What makes the Change Healthcare cyberattack so unique? | Insurance Business America

CAC Specialty head predicts what its impact will likely be on the cyber insurance market

While cyberattacks are a common occurrence for businesses of any size, the Change Healthcare incident is a deviation from the norm, primarily due to the company’s interconnectedness with various key players in the healthcare industry, such as hospitals and pharmacies.

“What makes this particular cyberattack interesting and different than other similar scenarios is that the threat actors went after a true linchpin in the overall US healthcare ecosystem,” said Stephanie Snyder Frenier, SVP of cyber & professional solutions at CAC Specialty.

“Change Healthcare processes claims payments and pharmacy prescriptions as a clearing house and taking them out of the equation has just caused a lot of downstream effects at this point for other healthcare providers that are utilizing this platform.”

What has resulted is a cash flow issue for customers of Change Healthcare — a subsidiary of UnitedHealth Group — due to claims payments being delayed.

“This is causing a lot of healthcare providers pain, as there’s not a lot of wiggle room that providers have in terms of their overall cash flow because we’re only in March and they’ve only started accepting claims payments for this year in January,” Snyder Frenier said.

The question is whether or not organizations, especially smaller healthcare providers, are going to have to shut down to be able to pay people, which could potentially impact healthcare services for patients.

“It’s very concerning,” the SVP said.

In an interview with Insurance Business, Snyder Frenier spoke about what possible effect the Change Healthcare attack could have on the cyber insurance market and what the industry can learn from this high-profile loss event.

How the cyber insurance market could be affected by the Change Healthcare breach

There’s still a lot to be learned about this cyberattack since some of the outcomes related to the event are still purported or alleged at this point.

“Change Healthcare has filed an 8-K in compliance with the SEC’s new cybersecurity disclosure rules. However, it didn’t reveal a lot,” Snyder Frenier said.

There was speculation on what this loss event entailed, primarily through online chat forums, where it has been alleged that six terabytes of data were pillaged during this attack.

BlackCat also accepted a $22 million Bitcoin payment back on March 1, but it’s still unknown if that large sum was paid in association with the cyberattack.

If true, this leads to the potential for a major privacy breach of healthcare information, which is highly regulated at the federal level through HIPAA, alongside the 13 states that have state privacy laws, in addition to the 50 states that have data breach notification laws.

“Right now, we don’t know what’s in those six terabytes of data that were allegedly taken and if any of that information would violate HIPAA laws,” Snyder Frenier said.

Large tech errors and omissions liability claims are also a possibility due to multiple connected businesses being affected by this data breach.

“Related parties could argue that Change Healthcare’s technology product didn’t work as intended because they had a security breach, so there’s also a security privacy aspect to it from a liability standpoint,” Snyder Frenier said.

“The tech E&O and the security privacy liability definitely overlap.”

Lastly, for the companies and organizations using Change Healthcare as a clearinghouse, business interruption can be very cumbersome.

“They may not have a contract in place with another such clearinghouse, which can result in these businesses incurring expenses to figure out how to get these claims paid,” Snyder Frenier said.

“Depending on how long this goes on, we will need to see if there is true net income impact, how large the extra expenses will be and whether or not they breach the retention on cyber insurance policies.”

The SVP believes that this attack is akin to the Colonial Pipeline ransomware event from 2014, where the oil and gas linchpin was the subject of an IT breach that affected the company’s ability to deliver gas in certain areas of the US.

“Colonial Pipeline could still run their business, but they didn’t know what they were pumping and distributing,” she said.

“Because that was on their IT system, they were put in a very difficult position of having to determine if they were going to pay a ransomware demand so that they could get access back to their systems.”

On March 8, UnitedHealth Group revealed that Change Healthcare’s platform will be up and running on March 15, while its medical claims network will be back online March 18.

Lessons from the Change Healthcare cyber breach

According to Snyder Frenier, cyber insurance professionals and the clients they serve can learn a lot from this attack.

“Cyber resiliency is not just about having better firewalls or more MFA, it should include a true third-party risk management plan, understanding the cybersecurity of the third parties that you’re contracting with and then creating redundancies,” she said.

In the case of businesses solely relying on the capabilities of Change Healthcare, it’s smart that they also look to alternative means of collecting payments and not put all their eggs in one basket.

It is important to have incident response, business continuity and disaster recovery plans in place alongside tabletop exercises to practice these plans.

Additionally, Snyder Frenier thinks that cyber underwriters could benefit from understanding cyber risk from another angle.

“We don’t typically see underwriters asking a lot of questions around single points of failure within an industry. There’s a lot of focus on systemic risk in cyber insurance that focuses on what happens if there’s an outage of a cloud service provider or what happens if there’s an outage or a critical vulnerability that’s exploited in an operating system,” she said.

“But are they pulling back and looking across the entire industry to identify the single points of failure since there’s only so many companies that service particular needs of the healthcare ecosystem like Change Healthcare?”

However, Snyder Frenier is optimistic that the Change Healthcare breach will enable positive changes on understanding and underwriting cyber risk.

“There will certainly be a lot of lessons learned,” she said.
