Change Healthcare Ransomware Attack Represents Every CISO’s Worst Nightmare

ExtraHop CEO Greg Clark asks if this event changes the cyber risk calculus for other large, complex organizations in the critical infrastructure sector.

Greg Clark

May 20, 2024

The February 2024 ransomware attack on Change Healthcare is a perfect example of the kind of black swan cyber event that every CISO quietly dreads and prays will never happen: a devastating cyberattack that exposes the sensitive data of millions of customers, paralyzes an entire industry for weeks, and eats away at a company’s earnings for quarters and years to come.

The attack on Change Healthcare also highlights the inherent challenges of the CISO role: the responsibility to manage a potentially catastrophic risk with limited budget and staff, the resulting pressure to make risk acceptance decisions that sometimes compromise their integrity or contradict their better judgment, mounting obligations to report incidents to regulators within 72 hours, and criminal liability for cyberattacks.

Given the ongoing and far-reaching impact of the ransomware attack on Change Healthcare and the fact that the CEO of its parent company was summoned to testify before Congress earlier this month, I wonder if this unprecedented cyber event will change the risk calculus for other large organizations in the critical infrastructure sector. Put another way, will large organizations that create systemic risk for an industry or an economy be more apt to implement more rigorous cybersecurity controls? Will their risk tolerance for cyber incidents of this scope shrink?

For the millions of people whose sensitive health data was compromised, for the clinicians who went or are still without pay, and for the small healthcare providers who’ve had to shutter their doors in the aftermath of the ransomware attack, I hope the answer is yes.

The attack on Change Healthcare may very well be a watershed moment for other large, complex critical infrastructure organizations. Cataclysmic cyberattacks can be transformative events for organizations.

Consider how Equifax completely transformed its cybersecurity function in the aftermath of what was then a precedent-setting breach in 2017. The board of directors brought in a new CEO who made cybersecurity a priority and hired Jamil Farshchi as CISO. Equifax reportedly invested $1.5 billion in its cybersecurity transformation and is now widely recognized as a leader in cyber.

Naysayers may claim that other high-profile cyberattacks haven’t led to significant security transformation. But apart from NotPetya and SolarWinds, few attacks have reached the significance and severity of the attack on Change, and arguably, both NotPetya and SolarWinds led to a step change in cybersecurity governance and cyber risk management inside many organizations.

Now that business leaders have seen how much upheaval, disruption, and chaos can stem from insufficient cybersecurity controls, and now that they can be held criminally liable for security breaches, they may be far more likely to ensure that their organizations have the right controls and that those controls are deployed everywhere they need them to prevent a catastrophic incident and buy down risk. When it comes to cybersecurity, in healthcare or any industry, an ounce of prevention is always worth a pound of cure.
