What the Change Healthcare Cyber Attack Means for the US Healthcare Industry

The cyber-attack on Change Healthcare, one of the world’s biggest health payment processors, gave cybercriminals access to 4 terabytes of data, shut down healthcare facilities across the US, and cost UHC $22 million in ransom alone, not to mention legal fees, recovery costs, and other expenses expected to total at least $1.6 billion.

Why were the effects of this cyber-attack so devastating and far-reaching? Investigations are underway, but the known cybersecurity failures so far include:

• Stolen credentials. Bad actors entered a software portal connecting to Change Healthcare’s systems using credentials stolen in a phishing expedition, UHC CEO Andrew Witty told a US Congressional subcommittee May 1. UHC believes the ransomware group purchased these stolen credentials on the dark web, he said.
• An MFA snafu: The attackers entered through a systems software portal for which MFA had not been switched on.
• Undetected lateral movement: The criminals moved laterally to exfiltrate data for nine days, undetected by security monitoring, before deploying ransomware.
• Vulnerable backup systems: Change Healthcare was still using 40-year-old technologies to run its medical claims and payment processing systems, and storing data in on-premises servers, Witty said. (UHC, which purchased Change in late 2022, had begun modernizing and upgrading these systems, moving data and systems to the cloud.)

As a result, neither Change’s prime nor backup IT systems were isolated. The attack disabled both. Cloud-based servers were up and running again fairly soon, but legacy data centers have taken much longer to restore.

The Change Healthcare cyber-attack shut down medical claim and payment processing for more than one month. Cashflow problems mean that facilities may not be able to make payroll or pay for services, which in turn may compromise patient care.

Mortality rates rise at nearly one-quarter of organizations after suffering a cyber breach, the May 16 hearing found.

The effects of the attack have been widespread and long lasting. Nearly three months later, an American Medical Association survey found that:

• 60% of respondents continued to face challenges in verifying patient eligibility.
• 75% were having trouble submitting claims.
• 79% still could not receive electronic remittance advice.
• 85% continued to experience disruptions in claim payments.

Recovering from a data breach in the healthcare and public health sector averages $10 million per incident, far more than in any other sector, the Congressional subcommittee heard. Put another way, remediating health care breaches costs nearly three times more than the costs of remediating breaches in other sectors, according to the AHA: an average of $408 per stolen health care record versus $148 for non-health records.

Costs of the Change Healthcare cyber-attack in the first quarter alone totaled some $870 million, John Rex, President and Chief Financial Officer, said in an earnings call.

Some $595 million, he said, “were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities.

“For the full year, we estimate these direct costs at $1 billion to $1.15 billion.” The disruption in Change Healthcare’s operations due to the cyber-attack was expected to cost another $350 million to $450 million, he said.

And in addition to the $22 million the company paid in ransom to unlock its systems, another group appears to have demanded a second ransom payment to stop leaking the data stolen in the attack, it seems that the criminal group supplying the ransomware kit made off with the entire ransom rather than giving the affiliate who performed the attack their cut. Lawsuits and other legal fees and fines will most likely follow, as well.

“This hack could have been stopped with cybersecurity 101,” Sen. Ron Wyden (D-Ore.) reportedly said during the hearing into the Change Healthcare cyber-attack.

Indeed, the health sector “lags far behind most essential infrastructure sectors … on research to understand the risks and develop specific plans to protect, respond, and recover from cyberattacks,” The Lancet reports.

But with investigations underway and more hearings perhaps pending, it’s a given that the industry will need to step up its cyber game. To get started, here are some measures we recommend putting in place:

A phishing email tricked someone into entering their login credentials, which were then sold on, starting the chain of events that led to the Change Healthcare cyber-attack. This is usually the way attacks begin: human error accounts for 95% of all cybersecurity incidents, the World Economic Forum reports.

Next steps: A little education can go a long way. Hornetsecurity’s next-gen Security Awareness Service trains employees using realistic spear phishing simulations and AI-powered e-training, heightening awareness of cyber security risks and threats. Employees learn effectively how to protect themselves and their company. The service is fully automated and easy to use.

It’s not a matter of “if” you’ll be attacked, but “when,” particularly in healthcare. Being able to recover swiftly—resilience—is key to minimizing costs, damage, and downtime.

Next steps: Modernize your backup system with Hornetsecurity’s 365 Total Backup Solution. Among its features:

• Automatic backup of Microsoft 365 data multiple times a day;
• Protection from ransomware attacks as well as third-party disruptions via backup storage and security on Hornetsecurity infrastructure, independent of Microsoft;
• Easy search and recovery;
• Hassle-free, unlimited storage;
• Centralized management; and
• Data storage in local, secured, robust and redundant Hornetsecurity data centers, granting control over data jurisdiction.

Have safeguards in place for storing, accessing, and sharing sensitive personal health information, and adopt a zero-trust model with Hornetsecurity’s 365 Permission Manager tool. Using it, you can

• Perform bulk actions to manage permissions at scale;
• Use Quick Actions to fix permissions on multiple sites at once;
• Assign out-of-the-box best practice policies, or create custom defined compliance polices for SharePoint sites, Teams, or OneDrive accounts;
• Receive alerts for critical shares or policy violations; and
• Use the Audit function to approve or reject policy violations.

Don’t wait for a crisis: get your checkup and preventative care now. If you’re in the healthcare sector, your organization is especially vulnerable to breach by criminals emboldened by the success of the cyber-attack on Change Healthcare. Truly, it’s not a matter of if your healthcare organization will be hit, but when. Predators prey on the weak; make sure you’re not seen as an easy target. Fortunately, as outlined above, there are several simple ways to bolster your defenses and the time to act is now.