In this episode of the HIPAA Vault Show, we delve into two pressing issues in the realm of healthcare data security. First, we spotlight the recent ransomware attack on Change Healthcare by the RansomHub gang, marking the company’s second major cyber threat. The attackers have compromised 4TB of sensitive data, including information on US military personnel and medical records, and are demanding a ransom with threats of selling the data if their demands are not met. This segment examines the implications for HIPAA compliance and the broader healthcare sector, analyzing how businesses are struggling financially due to delayed insurance payments stemming from the attack. Round 2: Change Healthcare Targeted in Second Ransomware Attack https://www.darkreading.com/cyberattacks-data-breaches/round-2-change-healthcare-targeted-second-ransomware-attack In the second part of the episode, we focus on the importance of regression testing in safeguarding Protected Health Information (PHI). This discussion emphasizes why business leaders should take the helm in ensuring that applications handling PHI not only meet functional requirements but also comply with the HIPAA Security Rule. We’ll explore the key aspects of regression testing and discuss strategies for integrating these processes into the broader business strategy to enhance PHI security and ensure compliance.
Transcript:
Adam
Hello and welcome to the HIPAA vault show where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine and joined as always, by Gil Vidals.
Gil
Hello, Adam. Ready to go today?
Adam
Look forward to getting stuck into our topics this week. So we’re talking about regression testing in healthcare and healthcare applications. But before we dive into regression testing, we’re going to talk about our breach of the week. And it’s a. It’s a big one, Gil, this week. So this is the second.
Gil
Okay, the second attack.
Adam
So it’s round two. Change healthcare. So they’re targeted by a second runs ransomware group, Ransom Hub. And yeah, the long and short of it is it’s not good news for change healthcare and United Health and all the many thousands of healthcare facilities that use them. Four terabytes of sensitive data stolen from the beleaguered healthcare company. The ransomware gang issued a warning to change healthcare at its parent company, UnitedHealth, emphasizing the exclusivity of their chance to protect their clients. Data. Data. So this is, you know, typical ransom tactics. They said it’s not yet been leaked. The data includes the. The personal data of military personnel, us citizens, Social Security numbers, amongst other things. And, yeah, it’s. It’s just gone from bad to worse.
Gil
Yeah, I talked to my wife, who’s a pharmacist, and she went to her physical therapy appointment. She hurt her leg the other day. So she was at PT and the PT therapist said what’s happening is a lot of the medical offices haven’t been paid for months. So they get a patient and then they submit the paperwork to the insurance provider, which is this company here, UnitedHealth and change healthcare. And when they submit it’s just crickets because they can’t work, they can’t process the payment. So this physical therapist was telling my wife that a check came in for $66 after waiting for months. And now what they’re doing, they’re having to rotate staff. So the staff that comes into medical office, they can’t pay them their paycheck. So they’re just telling them, hey, sorry, you know, maybe.
Gil
Maybe you can work this week and you work the next week. They’re alternating employees because they can’t pay the whole staff. So it’s just gotten really ugly. And you can guesstimate what’s happening based on the other ransomware attacks that we know more about on the back end. What’s happening is they’re negotiating. So these overseas offices where the hackers are, they are negotiating for how many millions of dollars they want to get to release this information. And so they’re busy trying to negotiate that.
Adam
Yeah. And reading between the lines, it seems like the, one of the main issues, at least with the first ransomware group and change healthcare, was that there was a lack of disaster recovery policies, it seems. I mean, I was looking at a, a press release from Senator Warner on the change healthcare cyber attack says this ransomware attack on a major health company should surprise no one. For some time, I’ve been sounding the alarm on the need for the entire healthcare sector to drastically step up its game when it comes to cybersecurity. We’ve seen incidents that have caused regional disruptions in clinical care, and it was only a matter of time before one disrupted the ability to treat patients nationwide. And. Yeah, so this was on the first one because this is March 8.
Adam
This second one, which was April, is only going to bolster those calls from officials to step up in the health care, the cybersecurity practices.
Gil
Yeah, it’s just terrible because, of course, they’re trying to extort money, you know, big dollars, but it’s disruptive to the healthcare industry. Sometimes these attacks cause some of the. Well, not sometimes, all the time. The ransomware attacks when they lock up the systems, they can’t use the billing system, what we just discussed, so they can’t pay their employees, but also sometimes a critical monitoring of patients so that the actual systems that do some of the health monitoring doesn’t work either inside the hospital, what it looks like, according to Terry, the pharmacist we talked to, she says they have to go to paper mode so quickly, the hospital tries to convert back to the old days.
