Understanding the Change Healthcare Cyber Attack: Implications for the Healthcare Industry and Beyond

Adam Pendleton
Chief Information Security Officer

April 12, 2024

What happened to Change Healthcare?

The healthcare industry was jolted by yet another cyber attack[1], this time targeting Change Healthcare, a large unit of the massive UnitedHealth Group, and a critical part of payment processing for the healthcare industry. The attack encrypted some of the company’s data and affected its operations, disrupting services for large portions of the healthcare sector[2]. UnitedHealth estimates that services will not be fully restored until March 18th, 2023[3].  The attackers demanded a ransom of $20 million to restore the data and stop leaking it online. Change Healthcare has not confirmed whether it paid the ransom or not, but industry experts have disclosed Bitcoin wallet transactions that are alleged to be a ransom payment to the threat actors.[4] Change Healthcare has indicated that it is working with law enforcement and cybersecurity experts to investigate and resolve the incident. This incident not only raises concerns about the security of sensitive patient data but also underscores the broader implications for healthcare companies, their partners, and ultimately, the end consumer. As we delve into the intricacies of this attack, it becomes evident that the repercussions extend far beyond just one organization, emphasizing the urgent need for comprehensive cybersecurity measures across the board.

Why should you care about this attack?

The Change Healthcare cyber attack is not an isolated incident. It is part of a growing trend of ransomware attacks targeting the healthcare industry, which is already under immense pressure due to the COVID-19 pandemic. Ransomware attacks can have devastating consequences for healthcare organizations and their customers. They can compromise patient data, disrupt critical services, damage reputation, and incur financial losses. Ransomware attacks can also have a ripple effect on the entire healthcare ecosystem, affecting providers, payers, suppliers, and consumers. The Change Healthcare attack impacted the processing of insurance claims, and the ability to obtain prescription refills, at both large hospitals as well as individual providers. The Ponemom Institute reports that 54% of healthcare organizations experienced on average four ransomware attacks in the past two years. 68% of healthcare organizations report that ransomware attacks have negatively impacted patient safety and care.[5]

Beyond the immediate operational disruptions and financial losses, healthcare companies must grasp the broader significance of cybersecurity in safeguarding public health, privacy, and trust. As custodians of sensitive patient information, they bear a moral and legal responsibility to uphold the highest standards of data protection and resilience against cyber threats. Failure to do so not only jeopardizes the well-being of patients but also exposes the organization to regulatory scrutiny, litigation, and irreparable damage to its reputation.

What can you do to protect yourself and your organization?

Considering the escalating threat landscape, healthcare companies must prioritize cybersecurity as a fundamental aspect of their operations. This entails implementing robust security protocols, conducting regular risk assessments, and investing in advanced threat detection and response mechanisms. Additionally, fostering a culture of cybersecurity awareness among employees is crucial in fortifying the organization’s defenses against evolving threats.

At a minimum, healthcare companies should implement the following security best practices:

  • Conducting regular risk assessments, tabletop exercises, and governance reviews.
  • Ensuring that all systems and software are updated with the latest patches and security updates.
  • Protecting yourself from Business Email Compromise (BEC) and phishing with an email security platform.
  • Using phishing-resistant multi-factor authentication for all user and administrator accounts
  • Ensuring business critical data is backed up, stored offline or in the cloud, and that all backups are immutable.
  • Training your staff and raising awareness about the risks and signs of phishing and other social engineering attacks.
  • Protecting all systems are with a next-gen anti-malware and Endpoint Defense and Response (EDR) platform.

[1] https://www.unitedhealthgroup.com/ns/changehealthcare.html

[2] https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html

[3] https://www.reuters.com/technology/cybersecurity/unitedhealth-says-online-platform-fully-functional-after-change-healthcare-hack-2024-03-08/

[4] https://twitter.com/ddd1ms/status/1764639329165406497

[5] https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report