keep security top of mind.

Educate your staff on the vulnerable cybersecurity attack scenarios/settings below, which are attractive targets for phishing campaigns, ransomware attacks, and other types of cyber threats. By investing in basic cybersecurity measures, training, and awareness for all, your organization can help to defend against these increasing threats from bad actors.

• Help Desks: Most help desk associates are trained to do whatever they can to make the client happy and to get them off the phone. These associates are generally driven by incentives or net promoter scores, making them motivated to keep clients happy and to solve their issue in the fastest way possible. And these individuals are also frequently outsourced. Attackers understand this dynamic, making the help desk a particularly susceptible inroad for bad actors. One common tactic employed by attackers involves calling into a help desk pretending to be a user and requesting a password change, so they can take over that user’s account.

• Reception Area: Like help desks, office reception areas present a prime target area for attackers. Have you ever been at your doctor’s office sitting in the waiting room and somebody up front yelled to the back, “Hey, my computer program logged me out again. What’s the password?” In response, an employee yells out the password. This laissez-faire approach to safety and security could have catastrophic consequences, so associates must be attuned and in line with security best practices in clinical environments.

Q: Who would you say is most at risk? Is that the big players? Or is it the smaller places that might not have the financials to put into security?

A: Cybersecurity is not just an IT issue; it’s a critical business risk that affects organizations of all sizes. While big players may have a higher profile and therefore attract more sophisticated attacks, smaller and mid-sized organizations, such as local hospitals, hospital chains, and business process outsourcing (BPO) companies, are often at risk as well.

In fact, smaller organizations are particularly vulnerable because they typically lack the financial resources and dedicated cybersecurity teams that larger organizations can afford. Hackers often see these smaller entities as easier to breach because they do not have the same level of cybersecurity protections.

Q: What are the key takeaways from the Change Healthcare incident? What measures did Availity take to better safeguard security measures for the future?

A: Following the Change Healthcare incident, Availity took several immediate measures to strengthen our defenses. One of our first action was to bring in Mandiant within days for a comprehensive breach assessment to ensure that Availity did not contain the same kind of malware and to reaffirm our security posture. As a result, we tightened several security policies around day-to-day operations. We work closely with our payer and provider partners to share intelligence and best practices in an effort to strengthen not only Availity, but the community at large. This only increased during and after the Change Healthcare incident.

We also revisited our “defense-in-depth” strategy—akin to securing a home with multiple layers, such as an automated gate, door locks, and a safe. This approach involves creating several barriers to deter attackers and safeguard critical assets. To do so, we enhanced Availity’s verification processes to combat social engineering attacks.

In addition to these measures, we conducted a thorough review of our risk management portfolio to identify any moderate or high risks, and we closed those immediately. We expedited our vendor review process as well; if a vendor did not meet our security or operational standards, we terminated those partnerships much faster than industry norms, achieving what typically takes 9-12 months in just three weeks.

Q: How prepared was Availity? What security tactics were in place before the Change incident?

A: As a trusted intermediary between providers and health plans in the healthcare ecosystem, Availity understands that if our operations are compromised, it could have a cascading effect on other key players in the ecosystem. Recognizing this unique position, Availity was exceptionally prepared because we had proactively conditioned ourselves for this kind of scenario. Nearly a year before the incident, we had already presented potential scenarios to our board, emphasizing the need for robust preparations. We also implemented multi-factor authentication (MFA), now widely discussed as a critical security measure, over five years ago.

Through continuous vigilance, adherence to industry standards, and proactive measures, Availity strives to maintain the trust and confidence of our stakeholders.

Check in soon for part two of the Q&A series, which will shine a light on Availity’s security posture. In the mean time, explore the ways Availity helps healthcare connect here.

About Availity’s CISO

As the Chief Information Security Officer at Availity, Mike leads the creation and implementation of robust security strategies and policies that align with Availity’s mission to facilitate secure and efficient healthcare data exchange. Recently, Mike played a pivotal role in developing proposed regulations presented to Congress, aimed at enhancing the cybersecurity posture of clearinghouses and strengthening the resilience of our healthcare infrastructure against cyberthreats. His efforts are instrumental in advancing national security measures and safeguarding sensitive healthcare data from emerging threats.