John Leyden
Senior Writer

8 critical lessons from the Change Healthcare ransomware catastrophe

Feature
Jun 12, 2024 | 11 mins
CSO and CISO, Cyberattacks, Data and Information Security

From fundamental security mistakes and strategic shortcuts, to emerging industry trends, Change Healthcare’s security meltdown provides ample fodder for thought on how not to be the next high-profile victim.

CEO of UnitedHealth Group Andrew Witty testifies before the Senate Finance Committee at a hearing "to examine hacking America's health care, focusing on assessing the Change Healthcare cyber attack and what's next" in the Dirksen Senate office building in Washington, DC on Wednesday, May 1, 2024.
Credit: Annabelle Gordon/UPI/Shutterstock

Lessons are beginning to cohere from Change Healthcare’s disastrous ransomware attack that starkly illustrated the fragility of the healthcare sector, prompting calls for regulatory action.

The February attack disrupted insurance claims processing across the US, creating chaos for clinics, pharmacies, and patients left unable to fulfil pre-authorized prescriptions or medical treatments covered by insurance.

The flow of payments to healthcare providers processed by Change Healthcare was brought to an abrupt halt as systems were taken offline in response to the attack.

Smaller healthcare providers and rural pharmacies in particular suffered huge revenue losses because of the attack, with some taken close to insolvency. In the end, the attack exposed the personal data of potentially a third of all US citizens and cost parent company UnitedHealth Group (UHG) more than $872 million in response costs and in dealing with the disruption it caused.

Part of these costs has involved offering accelerated payments and no-interest, no-fee loans to thousands of providers. Another portion is earmarked for incident response and completely rebuilding Change Healthcare’s systems from the ground up. Revenue loss included, it is estimated that the attack will cost UHG over $1 billion.

In response to the attack, US politicians have called for mandated baseline cybersecurity standards in the health sector, as well as better information sharing. They have also raised concerns that industry consolidation is increasing cyber risk.

Overall, the ransomware attack on Change Healthcare, which UHG acquired for nearly $8 billion in 2022, illustrates how often poor security controls come up as a factor in ransomware attacks. Following is a look at several lessons learned in the wake of the attack.

MFA is essential

During Congressional testimony in early May (pdf), UHG CEO Andrew Witty said that criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, technology that allowed remote access to desktops, on or around Feb. 12. The portal was not protected by multi-factor authentication (MFA), a basic enterprise security control.

While not entirely bullet-proof, MFA has long been considered a best practice for securing systems against credential attacks. It is highly likely that the absence of MFA played a key role in the attackers being able to remotely access Change Healthcare’s systems — making the incident highly avoidable and a massive failure to adopt even the most basic cybersecurity principles, according to Tony Anscombe, chief security evangelist at ESET.

“What we don’t know is the reason why there was no MFA; was it incompetence, a budget limitation, user demand, or something else?” Anscombe said.

Trevor Dearing, director of critical infrastructure at Illumio, commented: “Too often a lack of efficient security controls is a factor in a successful ransomware attack. Whether that is a lack of MFA controls, an unpatched web portal, or a DLP [Data Loss Prevention] system with an elapsed licence, any hole can create a massive breach.”

Segment your systems

Having gained a foothold on Change Healthcare’s systems, the attackers then moved laterally and exfiltrated data before deploying the ALPHV/BlackCat ransomware nine days later on Feb. 21.

As such, another issue raised in many post-breach reports is that Change Healthcare’s systems suffered from a lack of segmentation, which enabled easy lateral movement by the attackers and exposed critical assets to them, according to Dearing.

Segmentation involves breaking a large network of systems down into smaller, isolated subsegments, making it easier for security teams to secure and monitor IT assets by limiting the kind of lateral movement used against Change Healthcare. Segmentation has long been a key part of defense-in-depth strategies.

M&A activity requires cyber due diligence

The Change Healthcare ransomware breach also offers lessons about post-merger due diligence on acquired systems.

UHG acquired Change Healthcare, the US’s biggest clearinghouse for medical claims, in October 2022, after a legal battle with the US Department of Justice. The DOJ had argued that the acquisition would harm competition in the markets for health insurance and for the technology used to process health insurance claims, by giving UHG, the largest US health insurance provider, access to its competitors’ data.

As a result of the acquisition, Change Healthcare was merged with UHG’s Optum health services company, with Steven Martin, Optum’s CIO and CTO and UHG’s CISO, leading security operations.

Mergers and acquisitions create new cyber threats because they involve the integration of systems, data, and processes from different organizations, each with its own security protocols and potential vulnerabilities.

“During this transition, cybercriminals can exploit discrepancies in security measures, gaps in IT governance, and the increased complexity of managing merged IT environments,” Aron Brand, CTO of CTERA told CSOonline. “Additionally, the heightened sharing of sensitive information between parties provides more opportunities for data breaches.”

Given the complexity and risks involved, a comprehensive due diligence checklist is essential for both healthcare and non-healthcare organizations during mergers, Brand advised.

“This should include exhaustive security audits to evaluate the acquired company’s cybersecurity posture, identify vulnerabilities, and assess their incident response capabilities,” according to Brand. “For example, the breach at Change Healthcare might have been mitigated if thorough assessments had addressed the lack of robust MFA controls.”

Aaron Walton, a threat intel analyst at Expel, agreed.

“From the hearing, we didn’t learn what caused the delay, but it suggests that Change was not brought up to speed with all the same security policies as UnitedHealth Group,” he said. “Had Change implemented UnitedHealth’s upgrades, processes, and policies, it might have addressed some of the issues that led to the attack on Change Healthcare, such as the lack of MFA.”

