Change Healthcare Ransomware Attack Shines Light on Third-party Risk and Exposure

Recent research found that 88% of surveyed healthcare organizations experienced an average of 40 cyber attacks in 12 months. Those attacks cost the healthcare industry an average of $4.99 million—a staggering 13% increase over the previous year. Few incidents, however, have been as devastating within the healthcare industry as the recent ransomware attack on Change Healthcare.

---

Timeline of Change Healthcare Ransomware Attack

• February 21, 2024: Change Healthcare detected service outages and, shortly after, confirmed it had been hit by a ransomware attack. It promptly took its systems offline in an attempt to contain the event
• February 22, 2024: Parent company UnitedHealth Group identified the threat actors who had gained access to Change Healthcare, later confirmed as BlackCat/ALPHV. 
• February 22, 2024: The American Hospital Association (AHA) advised all healthcare organizations that rely on Change Healthcare, and fellow UnitedHealthcare subsidiary Optum Solutions, to disconnect their systems from both companies to mitigate the rippling risks of the ransomware attack.
• March 1, 2024: Security researchers uncovered a payment of 350 bitcoins, equivalent to $22 million, made to a Bitcoin cryptocurrency wallet associated with BlackCat/ALPHV. Experts speculate that UnitedHealth Group paid the ransom to regain access to the encrypted data and systems held by BlackCat.
• May 1, 2024: During a U.S. Senate hearing, the CEO of UnitedHealth Group confirmed that the ransomware attack is due to stolen credentials and lack of multifactor authentication (MFA).

---

The full extent of the Change Healthcare attack has yet to be seen, but has already hindered patient care including clinical decision support, eligibility verifications and pharmacy needs. The attack also disrupted care providers and care facilities, which were unable to receive payments, send bills and offer services, resulting in immediate financial strain and the inability to provide care to their communities.

While some Change Healthcare services were restored by March 7, the company only began processing its $14 billion in backlogged medical claims on March 24—a full month after the attack. To offset money lost by healthcare systems and help affected providers in the weeks following the ransomware attack, UnitedHealth paid over $2.5 billion in financial assistance.

Nonetheless, Change Healthcare is facing a litany of class action lawsuits from patients, legal challenges filed by several providers and a call for an investigation by the U.S. Department of Health & Human Services Office of Civil Rights.

The incident poses a direct threat to critically needed patient care and essential operations of the healthcare industry.

U.S. Department of Health & Human Services Office of Civil Rights

Aside from the financial toll the attack had on Change Healthcare and the companies it supports, a fog of uncertainty and distrust around the healthcare industry will linger for an undetermined amount of time. This event serves as a crucial reminder for not only healthcare organizations, but all companies, to stay vigilant to the changing cyber landscape and identify threats and critical events as they emerge and evolve. As risks increase for organizations—as well as their third parties—it becomes vital to adopt a broader approach to cybersecurity.

The Change Healthcare incident wasn’t an anomaly. It was the culmination of warning signs, including an increased velocity of attacks in healthcare over the last five years—underscoring the imperative to establish a strong cybersecurity culture. When this culture is firmly integrated within organizations, cybersecurity teams can maintain risk visibility to better identify, anticipate and prepare for potential attacks. This is particularly important in industries such as healthcare, where the consequences of cyber attacks can be life threatening. 

Change Healthcare communicated regular updates about the ransomware attack once it was made known, but questions are being asked about whether more could have been done to prevent it, such as regularly analyzing risks, running vulnerability evaluations and assessing connected third parties. To avoid a similar incident, other organizations can take proactive action based on lessons learned from the Change Healthcare attack.

Lessons learned from the Change Healthcare ransomware attack

Ensure a holistic view of risk 

As the rate of cyber-physical threats rise, cybersecurity teams must partner closely with their corporate security counterparts to ensure a holistic view of risk across the organization. The Change Healthcare attack demonstrates how quickly a cyber threat can create risks and disruptions in the physical world, such as access to patient care. 

Build stronger defenses 

Strengthening potential vulnerabilities, blocking common entry points, segmenting networks and tightening system access are effective and should be prioritized before threats occur. The same holds true for legacy technology, which reportedly amplified the Change Healthcare ransomware attack.

“The attack itself had the effect of locking up the various backup systems which had been developed inside Change before it was acquired. That’s really the root cause of why it’s taken so long to bring it back,” said UnitedHealth Group CEO Andrew Witty during his May 1 testimony in front of the U.S. Senate Finance Committee. 

