8 lessons from the Change Healthcare ransomware attack

The recent ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), has exposed vulnerabilities in healthcare cybersecurity. The incident illustrates the consequences of such breaches and offers useful lessons for preventing similar incidents.

What happened

Healthcare organizations across the U.S. were thrown into disarray on February 21, 2024, when Change Healthcare fell victim to an unprecedented cyberattack. The attack resulted in the shutdown of over 100 applications necessary for healthcare operations, including those related to pharmacy, medical records, clinical, dental, patient engagement, and payment services.

Initially suspected to be the work of a "nation-state associated cyber security threat actor," further investigations revealed the ransomware group BlackCat as the perpetrator of the attack. Known for its sophisticated ransomware-as-a-service model, BlackCat's highly advanced and elusive techniques posed significant challenges to traditional detection methods, exacerbating the attack's impact and compromising as much as one-third of all Americans' health data.

The repercussions were swift and far-reaching, causing delays in claims processing and disruptions to revenue management services. This prompted Change Healthcare to provide real-time updates via UnitedHealth Group's website, as healthcare providers and pharmacies grappled with the aftermath of the attack.

What can we learn

Multi-factor authentication is non-negotiable

One of the glaring issues in Change Healthcare’s security was the lack of multi-factor authentication (MFA) on its Citrix portal. MFA, though not foolproof, provides an additional layer of security by requiring multiple forms of verification. Its absence likely made unauthorized access much easier for attackers. This oversight shows the need to prioritize basic yet important security measures in any organization’s infrastructure.

Network segmentation limits damage

Once attackers breached the system, they moved laterally with little resistance, exposing the lack of effective network segmentation. Dividing networks into isolated sub-networks can restrict an attacker’s ability to spread malware or access sensitive data. While implementing segmentation requires planning and maintenance, it can reduce the scope of a breach.
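To make the "blast radius" argument concrete, here is an added example (not code from the original article, and not Change Healthcare's real topology) that models a network as zones with allowed connection flows and computes which zones an attacker who controls one zone could transitively reach. The zone names, the flat and segmented policies, and the "crown jewel" and "entry point" labels are all constructed assumptions for illustration.

```python
from collections import deque

# Constructed example zones (illustrative names only, not a real topology).
ZONES = ["vpn_portal", "user_workstations", "app_servers", "db_servers",
         "backup", "clinical_systems"]

# Flat network: every zone may initiate connections to every other zone.
FLAT_POLICY = {z: set(ZONES) - {z} for z in ZONES}

# Segmented network: each source zone (key) may only initiate connections to
# the destination zones (value) its role actually requires.
SEGMENTED_POLICY = {
    "vpn_portal": {"user_workstations"},
    "user_workstations": {"app_servers"},
    "app_servers": {"db_servers"},
    "db_servers": set(),
    "backup": {"db_servers", "app_servers"},  # backup pulls data; nothing initiates into backup
    "clinical_systems": {"app_servers"},
}


def reachable_zones(policy, start):
    """Return the set of zones reachable from `start` by following allowed
    flows transitively (breadth-first search over the policy graph).
    This is the lateral-movement reach of an attacker who controls `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for dst in policy.get(zone, set()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def blast_radius(policy, start):
    """Number of other zones reachable from `start` under `policy`."""
    return len(reachable_zones(policy, start))


def check_policy_guardrails(policy,
                            crown_jewels=("backup", "clinical_systems"),
                            entry_points=("vpn_portal",)):
    """Return (entry_point, crown_jewel) pairs where an internet-facing entry
    zone can transitively reach a high-value zone. An empty list means the
    segmentation policy satisfies the guardrail."""
    violations = []
    for entry in entry_points:
        reach = reachable_zones(policy, entry)
        for jewel in crown_jewels:
            if jewel in reach:
                violations.append((entry, jewel))
    return violations


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = reachable_zones(policy, "vpn_portal")
        print(f"{name:10s} from vpn_portal -> {sorted(reach)} ({len(reach)} zones)")
        print("           guardrail violations:", check_policy_guardrails(policy))
```

Run against a real environment, the policy dictionary would be generated from firewall or cloud security-group rules rather than typed by hand; the reachability check then becomes a regression test that fails whenever a rule change lets an entry-point zone reach backup or clinical systems.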

Mergers and acquisitions demand cybersecurity diligence

The breach occurred shortly after UnitedHealth Group acquired Change Healthcare, underscoring the need for rigorous cybersecurity diligence during mergers and acquisitions. Acquirers inherit not only the assets but also the cybersecurity risks of the acquired entity. A thorough assessment of security infrastructure, policies, and vulnerabilities should be a standard part of any merger process to avoid such weaknesses.

Self-insurance for cyber incidents comes with risks

UHG’s decision to self-insure for cyber incidents sparked discussion about its risk management strategy. While self-insurance can work for some risks, it requires careful evaluation and substantial financial resources. Cyber insurance provides financial coverage and incentivizes organizations to implement stronger security measures, as insurers often require compliance with specific protocols.

Detecting extended dwell times

The attackers were inside Change Healthcare’s systems for nine days before deploying ransomware, using this time to escalate privileges, move laterally, and identify data. Modern attacks often involve extended dwell times, making early detection fundamental. Advanced threat detection tools, monitoring systems, and proactive threat hunting can help organizations identify suspicious activity before it escalates.
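One concrete form of the "suspicious activity before it escalates" monitoring described above is a lateral-movement fan-out detector: an account that opens network logons to many distinct hosts in a short window. The following is an added example, not code from the original article and not a detection Change Healthcare or UHG used; the log format, the account and host names, the one-hour window, the threshold of five hosts, and the impact timestamp are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real telemetry from the incident).
# Each line: ISO-8601 timestamp, event name, then key=value fields.
SAMPLE_LOG = """\
2024-02-12T09:01:10Z logon user=jdoe src=10.10.3.14 dst=WS-0142 kind=interactive
2024-02-12T09:05:44Z logon user=jdoe src=10.10.3.14 dst=FILE-01 kind=network
2024-02-12T22:14:07Z logon user=svc_portal src=10.20.0.9 dst=PORTAL-GW-01 kind=network
2024-02-12T22:16:31Z logon user=svc_portal src=10.20.0.9 dst=APP-SRV-01 kind=network
2024-02-12T22:17:02Z logon user=svc_portal src=10.20.0.9 dst=APP-SRV-02 kind=network
2024-02-12T22:18:45Z logon user=svc_portal src=10.20.0.9 dst=DB-SRV-01 kind=network
2024-02-12T22:21:09Z logon user=svc_portal src=10.20.0.9 dst=BACKUP-01 kind=network
2024-02-12T22:23:57Z logon user=svc_portal src=10.20.0.9 dst=DC-01 kind=network
2024-02-13T08:30:00Z logon user=jdoe src=10.10.3.14 dst=WS-0142 kind=interactive
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT),
            "event": m.group("event"), **fields}


def detect_fanout(log_text, window=timedelta(hours=1), threshold=5):
    """Flag each account that opens network logons to at least `threshold`
    distinct hosts within any `window`-long interval. Interactive logons are
    ignored; each account is alerted at most once, at the moment the
    threshold is first crossed. Returns a list of alert dicts."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events = [e for e in events
              if e["event"] == "logon" and e.get("kind") == "network"]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)  # user -> deque of (timestamp, dst) in window
    alerts, alerted = [], set()
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:   # drop events outside window
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "first": q[0][0],
                           "last": e["ts"], "hosts": sorted(hosts)})
    return alerts


def lead_time_hours(alerts, impact_iso):
    """Hours between the earliest alert and a later impact event (for example
    the moment encryption starts), i.e. how much of the dwell time the
    detection would have given defenders. None if there were no alerts."""
    if not alerts:
        return None
    impact = datetime.strptime(impact_iso, TS_FMT)
    earliest = min(a["last"] for a in alerts)
    return (impact - earliest).total_seconds() / 3600


if __name__ == "__main__":
    found = detect_fanout(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['user']}: {len(a['hosts'])} hosts between "
              f"{a['first']} and {a['last']}: {a['hosts']}")
    # Constructed impact time roughly nine days after the fan-out, echoing the
    # dwell time described in the article.
    print("lead time (h):", lead_time_hours(found, "2024-02-21T05:00:00Z"))
```

The threshold and window are the tuning knobs: service accounts that legitimately touch many hosts need an allow-list or a per-account baseline, otherwise the rule is noisy. The value of the detector is in the lead-time calculation: in this constructed data the first alert fires about eight days before the impact event, which is the window a response team would have had to contain the intrusion.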

Ransom payments don’t solve the problem

UHG paid a $22 million ransom, but this didn’t end the ordeal. Additional threats emerged from other cybercriminal groups, showing that paying a ransom offers no guarantees. Moreover, such payments encourage further attacks and may breach legal or regulatory guidelines. Organizations need incident response plans that include legal, ethical, and strategic considerations around ransom payments.

The healthcare sector is increasingly vulnerable

Healthcare has become a target for cybercriminals due to the value of its data and the nature of its services. The interconnected systems, high volume of sensitive data, and potential for disrupting patient care create significant vulnerabilities. To address these risks, healthcare organizations must prioritize security measures such as regular system updates, thorough staff training, and frequent security audits.

Ransomware-as-a-Service remains a resilient threat

The attack by the ALPHV/BlackCat group showcases the persistence of the ransomware-as-a-service (RaaS) model. Even when major ransomware groups are disrupted, affiliates often continue operations under new names. This resilience requires a multi-layered cybersecurity approach that includes preventive measures, advanced detection capabilities, and well-prepared incident response plans.

FAQs

Who was hacked?

Change Healthcare, a unit of UnitedHealth Group (UHG), was hit by a cyberattack in late February 2024. The attack was carried out by a ransomware group known as ALPHV or BlackCat. It led to significant disruptions in Change Healthcare's operations, affecting many parts of the healthcare industry and millions of Americans who rely on these services.

Who owns whom?

Change Healthcare was acquired by insurer UnitedHealth Group’s Optum division in 2022. As a unit of UnitedHealth Group, Change Healthcare provides technology and services to the healthcare sector, including payment and billing, prescription processing, and data analytics.

Who was affected?

The cyberattack on Change Healthcare had far-reaching impacts, affecting millions of Americans who use Change Healthcare's platform either directly or indirectly. The following parties were significantly impacted by the cyberattack:

  • Physicians and hospitals, whose ability to bill, manage, and issue prescriptions and healthcare procedures was impaired.
  • Pharmacies were unable to get information and properly fill prescriptions.
  • Individuals looking to make health claims and fill prescriptions were also affected by the breach.
  • Numerous healthcare organizations, health systems, health plans, and vendors were impacted, leading to disruptions in revenue management services, prescription fulfillment, and delayed payment processing.