Your business's survival could heavily rely on your understanding of how technology impacts your day-to-day operations and your readiness to navigate business operations even without it. Are you equipped to meet this challenge?
The cyber-attack on Change Healthcare in 2024 and its mishandled response will be studied in business schools for years. The case offers important lessons, particularly demonstrating the impact a vendor disruption can have on a business's survival.
You may not have heard of Change Healthcare before this breach, but as the largest U.S. medical insurance clearinghouse, thousands of hospitals, insurers, and pharmacies nationwide of all sizes and complexity depended on Change Healthcare to facilitate billing, payments, benefits evaluations, and data exchanges. These are all the behind-the-scenes processes necessary to collect payment. With 1 in 3 patient records affected, the disruption of Change Healthcare meant that money stopped flowing and revenues dried up for healthcare providers. The attack caused severe financial strain on the healthcare sector, with healthcare executives warning of the “devastating” financial fallout from the hack and of “significant cash flow problems” facing healthcare providers. With no cash inflows, owners had to find alternate sources of cash, either through additional equity investment, bank loans, funding assistance programs through UnitedHealth (Change Healthcare’s parent company), or close their doors.
A survey by the American Medical Association (AMA) revealed the extent of the damage caused by the Change Healthcare cyberattack. Among the surveyed practices affected:
- 36% experienced suspended claims payments.
- 32% were unable to submit claims.
- 77% reported service disruptions.
- 80% lost revenue from unpaid claims.
- 78% lost revenue from claims they were unable to submit.
- 55% used personal funds to cover expenses incurred due to the attack.
The reality is that executive management often perceives the business impact analysis process as a regulatory issue and delegates it to compliance, audit, or IT departments. The Change Healthcare cyberattack clearly debunks the myth that business continuity planning is part of the regulatory obstacle course and provides evidence that the input of business owners and executive officers is crucial in preparing the business impact analysis and developing the business's survival plans.
Amidst the chaos of the 1906 San Francisco Earthquake and the subsequent fires, entrepreneur AP Giannini reopened his business on the pier using only two planks for a desk. He conducted business "on a handshake," providing stability and trust in a time of uncertainty. While AP Giannini may not have had the luxury of a written business continuity plan, business impact analysis, or testing scenarios, he did have a survival plan.
Will your business continuity efforts provide the essential cash flow needed to survive as a going concern? Or will your business continuity plan merely ensure that employees can update their resumes before the lights are turned off?
Every business should consider how it collects payments, the technologies that enable this process, and the vendors that support it. What is your survival plan if those vendors are attacked or those technologies fail? Do your customers and suppliers have survival plans in place?
Before your next business continuity planning exercise, set aside modern risk management methodologies and terminologies and think like Giannini did: think survival.
And survive he did. A.P. Giannini's Bank of Italy eventually became Bank of America. Giannini is credited with inventing many modern banking practices, offering banking services to middle-class Americans, and pioneering the holding company structure.
The Change Healthcare cyberattack demonstrated that simply having backups is insufficient, as recovery from ransomware attacks may take longer than expected. Paying the ransom is not a guaranteed solution. The attack also highlighted the risks posed by third-party vendors and the need for businesses to enhance their scrutiny of vendors' cybersecurity protocols and build in redundancies to avoid relying on a single source by establishing connections with alternate vendors.
Boost Your Cybersecurity Posture
No matter the industry you're in, it's crucial to be prepared for unexpected challenges that can disrupt your business, tarnish your reputation, or harm your employees.
Be Prepared for Any Scenario
Take the frustration out of risk assessments, vendor management, business continuity management, and other critical cybersecurity risk management tasks by using TRAC.
See How TRAC Can Work for You