In modern times, global interconnection and increasing dependence on digital technology have profoundly shaped the business landscape. However, along with the benefits of digitalization come significant challenges, with cyber security emerging as a crucial issue for the stability and continuity of companies. The recent attack on Change HealthCare in the United States illustrates how a breach in digital security can have a devastating impact on vital sectors such as healthcare.
This article explores the complex intertwining of cybersecurity and business, highlighting the pressing need to prioritize digital protection strategies in all operational phases. In a world where digitization is inexorable, the absence of robust cybersecurity measures is tantamount to a shot in the dark for companies, exposing them to risks that could compromise their reputation, finances and even their survival in the competitive market.
Without cybersecurity, business is at risk
Between February 21 and the first week of April 2024, about half of the hospitals, clinics and diagnostic services in the United States had a big problem: they couldn’t get paid for the services they provided. The reason is that on February 21, the company Change HealthCare, which specializes in processing financial transactions in the sector, suffered a ransomware attack and had to take more than a hundred online services offline. Unfortunately, the company is the largest transaction processor in the US healthcare sector, handling around 15 billion transactions annually – half of all charges from US healthcare providers.
As a result, payments, receipts, reimbursements, exam authorizations, requests, appointments, issuing prescriptions – everything was affected. In a survey of 1,000 hospitals in the first week of March, the American Hospital Association (AHA) found that a third of them lost half their financial revenue because of the attack. And 74% reported direct impacts on patient care.
Impact on finances and service
The financial impact was felt in no less than 94% of the hospitals surveyed, according to the AHA report. And that’s not all: a huge number of pharmacies couldn’t even deliver medicines to patients because Change’s system stopped displaying doctors’ prescriptions. Many clinics didn’t have enough money to cover the February payroll.
For some experts, the Change HealthCare incident was the most disruptive ever recorded in US critical infrastructure: the duration of the Change HealthCare downtime may not be considered exceptional, but its long-term impacts are considered extraordinary. And now the scenario could get worse, because the matter has already reached the courts: there are more than 20 lawsuits against Change’s parent company, UnitedHealth Group.
The scope of this incident can be considered a demonstration of the degree of digitalization of a sector that is not only strategic but also critical. It is a sector as important and strategic as finance, logistics and so many others that – despite operating under constant cyber risk – benefit people, companies, governments, cities and other organizations with fast digital platforms. Anyone who has experienced the Brazilian banking system operating on the basis of paper and the physical transportation of documents cannot fail to appreciate modern financial instruments such as the instant transfers provided by the Pix system, for example, or international money transfers, which take place in seconds on the various platforms. The advantages of digitizing processes in all sectors of society are indisputable.
However, digitalization done well needs to be accompanied by cybersecurity from the design phase onwards, so that fundamental aspects such as competitiveness, growth and business continuity are not jeopardized by a failure or an external threat.
You can't accuse without proving
In the case of Change HealthCare, the fact that the cyber attack was so widespread and had so many consequences for the American economy meant that several investigations were launched. They are being carried out not only on the initiative of the company itself (which needs to give answers to customers and shareholders) but also by police organizations and the federal government. Some will need to determine whether the company exercised foresight and applied sufficient cybersecurity measures. But until they are completed, no one can accuse the company of any negligence.
Few cyber incidents have so clearly demonstrated the connection between cybersecurity and business and its importance for business continuity: the hacking of servers and systems not only disrupted economic relations between thousands of medical service providers, but also tore a hole in the company’s reputation and cash flow. Worse still: its competitors stepped in to serve the sector, helping healthcare providers who were unable to send their invoices, in a demonstration of how market loss is also part of the consequences of a cyber attack.
Although company administrators – from management to boards – do not reach a consensus on the appropriate hierarchy for information security managers (chief information security officers and other nomenclatures), facts like this show that there is an unavoidable need to bring discussions about cyber-risk to the boards of directors. It is no longer possible to ignore the fact that this type of risk, if poorly managed, can have irreversible consequences for business continuity.
A shot in the dark
Unfortunately, even with this evidence of the importance of cybersecurity and its managers, there are still few boards where there is a seat for a cyber specialist: in most micro, small and medium-sized companies, this specialist is within the IT structure and subordinate to the CIO. In other words, there is no guarantee that senior management will receive information directly from that specialist.
Despite this situation, research and statistics gathered around the world on the subject have shown an evolution in cyber maturity at the same time as the digitalization of companies is accelerating: all directors and shareholders know that business depends – to varying degrees – on systems that cannot stop. They also know that they can’t give up on making the company more and more digital.
In other words: digitization is inexorable. But without the protection of cybersecurity, it’s a night flight without instruments.