Expert Q&A: Responding to the Change Healthcare Cyberattack

In late February, a cyberattack on UnitedHealth Group division Change Healthcare led to the shutdown of key systems, causing chaos for healthcare providers relying on those systems for payment, billing, prescription delivery, and other critical functions. The ransomware attack reportedly led to Change Healthcare paying $22 million to the hackers responsible, and further reports say the data stolen has now fallen into the hands of a second ransomware group.^1,2 The U.S. Department of Health and Human Services Office for Civil Rights has launched an investigation to determine if protected health information (PHI) was stolen and assess the company’s compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules.³ Recently, UnitedHealth admitted that PHI was indeed among the data targeted in the attack, though the company is still determining how much information was compromised.⁴

Ken Westin, field chief information security officer (CISO) at security monitoring company Panther Labs, shares his advice on how labs and other providers can deal with the continued impacts of the cyberattack and ensure they’re prepared for future incidents.

Q: How have your lab clients been affected by the Change Healthcare cyberattack? What are their key challenges?

A: I believe the Change Healthcare ransomware incident has many healthcare companies reassessing their risk models. This incident has not only been incredibly disruptive but has also had a direct impact on the finances of many organizations. The attackers targeted their payment systems and infrastructure, which has caused a bit of chaos affecting payment for prescriptions, payroll, and suppliers. 

Q: What is your advice to labs (and other healthcare providers) for dealing with these challenges? 

A: First is ensuring that they have visibility into all of their networks and assets; many healthcare organizations are understaffed and under-resourced and may not be ingesting logs from critical systems that would provide early warning signs of a breach. Once they have the right telemetry, they need to ensure they have the right detections in place to potentially block an incident before it becomes a larger issue. Ransomware groups are notorious for being persistent when gaining access to environments. In the Change Healthcare incident, the organization disabled key systems to stop the spread of ransomware, so it is a good time to also look at resiliency of systems, putting backup systems in place, for example. 

Q: What key steps can labs and other healthcare providers take to ensure they are prepared for possible future cyberattacks like this one?

A: I believe organizations need to be prepared for attacks—it isn’t an “if” but “when”—and there are so many variables at play it is impossible to cover all potential attack vectors. However, running red team activities, such as regular penetration tests where defenses and detections are tested, can help ensure an organization is prepared. Purple teaming activities have also been helpful where those writing code to detect cyberattacks test their defenses by leveraging adversary emulation tools. I think the more “real” you can make the testing of your infrastructure the better, whether it is a full penetration test, or even a tabletop exercise with security and business leadership. 

Q: What are your thoughts on how Change Healthcare is handling the situation?

A: It is difficult to throw stones when we don’t know all of the details. We know they brought systems offline to stop the attack’s progression, which indicates to me that they did have detection capabilities in place and have been able to take some steps to mitigate the threat. I am sure they will be reassessing the resiliency of the payment systems and hopefully have backup systems in place in case a similar incident occurs. Cybersecurity is difficult, and healthcare organizations often have underfunded security teams, while at the same time are dealing with unique challenges and compliance requirements. 

Q: Cyberattacks against the healthcare industry have been increasing in recent years. How do you expect this trend to develop going forward? Will we continue to see more attacks?

A: Part of this has been due to ransomware groups becoming more brazen. Many ransomware groups for example would not target schools, healthcare, or critical infrastructure, however, due to the nature of geopolitics, many of these restrictions have been removed. It is no accident that the payment systems of Change Healthcare were targeted, as the attackers knew where to inflict the most pain to demand their ransom.

Q: What major steps does the healthcare industry need to take to protect itself from such attacks?

A: I believe focusing on visibility into what is occurring on endpoints is critical, so deploying a proper endpoint detection and response (EDR) tool, for example, is important in the fight against ransomware. Also paying closer attention to identities and credentials is becoming critically important, ensuring that you have multi-factor authentication (MFA) for example, so you don’t fall victim to password spraying, phishing, or other attacks which compromise identities.

References:

1. 1. https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/

1. 1. https://www.axios.com/2024/04/16/change-healthcare-data-leak-ransomware

1. 1. https://www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html

1. 1. https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html

_______________________________________________________________________________________________________________________________________________________________________________________________

Ken Westin, field CISO at Panther Labs, has been in the cybersecurity field for over 15 years working with companies to improve their security posture, through detection engineering, threat hunting, insider threat programs, and vulnerability research. In the past, he has worked closely with law enforcement, helping to unveil organized crime groups. His work has been featured in Wired, Forbes, New York Times, Good Morning America, and others, and is regularly reached out to as an expert in cybersecurity, cybercrime, and surveillance.