Updated March 8th, 2024 at 16:52 IST

American healthcare is a perfect cyber-hostage

Change Healthcare, the unit of $440 billion UnitedHealth, is the biggest processor of healthcare insurance claims.

Robert Cyran

Backed up. A detective will tell you any crime has three elements: motive, means, and opportunity. Cyberhackers have plenty of motive, reaping over $1 billion in ransom payments in 2023, according to Chainalysis. They have the means, thanks to identity-obscuring cryptocurrency payments. And in the fragile American healthcare system, where hiccups can cause cascading failures, they have a ripe opportunity.

Look at Change Healthcare. The unit of $440 billion UnitedHealth is the biggest processor of healthcare insurance claims, performing 15 billion transactions annually. On Feb. 21, the company disclosed that it had been attacked, later fingering the Blackcat hacking gang. That created a massive and still-ongoing disruption. After all, its systems help doctors determine if patients are eligible for treatment, file and track claims for payment, and handle pharmacy prescriptions.


The American Hospital Association called this the most significant U.S. healthcare cyberattack in history. Big insurers Elevance Health and Humana said claims dropped significantly. Doctors worry that practices - which often run with little surplus cash - may shut down.

The growth of hacking for profit bears much of the blame. Increased dependence on computer systems and the rise of cryptocurrencies, which can be used to collect ransom payments, make hostage-taking easier. Ransomware last year extracted a fifth more cash from victims than in 2020, Chainalysis reckons.


Compared to other industries, healthcare suffers the highest annual average cost per cybersecurity breach, according to IBM. Consequences, whether from shuttered emergency rooms or improper doses of medicine, are high. One study estimated 42 to 67 Medicare patients – elderly Americans covered by government-funded insurance – died as a consequence of hacks between 2016 and 2021. That’s plenty of incentive to pay up.

While this is true for any healthcare system, the United States is unique in its opaque intricacy, as hospitals, doctors, insurers and numerous middlemen fight for who gets what, and how much. This complexity makes effective cyber-defense difficult. It also creates single points of spectacular failure: many of these negotiations happen on Change’s network. When it goes down, the entire system takes a hit.


That has left officials scrambling to respond. Regulators are encouraging plans that privately administer Medicare plans to offer advance funding to affected providers, and said hospitals may ask for accelerated payment. That an isolated hack has potentially drawn government intervention is itself hazardous, since it validates the hackers’ strategy: attack a system that is too complex to fail.


Published March 8th, 2024 at 16:52 IST