Gil
And Terry, who’s older, said that the problem is that young pharmacists, young nurses, they’re not trained in the paper old school way, the way it used to be done. So the older pharmacists and nurses and doctors, they can pivot because they remember their first ten years of their career, you know, 30 years ago. They can kind of remember and they do it. But the newer ones that graduated five, 6710 years ago, they have no clue. They’re like, what form do we get? Or how does a form work? And where do I fill it out? I mean, they’re lost.
Adam
Yeah.
Gil
So it’s chaos inside the hospital. The clinics aren’t paying their employees because they can’t, and it’s really crippling. And for those of you who aren’t reading or keeping up with the ransomware, keep in mind that these aren’t what you see in the movies where you see some teenager with the hoodie hunched over clicking around. This is not that this is a corporation in Russia or China or the Ukraine or one of those countries. It’s a corporation with a CEO and hundreds of well trained programmers, software engineers, some of which are trained at MIT, by the way, and Stanford. They hire the best of the best. They send them over from Russia and China to be trained in the US. Think about that. Then they’re back in their home country and they’re getting paid a lot of money to figure out.
Gil
And these companies, these organized crime, are making millions and millions of dollars a.
Adam
Month and they’ll collaborate. So it could be single entity leading the effort. And then they’ll have thousands of different solar subcontractors. Yeah, it’s a whole industry.
Gil
So it’s a serious, very serious concern. And you know, who has the answer and we’re not, we don’t have the answer here in this podcast. But obviously this is like becoming a nation state attack, right? The government probably going to step in one of these years and try to see if they can do something about it. But it’s pretty devastating at this point. And the insurance, another thing we haven’t even mentioned is insurance companies are raising their bill. We, were seeing a bill that came in for, it used to be 8000 for insurance related to tax and it went up to 20,000 as an example. So eight to 20, that’s not quite twice as much. It’s what is that 250% increase or something like that. So insurance companies have to increase that. Costs are getting higher. And guess what?
Gil
You pass that cost on to the consumer. So the consumer is the one that pays for all of this. They get worse patient care. They have to pay more for it because the insurance has gone up. So you have to pass it on to the end consumer. So it’s pretty bad all around. And yeah, don’t really see a solution around the corner either.
Adam
Listeners, viewers, if you have been directly affected by this cyber attack and have more information and would like to share your experiences, please reach out to us at podcast@hipaavault.com or if you know anyone, share this video and we’d be happy to talk to them. We want to stay up to date and keep everyone else up to date on this.
Gil
Yeah, good comments on that. Well, I did want to mention one thing specifically because our audience can help. You know, it’s like, how can you help? Yeah, there some of these attacks, a decent number of them are happening because the organizations have an application that allows remote people to log in. And, you know, we’re in the day and age where people are working a lot from home. Even. Even radiologists can work from home now. They don’t need to go to the office. They can see all the. The charts and the x rays from their home. So you can imagine these hospitals, they have this equipment, these servers where you can log in. Well, those are great attack points because once the attacker finds a vulnerability with that software, they’re able to log in and get right into the system.
Gil
So this remote access software that’s being used in hospitals and offices across the United States, that is a favorite attack point. And once, like I said, once they get in there, they’re able to tunnel in and get into all the servers. And, and these attackers, by the way, they don’t just go in and they’re like, we got in. We’re done. No, when they go in, they’re very stealthy. They can sometimes stay in. It’s been known sometimes over a year before they do anything. It’s like, well, why do they take so long? Because they are in there diagnosing the entire network, finding out what everything’s worth, wherever. And then they. Then after a year, they may say, okay, we’re ready to go. We’ve prepared. We know what to do. They launch the attack.
Gil
They start freezing all the systems with this encryption key, and then they go and they ask for the money. Right? But they’re so well prepared, and they’re in there for a long time before anybody realizes it.
Adam
Yeah, that’s a great point. And I think one thing to note is that when you’re using software that is installed on your machine locally and it’s running on your local machine, the software might claim to be HIPAA compliant, and it would be, from a software standpoint, if it’s installed on your machine, then it’s your company’s responsibility to manage the security of that machine. And to your point, Gil, if you’re logging into that machine using a remote client, then it opens up avenues to attack, like you mentioned. So I’m wondering, does that add weight to the idea of moving away from clients installed software to software as a service models like cloud hosted software?
Gil
Well, it is a ticking time bomber if you have VPN access to a for your trusted employees. But then where are they logging in from? Not all these companies issue laptops. Some do, some do. They say, okay, you’re an employee, here’s your lockdown secure laptop. Use that. But some of them don’t do that. You can use whatever windows machine you have and log in from your windows machine, and meanwhile, that windows machine is infected with all sorts of viruses and clandestine programs. So as you can see from just a few minutes we’ve been talking, this thing is a very hairy situation with lots of different angles and risk points. So it requires a lot of expertise and a lot of security. And it’s not an easy thing to solve.
