A Landmark Ransom Attack On Healthcare

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Health & Welfare, BUSINESS-Services-Financial

In February this year, Change Healthcare suffered a ransomware attack so large and complex that it was feared - according to estimates from Andrew Witty, CEO of parent company UnitedHealth Group (UHG) - to involve the data of up to 1 in 3 Americans.

Now six months later, and the full scale of the breach is still undetermined, with fallout continuing.

Change Healthcare has only recently (July 29) begun mailing written notices to individuals affected by the incident - which could take considerable time considering the 100s of millions potentially involved - while the financial implications are unfolding in the billions. UHG’s second quarter earnings report, released last month, reveals the total impact of the cyberattack will cost the company between $2.3 billion and $2.45 billion in 2024 (more than $1 billion higher than previously projected).

Suffice to say, it’s easy to see why this particular incident is being labelled the worst cyberattack to ever hit the US healthcare industry.

While it may be one of the worst, it’s certainly not a one-off. There’s no question that due to the growth of remote care, connected medical devices and complex IT environments, healthcare is facing an expanding attack surface, with these new technologies and processes creating more opportunities for cyberattacks. However, this situation is not exclusive to healthcare. Manufacturing, professional services, finance and technology all consistently remain among the top targeted industries for the same reasons.

So what can all types of businesses and organisations learn from this case going forward?

All organisations must strengthen their cybersecurity defences:  It may sound simple and somewhat obvious, but weak cybersecurity defences are often overlooked. With the Change Healthcare case, cybercriminals took advantage of a server that wasn’t protected by multi-factor authentication (MFA). MFA is not only a common and low-cost security measure, but is relatively easy to deploy. While MFA significantly enhances security and reduces the risk of unauthorised access in case passwords are compromised, it should also be part of a broader, multi-layered security strategy that includes encryption, robust firewalls, regular software updates, network monitoring and regular security audits to proactively identify and mitigate potential threats.

Be aware of vulnerabilities in widely-used enterprise software: The threat landscape is evolving, with threat actors increasingly targeting vulnerabilities in third-party software, such as managed file transfer (MFT) services. The recent attacks by the CL0P ransomware group on Fortra's GoAnywhere and Progress Software's MOVEit were a stark reminder of the potential impact of such exploits and led to the Cybersecurity Advisory (CSA)’s #StopRansomware efforts, which involved publishing advisories for network defenders that detail various ransomware variants and ransomware threat actors, as well as solid cyber hygiene advice.

Their advice includes the fact that businesses should be regularly updating and patching systems to address known vulnerabilities, especially in third-party software, as cyberattacks often exploit these weaknesses.

Implementing robust vendor risk management is also essential to ensure software providers prioritise security and provide timely updates, while proactive threat detection tools and strategies can help identify breaches early, reducing potential damage. 

Educate your workforce on the importance of security measures: Does everyone in your organisation know what MFA is and where it should be in place? Do they know how to recognise sophisticated phishing and social engineering attempts? Even for those who are more tech-savvy, recent advancements in GenAI have improved the format and grammar of phishing messages, making them extremely difficult to spot. More up-to-date education is needed alongside clear instructions on what internal security measures should be taken, such as double-checking the sender's email address or using MFA to prevent unauthorised access if your credentials are compromised. It’s also important to educate employees about the risks of third-party software vulnerabilities, as mentioned above, and ensure they follow best practices here too, to avoid security lapses.

Stay adaptable and prepared: Ransomware is a persistent and evolving threat, with a 30% global increase in the number of groups that focus on targeted ransomware and a 71% rise in attacks in 2023 compared to 2022. As authorities collaborate to disrupt more extensive operations, the ransomware ecosystem is fragmenting into smaller, more elusive groups. Threat actors are now adopting multi-extortion tactics, such as data theft and harassment, to pressure victims into paying - as we saw with Change Healthcare. Attackers are also moving at an alarming pace, often exfiltrating data within hours or days of the initial compromise. In a staggering 45% of cases in 2023, data was exfiltrated less than a day after the compromise, leaving incident response teams with little time to contain the threat. As such, organisations need to stay adaptable and be prepared with swift and efficient response measures, so that they’re ready to respond to new tactics as they emerge. Having reliable backup and recovery plans in place - that are frequently updated - is one of the best ways to minimise the impact of ransomware attacks. A good cyber incident response plan (IRP) should detail communication strategies, legal considerations, and recovery procedures. It should define the goals, scope, and types of incidents the IRP covers, and assign specific roles and responsibilities within the incident response team.