Moreover, providing users with prior warnings, such as if a vulnerability has been detected, enables them to build stronger defenses against ransomware delivery through the installation of anti-malware programs. In Change Healthcare’s case, users could have swiftly transitioned to an independent system or implemented offline backup file creation and storage processes.

Leverage the business continuity and disaster recovery plans

A robust business continuity and disaster recovery plan is essential as backups are only one part of a comprehensive cybersecurity protection plan. When Change Healthcare providers were unable to send bills, receive payments and/or collect insurance reimbursements, their staff had to resort to manual processes. 

Prioritizing the restoration of the most essential functions in the business continuity and disaster recovery plan will minimize such disruptions.

Make external threat detection a key part of the cyber plan

Organizations’ layered cybersecurity plans must incorporate external threat intelligence, robust detection systems, firewalls, data encryption and thorough employee training. Relying on just one or two lines of defense against cyber attacks is insufficient. 

The Change Healthcare ransomware attack demonstrated how easy it is for an attack on one organization to affect partners and suppliers and their ability to operate. It’s a critical reminder for all organizations to focus on threat detection beyond their walls as a priority.

Ensure communication protocols are in place

Along with data backups and recovery procedures, an effective defense needs communication protocols for stakeholders, alternative methods for business functions and routine disaster recovery testing. The duration of post-cyber attack recovery is unpredictable, so organizations should plan for the worst-case scenario. 

For example, estimates put the recovery period for some Change Healthcare customers at one year. Preparation can minimize the impact prolonged disruptions have on critical business functions and communication channels.

Assess third-party exposure and knock-on risks  

Cyber attacks carry the potential for a “domino effect,” endangering not only the primary target but also the customers and users connected to its systems. The Change Healthcare attack quickly revealed the severe impact vendors can have on users. 

This underscores the importance of organizations taking a broad approach and evaluating all conceivable angles when assessing the threat landscape, including vendor vulnerabilities and crafting preparedness plans.

Maintain real-time situational awareness of cyber risks

Early identification of potential security threats is essential. This includes monitoring both within and beyond the walls of the organization. Often, unusual activities on a company’s network or systems precede attacks, and these early indicators serve as warnings of a potential cyber attack.

While carefully monitoring and defending against these indicators is vital, it is not enough. Companies can better mitigate risk with comprehensive visibility into trending ransomware attacks and other threat actor activities, vulnerabilities and emerging cyber-physical risks.

With an increasing volume of threats and data to monitor, organizations can significantly enhance their capacity to prevent or mitigate cyber attacks by leveraging real-time information discovery platforms that analyze billions of daily public data signals to identify potential risks.

Even companies that implement rigorous cyber safety protocols and take every precaution available can occasionally overlook a vulnerable spot. In these instances, that tiny chink in the armor can serve as the gateway to a full-blown crisis.  

For example, the threat actors behind the Change Healthcare cyberattack used legitimate credentials that had been stolen to access the company’s systems through a Citrix portal used for desktop remote access. It is Change Healthcare’s policy to utilize multi-factor authentication (MFA) on all external-facing systems, but for reasons that are currently under investigation, MFA was not turned on and thus the server was compromised.

As the BlackCat hackers’ route came to light, Dataminr conducted a retrospective analysis of its data. This analysis revealed early alerts pertaining to zero-day vulnerabilities (CVE-2024-1709:CVSS 10.0) in the remote management tool. This vulnerability, enabling MFA bypass, was ultimately exploited to initiate the Change Healthcare ransomware attack.

In situations where a cyber attack has occurred, maintaining situational awareness of the event as it unfolds is critical to preventing further escalation. Following the Change Healthcare attack, for example, Dataminr surfaced more than 2,500 real-time source alerts between February 21 – March 8. 

The trending alert coverage for parent companies such as UnitedHealth Group and Optum, as well as other healthcare and pharmacy organizations affected by the attack, provided these entities with valuable intelligence needed to make well-informed decisions that directly impacted the overall health of their business.

With greater visibility of the cyber risk landscape, cybersecurity teams have more time to plan for and respond to threats and vulnerabilities—and are better able to reduce business disruptions and improve resilience. 

When a ransomware attack occurs, Dataminr Pulse for Cyber Risk helps organizations accelerate responses and mitigate potential impact.