Gil
Obviously, it’s not easy to solve because these hospital chains are spending millions of dollars on security and it’s still not working. Still not working. So it’s not just about the money. Like, oh, we don’t have enough money to protect ourselves? Well, those guys have enough money. The hospitals have enough money. They’re spending a boatload and they still can’t do it. So it’s not a matter of, well, there’s not enough money. No, there is enough money. They just haven’t figured out how to properly secure the systems to prevent this from happening. That’s the real issue here. It’s the knowledge they don’t know how.
Adam
So, shifting lanes. Regression testing is our topic for today. And Gil, I know we wanted to talk about regression testing specifically when it comes to healthcare websites and applications. If someone has a healthcare website that they’re updating and they have a developer that’s making the changes for them, or they have more complex application that they’re developing and it’s constantly updating. We were talking about this offline, and you’re saying that the responsibility for the regression testing should be on the business side of the organization rather than the technical side of the organization or the developers. So let’s talk a little bit about that. Maybe we should start from scratch and just explain what regression testing?
Gil
Yeah. So first, let me just tell a story, right? So there was a pharmacy consultant who had a website offering the services they did, and they noticed that they’re spending advertising and they have their website and they weren’t getting any leads. Well, as it turns out, there was an update that had been done many months ago, and that update somehow foiled their contact form. So when you fill out the contact form, if an interested prospect comes along, fills it out, that form supposed to send an email or a text saying, hey, somebody wants you to contact them. It’s a lead that wasn’t working. Nobody knew about it. So they’re spending lots of money on advertising, but yet the leads didn’t flow through. So it’s a business impacting problem in this story.
Gil
And the solution is to have somebody during the marketing meeting, like once a week, just spend 30 seconds. Imagine that. Just spend 30 seconds and you can fill out a form quickly and then see if the intended recipient of the organization receives it or not. So that’s an example of testing something easily. And the regression is, by regression, it means that you’re seeing if you broke something that used to work, right. So you have a website or web application, healthcare app, and it does ten different things after you update that healthcare app or website or both, maybe those ten things don’t work anymore. Maybe nine out of the ten work, but one doesn’t work. So how do you test it? Well, it’s easy. If you know the healthcare app, you can have one of your employees, doesn’t have to be a technical programmer.
Gil
In fact, it’s preferred they’re not. It’s preferred that it’s somebody who’s just used to using the software. Fill out the form, they click the button, they enter a field, a value in a field, they hit the next button, they do their normal workflow operation, and then they see the results. If the results aren’t expected, then you say, timeout, timeout. That last update we just did last night broke something. We need to roll back the update or fix the issue and then apply a patch. But the idea here is that you don’t want just the technical people doing this because either maybe they don’t do as thorough job as the frontline business people who are more concerned about the business flow, or they get busy and they forget. And we’re talking about applications that are at a certain level here.
Gil
Now, there’s a whole other world that is not really in line with this conversation, but there’s a whole other world where healthcare applications are too extensive. There’s too many of them. You have to use automated unit testing, where you have, you buy software that can actually test on your behalf. And then there are engineers that are unit testing experts that can come in and sometimes they work for these organizations. And their whole job in life is to automate the testing because the application has gotten so big and so wide that you can’t expect staff to running around testing every time you make a change. They spend too many hours testing, so they help automate it.
Gil
But for our audience, we have a lot of customers that have a healthcare app that is well within the scope of having their employees or the owners themselves tested. And you can’t really emphasize that too much. We’ve seen so many of our customers who complain about something being broken, and it’s a lot of times after they update the site, they go, we update our application now, it doesn’t work. Well, something in your software code changed.
Adam
Yeah. So what I’m understanding there is regularly meet to assess all, you know, aspects of the website or the web application. And also every time you make an update, do the regression testing. Is that right?
Gil
Yes. Yeah. And I would do that every time. Now it’s good to get in a rhythm where you say, well, we’re only going to do updates on Friday, at 02:00 or before Friday two. So even if you have three or four updates to do, you save them, do them one time, and then you have your testing people, usually you want more than one regression tester, and they get on the keyboard and they open up the application, they pretend they’re a customer of the software, and they just go through some of the key components. Yeah. And then they just sign off. They go, yep, everything’s working great. This, this update worked. Everything’s fine. If they find anything, it doesn’t work. They say, hey, they let the manager know, hey, this didn’t work. Something broke.