‘Self-insure’ at your peril

In response to questions during Congressional hearings, UHG chief exec Witty admitted that the company was “self-insured” for cyber incidents.

Cyber insurance providers will mandate a high level of risk mitigation before they approve a policy. For many organizations, this alone provides an incentive to ensure hardened systems. And for those who forgo insurance, that goes double.

“The option to self-insure and accept the risk, the stance Change Healthcare appears to have adopted, should not be at the expense of cybersecurity measures,” ESET’s Anscombe told CSOonline. “I think it unlikely that insurance was not available due to the increased risk — everything is insurable; it’s just about the cost of the premium.”

Anscombe added: “Not insuring as premiums would be too high due to the risk because of non-compliant cybersecurity measures is unforgivable as it puts the business, customers, partners and many others at risk unnecessarily.”

Businesses should adopt a stance of being cyber risk insurance compliant or better still compliant with a recognized cybersecurity framework, Anscombe advised.

Living with the enemy

The attackers loitered on the Change Healthcare systems for over a week (nine days) before deploying ransomware.

This kind of delay is by no means atypical in enterprise attacks, according to experts. The time attackers spend escalating privileges and moving laterally through a compromised network does not necessarily raise the chance of their being discovered, because they take pains to disguise their activities, for example by abusing legitimate programs and commands that blend in easily with regular, expected traffic.

Hannah Baumgaertner, head of research at Silobreaker, commented: “Ransomware groups typically spend a very long time within a victim’s system, taking the time to move laterally within the network to cause the most amount of damage possible. In addition, the longer they stay undetected within a network, the more time they have to find and steal sensitive data.”

While it is hard to say whether Change Healthcare could have detected the attackers on their systems as they escalated their movements, these facts about how ransomware attacks progress should be taken under advisement when devising strategies to combat them.

Double jeopardy — and the debate over ransom payments

UHG chief exec Witty confirmed during his congressional testimony that the healthcare conglomerate had paid the equivalent of $22M in Bitcoin as ransom to cybercriminals from the BlackCat/ALPHV ransomware group.

BlackCat/ALPHV subsequently pulled off an exit scam and disappeared with the money, reportedly cheating its affiliate Nichy out of its share.

That Change Healthcare paid the ransom has reignited the wider debate of whether it’s permissible to pay out on the extortionate demands of cybercriminals, especially as paying the ransom does not guarantee attackers will delete stolen data or refrain from future attacks.

ESET’s Anscombe commented: “The decision to pay a ransomware demand should be made by a court, in the same way some medical decisions are taken by the courts.

“However, it would appear the decision in most payment cases is purely financial, reducing business disruption and the ongoing task of rebuilding systems to recover,” he concluded.

CTERA’s Brand told CSOonline: “Recent surveys show that double extortion — where attackers demand a ransom and threaten to release stolen data — is part of 77% of ransomware attacks. Ransom payments can also incentivize cybercriminals to target other organizations too, creating the ethical dilemma of perpetuating the cycle of ransomware attacks.”

In the end, paying the ransom failed to protect UHG from secondary attempts at extortion.

In April, cybercriminals from the RansomHub group threatened to leak portions of 6TB of sensitive data stolen from the breach of Change Healthcare, and obtained through Nichy, according to an analysis by security vendor Forescout. An estimated one in three Americans had their sensitive data exposed as a result of the attack.

Healthcare increasingly under attack

Such secondary scams are becoming increasingly commonplace and healthcare providers are particularly at risk, according to compliance experts.

Victoria Hordern, a partner at international law firm Taylor Wessing’s technology, IP, and information team, told CSOonline: “A health data leak is a tantalizing prospect for a cybercriminal intending to carry out a ransomware attack since they know that a healthcare body will be paralyzed if it can’t access data to provide patient care.”

Hordern continued: “Where there is a multiplication of systems and a variety of different parties involved (i.e. patients, healthcare providers, tech support), there are also more points of weakness and vulnerability where bad actors can seek to gain entry into and control systems.”

The US Department of Health and Human Services (HHS) is investigating whether a breach of protected health information occurred, as part of assessing whether either UHG or Change Healthcare violated strict healthcare sector privacy regulations. This investigation remains ongoing.

The Change Healthcare attack has coincided with a number of attacks on healthcare companies of late, including Ascension, London Drugs, Cencora, and Synnovis.

Ransomware as vibrant as ever

ALPHV’s apparent exit scam and the emergence of RansomHub has done little to change the fundamental drivers in the lucrative ransomware-as-a-service (RaaS) market, according to experts.

Hannah Baumgaertner, head of research at Silobreaker, said: “ALPHV’s exit scam took place around the same time as the law enforcement action that took down LockBit, resulting in the two most-active ransomware-as-a-service groups no longer being operational.”

Baumgaertner warned: “While one might expect this to mean fewer ransomware attacks will occur, this has not been the case.”

Due to the nature of RaaS operations, any affiliates that previously worked with ALPHV will simply have moved on to another operation. Meanwhile, the principal players behind ALPHV will likely work on a new project under a different name, according to Baumgaertner.

There has been a more than threefold (264%) increase in ransomware attacks over the past five years, according to HHS. Meanwhile, ransomware now tops the list of CISOs’ biggest perceived threats, according to Proofpoint’s recent Voice of the CISO survey.

CSOonline invited UHG to comment on lessons it has learned from its investigation into the Change Healthcare ransomware attack. We’re yet to hear back but will update this story as soon as more information comes to hand.