Never stand still: The cyber landscape is evolving, not emerging, and so businesses’ approach to preparing, protecting and recovering from a cyberattack must also evolve at the same pace. So as well as continuously updating and auditing cybersecurity measures - not only to ensure nothing is missed, but to adapt to new threats and ensure compliance with the latest security standards - businesses should also be documenting incidents. What lessons can you take from past incidents affecting your business and others, what policies need updating, is training, including simulations for the incident response team, regular enough, is the contact information for your incident response team up-to-date?

Seek expert guidance/support where needed: In statements following the Change Healthcare attack, UnitedHealth said they started working closely with law enforcement and third parties like Palo Alto Networks and Google's Mandiant to assess the damage. Industry associations, crime prevention agencies and cyber insurance providers can all provide businesses with access to expert guidance.

Take cyber insurance providers, for example - as well as financial security, they have cybersecurity analysts and consultants trained in handling cyberattacks and the claims process on hand. These experts can also help victims navigate incident response and recovery.

Most cyber insurance providers also offer free risk prevention services, including vulnerability assessments, threat intelligence, and can assist with cybersecurity training. 

Claud Bilbao is RVP, Underwriting & Distribution UK with Cowbell

Image: Unsplash

You Might Also Read:

Cyber Insurance: What Businesses Need To Know:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« 2024 US Presidential Election Cyber Intrusion: Part 3 - Hostile Nation State Actors
CISOs Guide To Compliance & Cyber Hygiene  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Planit Testing

Planit Testing

Planit is a leader in Quality Assurance and a specialist in software testing and training services.

Cloudbric

Cloudbric

Cloudbric is a cloud-based web security service, offering award-winning WAF, DDoS protection, and SSL, all in a full-service package.

Information-Technology Promotion Agency (IPA) - Japan

Information-Technology Promotion Agency (IPA) - Japan

IPA is an implementing agency in Japan with a role to address Information Security, IT Systems Reliability and IT Resource Development.

Security Network Munich

Security Network Munich

Security Network Munich brings together leading players in the field of information and cyber security through joint research and innovation projects.

VigiTrust

VigiTrust

VigiTrust is a security firm specializing in cloud based eLearning programs, security compliance portals and providing security assessments.

Physec

Physec

Physec offers innovative security products and solutions for the Internet of Things ecosystem.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

CyBOK - University of Bristol

CyBOK - University of Bristol

CyBOK is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.

Center for Infrastructure Assurance and Security (CIAS)

Center for Infrastructure Assurance and Security (CIAS)

CIAS is developing the world's foremost center for multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security.

Conseal Security

Conseal Security

Mobile app security testing done well. Conseal Security are specialists in mobile app penetration testing. Our expert-led security analysis quickly finds security vulnerabilities in your apps.

Secuna Software Technologies

Secuna Software Technologies

Secuna is the most trusted Cybersecurity Testing Platform in the Philippines. Our pool of vetted security researchers will find and ethically report security vulnerabilities in your product.

Cyber Proud

Cyber Proud

Cyber proud is leading a talent revolution to promote and create an inclusive skilled cyber workforce.

vpnMentor

vpnMentor

We started vpnMentor to offer users a really honest, committed and helpful tool when navigating VPNs and web privacy.

Liberty Technology

Liberty Technology

Liberty Technology has a host of highly trained, certified experts who assist our clients with immediate remote support as well as on-site service.

Rapifuzz

Rapifuzz

At Rapifuzz, our goal is to help organizations test and secure their APIs enabling trust, innovation and Seamless Secured Digital Experiences.

Creative Network Innovations (CNI)

Creative Network Innovations (CNI)

Creative Network Innovations is a leader in providing advanced IT and cybersecurity solutions.