Gil
And then they go back to the technical team and they let them know, look at this error I got here. But it’s, I think it’s a, I personally think it’s better to have the business world and the tech world work as a team rather than it’s just all up to the tech world again. The tech world should interface with the business world. And I don’t think a separation entirely is wise. I think the business manager says, hey, I got a lot writing on this. They should have some responsibility, too.
Adam
Yeah. So when it comes to healthcare specifically, and if you’ve got a healthcare application, Gil, we, there’s a HIPAA law. There’s a security rule in place, and it mandates that protected health information be protected through various safeguards. And specifically, when it comes to regression testing, I think applicable is it does mandate contingency planning. It also mandates a data backup plan, an emergency mode operation plan, as well as technical safeguards as to where everything’s stored. So that fits in to the regression testing topic in a sense of, well, HIPAA also mandates that there’s these safeguards in place. So I think regression testing just comes as a natural part of all those procedures.
Gil
Well, but, I mean, I kind of disagree with this in some ways because you could have the most beautiful business continuity and recovery plans where if there’s a fire and burns down the computers. You say, well, that’s okay. We have computers in Kentucky that can take over instantaneously. So all of that is just there to make sure the system is working. But think about it. If the systems are all working and you have all these contingency plans to make sure the system is software working, but then there’s a bug in the software, there’s a bug that was pushed out when the last update was made.
Gil
All of this extra backups and all recovery, all that doesn’t help in that case, because it’s a functionality that’s broken that somebody had to go, should have gone in and tested and discovered, hey, this last update we did really screwed things up here. And then they go back and go, my gosh, we made a mistake. The software engineer has to fix that and patch that. And then you test it again and they go, and now it’s working. Now we can go have a beer on Friday. Yeah.
Adam
So it’s not enough to say, oh, it was backed up because you.
Gil
Right, right. Yeah, exactly. That’s probably a better way to say you’re just backing up your bad code, your bad application is just being backed up. So that doesn’t really help. I’m not saying that backups and snapshots aren’t important. I’m just saying that in this case, they’re both important. Right. One is useful for a different reason. Well, hopefully that helps. So, again, just as a recap, from my point of view, the regression testing, especially in smaller and mid level applications, can really be done, and I think should be done by the staff that uses that software, the ones that are interfacing with the customer. They’re the ones should be testing it.
Gil
But, and then also, I think, yeah, you alluded to something really important, Adam, is you can have a staging server, UAT server, they have all these acronyms for it, but basically a development testing area where you could test it first there. Do your testing there first. So your software developer says, we have a new push to make. We have the code, we pushed it out. That should be done in development. They should test it there themselves. But then even the business side should test it in development as well. And only then do they say, okay, now it looks great, let’s push it into production. Now, what’s in production? You got to retest it again. So you’re testing it twice, once in development, once in production. Hopefully, when you test it in development, you’ll catch it. Almost everything.
Gil
But you’d be surprised I’ve seen many cases where thorough testing is done on the development side, and when they push it to production, it doesn’t work. You say, well, how can that be? We tested it thoroughly. And the reason why specifically why does that happen is because the development environment is different than the production environment. The production environment is communicating with APIs, with vendors, all of this stuff. Whereas the development isolated, the environment is different. So the same exact code. Exactly the same code in a different environment behaves differently.
Adam
Yeah. It’s like a boat on a lake versus a boat in the sea.
Gil
Yeah, completely. When you have a different environment, you got to test all over again. You can’t just say, well, I test in development, I’m good. Let me just, you know, be done for the day. Nope, you’ve got to test it in production. So, yeah, I think this is a very, I like this conversation. I, and I, hopefully some people listening, especially business owners, say, hey, wait a minute. You know, we haven’t been doing that and, or we’ve been doing it. But my developers, sometimes I can tell they get busy. They’re, they are busy. They’re doing good work. They’re busy, but they don’t always have time to tell. Test as thoroughly as you would as the owner or as the manager. You would probably test a little bit more thoroughly through a different lens.
Adam
Right?
Gil
Yeah, it’s a different aspect too. So everybody’s busy like, oh, Gil and Adam are giving me something else to do. But this is your livelihood, right? It’s worthwhile. Certain things you just can’t put off at all or you couldn’t or you shouldn’t put off and have someone else do. This is really should be your responsibility.
Adam
Yeah, absolutely. Everyone is busy. And on that note, I think that’s all the time we have for today. So thank you all for listening and watching. Please do subscribe. Share like, and until next time, thanks for stopping by.
Gil
Thank you. Then.