What the Change Healthcare Cyber Attack Means for the US Healthcare Industry

Written by Sherry Jones / 18.06.2024

It’s time to get serious about securing healthcare systems, solutions, and data!

Cybersecurity in the health sector needs urgent care, followed by long-term therapy. Cyber-attacks are on the rise in this vulnerable sector, wreaking financial havoc, posing national security concerns, even threatening patients’ lives. And many of these attacks are completely preventable.

The recent Change Healthcare cyber-attack is a case in point. The “most disruptive cyber-attack on US critical infrastructure to date” is now sounding a wake-up call among industry watchdogs. It led a US Congressional subcommittee to explore cybersecurity vulnerabilities in healthcare during a May 16 hearing. What it found: The healthcare industry treads on shaky cyber ground, facing more, and more dire, threats than ever before. In this article we conduct our own post-mortem of the Change Healthcare cyber-attack.

Healthcare: An Attack Magnet

The Change Healthcare cyber-attack made splashy headlines, but it was only one of a growing number of intrusions plaguing the sector with increasing frequency and severity. The number of hospital systems hit with ransomware nearly doubled in 2023, to 46, from 25 in 2022, the New York Times reports.

Nor is it only a US problem: Healthcare events globally nearly quadrupled in 2023 over the previous year, the European Repository of Cyber Incidents found. Hostile nation-states attack healthcare providers daily, the US House Energy and Commerce Committee Subcommittee on Health learned in its hearing.

Interconnectedness makes the healthcare system particularly attractive to cyberthieves. Physicians’ offices, clinics, hospitals, medical devices, laboratories, pharmacies, electronic health records, insurers, support services, and others affiliated with care form a vast, interlocking web of information that, once breached, can provide a treasure trove of valuable data.

Stolen health records pose an especially juicy target, selling on the dark web for 10 times more than stolen credit card numbers, the American Hospital Association notes.

Security in this sector is notoriously weak. The COVID-19 pandemic is partly to blame, the Lancet reports. To provide care during a time of quarantines and lockdowns, facilities rushed to adopt new digital technologies such as mHealth, telehealth, and AI-supported diagnostic tools. In their haste, they tended to give security short shrift.

And keeping up with technology updates costs time and money that many facilities don’t have. Instead, they use outdated technologies and software.

A single vulnerability is all malicious actors need to bring down an entire system, or even an ecosystem. And with lives at stake, medical providers are much more likely to pay the ransom for the sake of continuing care.

The Change Healthcare Cyber-Attack: What Went Wrong

The cyber-attack on Change Healthcare, one of the world’s biggest health payment processors, gave cybercriminals access to 4 terabytes of data, shut down healthcare facilities across the US, and cost UHC $22 million in ransom alone, not to mention legal fees, recovery costs, and other expenses expected to total at least $1.6 billion.

Why were the effects of this cyber-attack so devastating and far-reaching? Investigations are underway, but the known cybersecurity failures so far include:

  • Stolen credentials: Bad actors entered a software portal connecting to Change Healthcare’s systems using credentials stolen in a phishing expedition, UHC CEO Andrew Witty told a US Congressional subcommittee May 1. UHC believes the ransomware group purchased these stolen credentials on the dark web, he said.
  • An MFA snafu: The attackers entered through a systems software portal for which MFA had not been switched on.
  • Undetected lateral movement: The criminals moved laterally to exfiltrate data for nine days, undetected by security monitoring, before deploying ransomware.
  • Vulnerable backup systems: Change Healthcare was still using 40-year-old technologies to run its medical claims and payment processing systems, and storing data in on-premises servers, Witty said. (UHC, which purchased Change in late 2022, had begun modernizing and upgrading these systems, moving data and systems to the cloud.)

As a result, neither Change’s primary nor backup IT systems were isolated. The attack disabled both. Cloud-based servers were up and running again fairly soon, but legacy data centers have taken much longer to restore.

The damage to humans in a system designed to serve them

The Change Healthcare cyber-attack shut down medical claim and payment processing for more than one month. Cashflow problems mean that facilities may not be able to make payroll or pay for services, which in turn may compromise patient care.

Mortality rates rise at nearly one-quarter of organizations after suffering a cyber breach, the May 16 hearing found.

The effects of the attack have been widespread and long lasting. Nearly three months later, an American Medical Association survey found that:

  • 60% of respondents continued to face challenges in verifying patient eligibility.
  • 75% were having trouble submitting claims.
  • 79% still could not receive electronic remittance advice.
  • 85% continued to experience disruptions in claim payments.

Business impacts: Paying a higher price than in other sectors

Recovering from a data breach in the healthcare and public health sector averages $10 million per incident, far more than in any other sector, the Congressional subcommittee heard. Put another way, remediating health care breaches costs nearly three times more than the costs of remediating breaches in other sectors, according to the AHA: an average of $408 per stolen health care record versus $148 for non-health records.

Costs of the Change Healthcare cyber-attack in the first quarter alone totaled some $870 million, John Rex, President and Chief Financial Officer, said in an earnings call.

Some $595 million, he said, “were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities.

“For the full year, we estimate these direct costs at $1 billion to $1.15 billion.” The disruption in Change Healthcare’s operations due to the cyber-attack was expected to cost another $350 million to $450 million, he said.

And in addition to the $22 million the company paid in ransom to unlock its systems, another group appears to have demanded a second ransom payment to stop leaking the data stolen in the attack. It seems that the criminal group supplying the ransomware kit made off with the entire ransom rather than giving the affiliate who performed the attack their cut. Lawsuits and other legal fees and fines will most likely follow as well.

Stepping up Your Cyber Game: Now a Must in Healthcare

“This hack could have been stopped with cybersecurity 101,” Sen. Ron Wyden (D-Ore.) reportedly said during the hearing into the Change Healthcare cyber-attack.

Indeed, the health sector “lags far behind most essential infrastructure sectors … on research to understand the risks and develop specific plans to protect, respond, and recover from cyberattacks,” The Lancet reports.

But with investigations underway and more hearings perhaps pending, it’s a given that the industry will need to step up its cyber game. To get started, here are some measures we recommend putting in place:

Security awareness training

A phishing email tricked someone into entering their login credentials, which were then sold on, starting the chain of events that led to the Change Healthcare cyber-attack. This is usually the way attacks begin: human error accounts for 95% of all cybersecurity incidents, the World Economic Forum reports.

Next steps: A little education can go a long way. Hornetsecurity’s next-gen Security Awareness Service trains employees using realistic spear phishing simulations and AI-powered e-training, heightening awareness of cyber security risks and threats. Employees learn effectively how to protect themselves and their company. The service is fully automated and easy to use.

MFA

Change Healthcare’s MFA policy applied to every external-facing system, but it was never enabled on the software that hackers used to gain access.

Next steps: Check and double-check all your systems and software to ensure that added layer of authentication is working to stop unauthorized entry into your systems and software.
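
One way to run that check against sign-in evidence rather than the policy document, as an added example that is not from the original article or from any vendor tool. The inventory, the key=value log format, and every system and user name are constructed assumptions.

```python
# Added example: constructed inventory and sign-in log, hypothetical field names.

# Constructed inventory: the MFA policy covers every external-facing system.
INVENTORY = {
    "vpn-gateway":   {"external_facing": True},
    "remote-portal": {"external_facing": True},
    "claims-api":    {"external_facing": True},
    "hr-intranet":   {"external_facing": False},
}

# Constructed sign-in events in a hypothetical key=value format.
SIGNIN_LOG = """\
ts=2024-06-01T08:02:11Z system=vpn-gateway user=alice result=success factors=password,totp
ts=2024-06-01T08:05:40Z system=remote-portal user=svc_ops result=success factors=password
ts=2024-06-01T08:06:02Z system=remote-portal user=bob result=failure factors=password
ts=2024-06-01T09:14:27Z system=vpn-gateway user=carol result=success factors=password,push
ts=2024-06-01T09:30:00Z system=hr-intranet user=dave result=success factors=password
this line is malformed and must be skipped
"""

def parse_event(line):
    """Return a dict of fields, or None if the line lacks required keys."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    required = {"system", "user", "result", "factors"}
    return fields if required.issubset(fields) else None

def audit_mfa(inventory, log_text):
    """Classify each external-facing system by what successful sign-ins show."""
    seen = {name: [] for name, meta in inventory.items() if meta["external_facing"]}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["system"] in seen and ev["result"] == "success":
            seen[ev["system"]].append(ev)
    report = {}
    for name, events in seen.items():
        # Users who logged in successfully with fewer than two distinct factors.
        single = sorted({e["user"] for e in events
                         if len(set(e["factors"].split(","))) < 2})
        if single:
            report[name] = ("GAP", single)      # policy says MFA, logins say otherwise
        elif not events:
            report[name] = ("UNVERIFIED", [])   # no evidence either way: test by hand
        else:
            report[name] = ("OK", [])
    return report

if __name__ == "__main__":
    for system, (status, users) in sorted(audit_mfa(INVENTORY, SIGNIN_LOG).items()):
        print(f"{system:14} {status:10} {', '.join(users)}")
```

The UNVERIFIED result matters as much as GAP: a system with no logged sign-ins has not been shown to enforce MFA, only not shown to fail.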

Robust backup and recovery systems

It’s not a matter of “if” you’ll be attacked, but “when,” particularly in healthcare. Being able to recover swiftly—resilience—is key to minimizing costs, damage, and downtime.

Next steps: Modernize your backup system with Hornetsecurity’s 365 Total Backup Solution. Among its features:

  • Automatic backup of Microsoft 365 data multiple times a day;
  • Protection from ransomware attacks as well as third-party disruptions via backup storage and security on Hornetsecurity infrastructure, independent of Microsoft;
  • Easy search and recovery;
  • Hassle-free, unlimited storage;
  • Centralized management; and
  • Data storage in local, secured, robust and redundant Hornetsecurity data centers, granting control over data jurisdiction.

Protected patient data privacy and security

Have safeguards in place for storing, accessing, and sharing sensitive personal health information, and adopt a zero-trust model with Hornetsecurity’s 365 Permission Manager tool. Using it, you can

  • Perform bulk actions to manage permissions at scale;
  • Use Quick Actions to fix permissions on multiple sites at once;
  • Assign out-of-the-box best practice policies, or create custom-defined compliance policies for SharePoint sites, Teams, or OneDrive accounts;
  • Receive alerts for critical shares or policy violations; and
  • Use the Audit function to approve or reject policy violations.

To properly protect your healthcare environment, use Hornetsecurity Security Awareness Service to educate your employees on how to secure your critical data.

Conclusion – An Ounce of Prevention

Don’t wait for a crisis: get your checkup and preventative care now. If you’re in the healthcare sector, your organization is especially vulnerable to breach by criminals emboldened by the success of the cyber-attack on Change Healthcare. Truly, it’s not a matter of if your healthcare organization will be hit, but when. Predators prey on the weak; make sure you’re not seen as an easy target. Fortunately, as outlined above, there are several simple ways to bolster your defenses, and the time to act is now.

FAQ

What factors make the healthcare sector particularly vulnerable to cyber-attacks?

The healthcare sector is especially vulnerable to cyber-attacks due to its high interconnectedness and the valuable nature of the data it handles. Healthcare providers, including physicians’ offices, clinics, hospitals, and insurers, form a vast, interlocking web of information. Once breached, this network can provide a treasure trove of sensitive data, including personal health records, which can sell for ten times more than stolen credit card numbers. Additionally, the rapid adoption of digital technologies during the COVID-19 pandemic often led to security being overlooked, leaving many systems outdated and unprotected.

What were the main security failures that contributed to the severity of the Change Healthcare cyber-attack?

The Change Healthcare cyber-attack was exacerbated by several key security failures:

  • Stolen Credentials: Cybercriminals gained access using credentials stolen in a phishing expedition.
  • Disabled MFA: Multi-Factor Authentication (MFA) was not enabled on the software portal through which the attackers entered.
  • Undetected Lateral Movement: The attackers moved laterally within the system for nine days undetected, exfiltrating data before deploying ransomware.
  • Outdated Backup Systems: Change Healthcare relied on 40-year-old technologies for its medical claims and payment processing systems, with data stored on vulnerable on-premises servers. These outdated systems and a lack of proper isolation for backup systems resulted in both primary and backup IT systems being compromised.

How can healthcare organizations improve their cybersecurity posture to prevent similar attacks?

Healthcare organizations can enhance their cybersecurity by implementing several measures:

  • Security Awareness Training: Educate employees about cybersecurity risks and phishing attacks using realistic simulations and AI-powered e-training to heighten awareness and reduce human error.
  • Enable MFA: Ensure that Multi-Factor Authentication is enabled and functioning on all systems and software to add an extra layer of security.
  • Modernize Backup Systems: Use modern backup solutions that include automatic, frequent backups, ransomware protection, and easy data recovery.
  • Protect Patient Data Privacy and Security: Implement robust safeguards for storing, accessing, and sharing sensitive health information and adopt a zero-trust model to manage permissions and detect policy violations.