
Feb 19 2025

ViVE 2025: Evolving From a Reactive to a Proactive Posture for Healthcare Cybersecurity

Industry leaders share lessons a year after the Change Healthcare attack.

News of a ransomware attack hitting a major healthcare technology vendor broke during last year’s ViVE conference. On the attack’s anniversary, and with a federal investigation ongoing, industry leaders reflected on lessons learned during this year’s conference in Nashville, Tenn.

Reflecting on the Change Healthcare attack, which may have exposed the data of more than 190 million people, Lisa Gallagher, national cybersecurity adviser at CHIME, said that though the focus has been on the ransomware aspect of the crime, the threat actors had infiltrated the company’s network days before.

That’s why advanced persistent threats should be a growing concern for healthcare organizations across the country. Previous cybersecurity approaches must evolve as vulnerabilities, threats and attacks increase across the industry.

“We have to make sure that nothing that happens injures a patient,” Gallagher said. “That can happen from a number of different perspectives. It could be specific to a device that’s connected to them. But it could also be like what happened in our ecosystem with Change Healthcare, where we couldn’t process prior authorizations, people couldn’t get into surgeries, ER slowdowns. So, there’s a lot of ways risks to patient safety manifest themselves.”

Cyber resilience is not a buzzword but a strategy that healthcare organizations must consistently strive toward.


Change Healthcare, One Year Later: Perspectives From the Field

When the first public reports of the Change Healthcare attack surfaced in February 2024, recalled Chelsea Arnone, director of federal affairs at CHIME, her team quickly reacted to the news and kept the organization’s members updated with the latest information.

Arnone also highlighted CHIME’s advocacy on Capitol Hill as a liaison between the industry and policymakers. “We educated folks in the federal agencies. So, when we were hearing just how much our members were financially impacted, we went directly to the Department of Health and Human Services and the Centers for Medicare & Medicaid Services,” she added.  

Even with the new administration, Arnone said, she expects healthcare cybersecurity to still be top of mind and hopes legislation will be reintroduced.

Jason Taule, CISO at Maryland-based Luminis Health, said that when his health system first learned about the attack, the organization cut its connections to the company to mitigate the impact. “Fortunately, we were one of the more lucky organizations, in that we had some resiliency, and the worst possible situation of having to divert patients did not occur,” he said.

A major challenge emerged when the asset management system was used to identify which items to disconnect from: relatively old assets whose records hadn’t been updated when a company was acquired or changed its name had flown under the radar, and these turned out to be impacted.

Calli Dretke, Executive Vice President and Chief Digital and Marketing Officer at CHIME, asks a question of Lisa Gallagher, National Cybersecurity Advisor at CHIME, on Monday, Feb. 17, 2025, during the ViVE conference in Nashville, Tenn.

UnitedHealth Group acquired Change Healthcare in 2022 and merged it with its Optum subsidiary. During a U.S. Senate hearing last year, UnitedHealth CEO Andrew Witty said that the threat actors had entered a server that lacked multifactor authentication.

Even health systems that didn’t use Change Healthcare and thought they weren’t affected learned that they had been impacted.

For instance, James Case, vice president and CISO at Baptist Health in Jacksonville, Fla., said that though the health system used a different company for revenue cycle management, it learned that certain contracts still went through Change Healthcare.

“We weren’t affected that much, but we were affected in pockets, and we didn’t know about that,” Case said. Older contracts that hadn’t been updated to the Change Healthcare name were also discovered. “It had a much broader impact for us and the whole industry than expected.”

As for what healthcare organizations should do in the aftermath of an industry-shaking cyberattack, Taule stressed the importance of having built-in redundancy and stricter security expectations for vendors.

“This is an ecosystem problem, and if we don’t address this as an ecosystem problem, we’re going to be in the same situation,” he said. “The big takeaway is that we all, as customers or as members entering an ecosystem, we have to be more demanding of our vendors and of one another.”

Healthcare organizations should know who their top 10 to 15 critical vendors are and have a backup plan to ensure business and operational continuity, Case added.

“There are many things that happened for which we could’ve been better prepared, and I mean that as an industry,” Taule added. “Do you have the people? Do you have the playbooks? Do you have the alternate means of accomplishing those functions? Do you know who your critical partners are? All of us should have identified Change as one of our most critical vendors.”

He added that his organization has started standardizing security clauses and reconsidering the kinds of vendors it will use for its business.

“This is going to occur,” Taule said. “It may not be this exact scenario, but something on this scale that affects our industry is very likely.”

Photography by Teta Alim