
The Catastrophic Cyberattack That Shook Healthcare to Its Core


In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, gave an estimate of the overall cost of the breach. When all is said and done, the total may reach $1B or more.

During a hearing on May 1st, UnitedHealth Group CEO Andrew Witty testified that the threat actors behind the attack used compromised credentials to remotely access a Change Healthcare Citrix portal on February 12th; nine days later they deployed ransomware. Witty also stated that the portal did not have multifactor authentication enabled, and that once inside, the attackers moved laterally through the systems and exfiltrated data. Those nine days between initial access and encryption were the window in which the lateral movement and data staging would have had to be detected.
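The two conditions in that testimony, a successful login on a remote-access portal with no second factor and an account suddenly authenticating from an address it has never used, are both visible in ordinary gateway authentication logs. The script below is an added example, not code from the article or from any vendor; it walks a constructed key=value log (the field names `app`, `event`, `result`, `user`, `src` and `mfa` are assumptions, and the lines are made up) and reports both conditions, seeding the per-user source baseline from an optional history so that the first login of a brand-new account is not mistaken for a new-source alert.

```python
"""
Added example (not from the original article): audit remote-access gateway
authentication logs for (1) successful logins with no second factor and
(2) successful logins from a source address never seen for that account.
The key=value log format and its field names are assumptions; adapt
parse_line() to whatever your Citrix/VPN gateway actually emits.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines (not real data): a password-only service account
# and a user whose credential is later replayed from an unfamiliar address.
SAMPLE_LOG = """\
2024-02-10T08:02:11Z app=remote-portal event=auth result=success user=jsmith src=203.0.113.7 mfa=push
2024-02-10T08:05:40Z app=remote-portal event=auth result=success user=agarcia src=198.51.100.22 mfa=push
2024-02-12T03:14:02Z app=remote-portal event=auth result=success user=svc_portal src=192.0.2.45 mfa=none
2024-02-12T03:14:45Z app=remote-portal event=auth result=failure user=svc_portal src=192.0.2.45 mfa=none
2024-02-13T09:11:09Z app=remote-portal event=auth result=success user=jsmith src=203.0.113.7 mfa=push
2024-02-13T22:47:51Z app=remote-portal event=auth result=success user=jsmith src=192.0.2.45 mfa=none
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    src: str
    reason: str  # 'success-without-mfa' or 'new-source-address'


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its timestamp plus key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def audit(log_text: str,
          known_sources: Optional[Dict[str, Set[str]]] = None) -> List[Finding]:
    """
    Walk the log in order and report successful authentications that either
    carried no second factor or came from an address not yet seen for that
    user. `known_sources` seeds the per-user baseline (e.g. the previous 90
    days); the baseline grows as successful logins are processed, so an
    account with no history at all is not flagged on its first login.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for user, srcs in (known_sources or {}).items():
        seen[user].update(srcs)

    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("event") != "auth" or ev.get("result") != "success":
            continue  # failures matter for brute-force detection, not here
        user, src = ev["user"], ev["src"]
        if ev.get("mfa", "none") == "none":
            findings.append(Finding(ev["timestamp"], user, src, "success-without-mfa"))
        if src not in seen[user]:
            if seen[user]:  # only alert once a baseline exists for the account
                findings.append(Finding(ev["timestamp"], user, src, "new-source-address"))
            seen[user].add(src)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick triage view."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

On the constructed sample this yields two password-only logins (the service account and the replayed user credential) and one new-source alert for the user whose password was reused from an unfamiliar address; passing a `known_sources` baseline for the service account turns its first login into a new-source alert as well. The point of the `mfa=none` check is that it is a control gap, not an anomaly: every hit is a portal path an attacker can walk through with nothing but a stolen password.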

The Incident

February 21st started out as just another day in the world of healthcare IT. Little did anyone know that a cybersecurity nightmare was about to unfold - one that would be dubbed the "most significant and consequential incident" against the U.S. healthcare system to date by the American Hospital Association.


Change Healthcare, a subsidiary of UnitedHealth Group's Optum division, is a major health information exchange platform providing claims processing, appeals management, payments, and clinical decision support. On February 21st it disclosed that it had been hit by a cyberattack.

The culprit? The BlackCat ransomware group (also tracked as ALPHV), which claimed the attack on February 28th. This Russian-speaking cybercrime operation runs a ransomware-as-a-service model: affiliates carry out the intrusions and share the ransom proceeds with the operators who maintain the malware and leak site.

The Fallout

As the attackers encrypted systems across Change Healthcare's environment, the company took the drastic step of disconnecting 111 different services to contain the spread.

But the fallout was already catastrophic:

  • Physicians and hospitals found themselves unable to issue prescriptions
  • Pharmacies couldn't access the information needed to properly fill prescriptions
  • Individuals were blocked from making health claims and obtaining critical medications

The healthcare payment chain ground to a halt while Change Healthcare engaged law enforcement and incident response firms; the company ultimately paid a reported $22 million ransom in a bid to restore operations.


Widespread Disruption

In the following days and weeks, the ripple effects reverberated across the entire healthcare sector:

  • Hospitals and providers suffered immense financial losses from the service disruptions
  • Patients faced delays in care and unforeseen out-of-pocket expenses
  • Concerns mounted over the potential exposure of millions of Americans' sensitive health data

The White House convened crisis meetings with key industry leaders like insurance giants and medical associations. Everyone understood this was a wake-up call about the existential cyber risks facing our critically important healthcare infrastructure.

Building Resilience

Out of this chaos, a steadfast resolve emerged to bolster cyber defenses and prevent such catastrophes from recurring. Recommendations flooded in:

  • Adopt robust cybersecurity frameworks like those from NIST and CISA
  • Prioritize data security, privacy safeguards, and access controls
  • Enhance threat detection and incident response capabilities
  • Foster a culture of vigilance through security awareness training
  • Collaborate across the industry on standardized cybersecurity practices

The road to a more cyber-resilient healthcare sector will be long. But the commitment from government, industry leaders, cybersecurity experts, and all stakeholders could not be clearer.

The Change Healthcare attack was a harsh reminder that in today's interconnected world, we are only as strong as our weakest digital links. Securing our healthcare institutions is a multi-front battle we cannot afford to lose.

Cybersecurity controls need to be reviewed and assessed continuously to identify gaps, and incidents like this one show how important it is to keep maturing a cyber program. Some organizations are still putting the foundational elements in place (MFA on every remote-access path, PHI data discovery, access management), while more mature organizations need assurance that their applications and data are properly secured. All of them need better visibility into the threats preparing to target them. To solidify your cybersecurity posture, make sure the following areas are covered:

  • Application Security: Develop, test, and maintain healthcare applications according to security best practices so that exploitable vulnerabilities are found and fixed before attackers reach them.
  • Identity and Access Management: Strengthen the policies and technologies that ensure only authorized individuals can reach sensitive healthcare systems and data, and enforce multifactor authentication on every externally reachable login, since a single password-only portal was the entry point in this incident.
  • Data Security and Privacy: Protect sensitive health information against breaches and maintain compliance with privacy regulations such as HIPAA.
  • Signal Analytics: Improve the ability of healthcare SOCs to detect, respond to, and recover from cyber incidents, in particular to notice lateral movement and data exfiltration in the days between initial access and encryption.
  • Digital Forensics: Invest in forensic capability to reconstruct how an attack unfolded, understand its impact, and harden defenses against a repeat.
  • Detection and Visibility: Provide network detection and visibility that lets an organization efficiently identify, hunt, and defend against threats.