What can we learn from the Change Healthcare ransomware attack?

The ransomware attack on Change Healthcare serves as a stark reminder of the vulnerabilities within the healthcare sector. From fundamental security mistakes and strategic shortcuts to emerging industry trends, this incident provides ample fodder for thought on how not to become the next high-profile victim. The lessons emerging from Change Healthcare’s disastrous ransomware attack, which starkly illustrated the fragility of the healthcare sector, have prompted calls for regulatory action.

The Immediate Impact: Chaos and Disruption

The February attack disrupted insurance claims processing across the United States, creating chaos for clinics, pharmacies, and patients who were left unable to fulfill pre-authorized prescriptions or medical treatments covered by insurance. The flow of payments to healthcare providers processed by Change Healthcare was brought to an abrupt halt as systems were taken offline in response to the attack. Smaller healthcare providers and rural pharmacies, in particular, experienced huge revenue losses because of the attack, with some coming close to insolvency. Ultimately, the attack exposed personal data of potentially a third of all US citizens and cost parent company UnitedHealth Group (UHG) more than $872 million to deal with the attack and the disruption it caused.

The Financial Fallout

Part of these costs involved offering accelerated payments and no-interest, no-fee loans to thousands of providers. Another portion was earmarked for incident response and completely rebuilding Change Healthcare’s systems from the ground up. Revenue loss included, it is estimated that the attack will cost UHG over $1 billion. In response to the attack, US politicians have called for mandated baseline cybersecurity standards in the health sector, as well as better information sharing. They have also raised concerns that industry consolidation is increasing cyber risk.

The Essential Role of Multi-Factor Authentication (MFA)

During Congressional testimony in early May, UHG CEO Andrew Witty revealed that criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, a technology that allowed remote access to desktops, on or around February 12. The portal was not protected by multi-factor authentication (MFA), a basic enterprise security control. While not entirely bullet-proof, MFA has long been considered a best practice for securing systems against credential attacks. The lack of MFA played a key role in the attackers' ability to remotely access the systems at Change Healthcare, making the incident highly avoidable and a massive failure to adopt even the most basic cybersecurity principles.

“What we don’t know is the reason why there was no MFA; was it incompetence, a budget limitation, user demand, or something else?” said Tony Anscombe, chief security evangelist at ESET. Trevor Dearing, director of critical infrastructure at Illumio, commented: “Too often a lack of efficient security controls is a factor in a successful ransomware attack. Whether that is a lack of MFA controls, an unpatched web portal, or a DLP (Data Loss Prevention) system with an elapsed license, any hole can create a massive breach.”

The Importance of System Segmentation

After gaining a foothold on Change Healthcare’s systems, the attackers moved laterally and exfiltrated data before deploying the ALPHV/BlackCat ransomware nine days later, on February 21. Another issue raised in many post-breach reports is that Change Healthcare’s systems suffered from a lack of segmentation, which enabled easy lateral movement by the attackers. Segmentation involves breaking down a large network of systems into smaller, isolated subsegments, which limits lateral movement and makes it easier for security teams to secure and monitor IT assets. Segmentation has long been a key part of defense-in-depth strategies.

Cyber Due Diligence in Mergers and Acquisitions (M&A)

The Change Healthcare ransomware breach also offers lessons about post-merger due diligence on acquired systems. UHG acquired Change Healthcare, the US’s biggest clearinghouse for medical claims, in October 2022, after a legal battle with the US Department of Justice, which argued the acquisition would harm competition in the markets for health insurance and the technology used to process health insurance claims. As a result of the acquisition, Change Healthcare was merged with UHG’s Optum health services company, with Steven Martin, Optum’s CIO and CTO and UHG’s CISO, leading security operations.

Mergers and acquisitions create new cyber threats because they involve the integration of systems, data, and processes from different organizations, each with its own security protocols and potential vulnerabilities. Aron Brand, CTO of CTERA, advised that a comprehensive due diligence checklist is essential for both healthcare and non-healthcare organizations during mergers. This should include exhaustive security audits to evaluate the acquired company’s cybersecurity posture, identify vulnerabilities, and assess their incident response capabilities.

The Risks of Self-Insuring Against Cyber Incidents

In response to questions during Congressional hearings, UHG chief exec Witty admitted that the company was “self-insured” for cyber incidents. Cyber insurance providers mandate a high level of risk mitigation before they approve a policy, providing an incentive to ensure hardened systems. ESET’s Anscombe criticized the decision to self-insure, stating, “The option to self-insure and accept the risk, the stance Change Healthcare appears to have adopted, should not be at the expense of cybersecurity measures.”

Early Detection and Monitoring of Threats

The attackers loitered on the Change Healthcare systems for over a week before deploying ransomware. This kind of delay is not atypical in enterprise attacks, according to experts. The time taken for attackers to escalate privileges and move laterally in compromised networks does not mean there’s a higher chance of being discovered. Attackers disguise their activities by abusing legitimate programs and commands that blend in with regular traffic. Silobreaker’s Baumgaertner commented that ransomware groups typically spend a long time within a victim’s system to cause the most damage possible.

The Debate Over Ransom Payments

UHG chief exec Witty confirmed that the healthcare conglomerate had paid the equivalent of $22 million in Bitcoin as ransom to cybercriminals from the BlackCat/ALPHV ransomware group. BlackCat/ALPHV subsequently pulled off an exit scam, cheating its affiliate Notchy out of its share. The decision to pay the ransom has reignited the wider debate over whether it’s permissible to pay out on the extortionate demands of cybercriminals, especially as paying the ransom does not guarantee attackers will delete stolen data or refrain from future attacks. Recent surveys show that double extortion is part of 77% of ransomware attacks. Ransom payments can incentivize cybercriminals to target other organizations, creating the ethical dilemma of perpetuating the cycle of ransomware attacks.

The Heightened Risk for Healthcare Providers

Secondary scams are becoming increasingly commonplace, and healthcare providers are particularly at risk. A health data leak is a tantalizing prospect for cybercriminals intending to carry out a ransomware attack, knowing that a healthcare body will be paralyzed if it can’t access data to provide patient care. The US Department of Health and Human Services (HHS) is investigating whether a breach of protected health information occurred in assessing whether either UHG or Change Healthcare violated strict healthcare sector privacy regulations. This investigation remains ongoing.

The Persistence of Ransomware as a Service (RaaS)

ALPHV’s apparent exit scam and the emergence of RansomHub have done little to change the fundamental drivers in the lucrative ransomware-as-a-service (RaaS) market. Hannah Baumgaertner, head of research at Silobreaker, noted that the law enforcement action that took down LockBit resulted in the two most active ransomware-as-a-service groups no longer being operational. However, this has not resulted in fewer ransomware attacks. There has been more than a threefold (264%) increase in ransomware attacks over the past five years, according to the HHS. Ransomware now tops the list of CISOs’ biggest perceived threats.

Conclusion

The Change Healthcare ransomware catastrophe serves as a critical reminder of the need for robust cybersecurity measures, particularly in the healthcare sector. The lessons learned from this incident emphasize the importance of multi-factor authentication, system segmentation, cyber due diligence during mergers and acquisitions, the risks of self-insuring against cyber incidents, early detection and monitoring of threats, the debate over ransom payments, the heightened risk for healthcare providers, and the persistence of ransomware as a service. These lessons should prompt organizations to reevaluate their cybersecurity strategies and take proactive measures to protect against future attacks. The healthcare sector, in particular, must adopt stringent cybersecurity standards to safeguard sensitive patient data and ensure the continuity of essential services.
