A Landmark Ransom Attack On Healthcare

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Health & Welfare, BUSINESS-Services-Financial

In February this year, Change Healthcare suffered a ransomware attack so large and complex that it was feared - according to estimates from Andrew Witty, CEO of parent company UnitedHealth Group (UHG) - to involve the data of up to 1 in 3 Americans.

Now six months later, and the full scale of the breach is still undetermined, with fallout continuing.

Change Healthcare has only recently (July 29) begun mailing written notices to individuals affected by the incident - which could take considerable time considering the 100s of millions potentially involved - while the financial implications are unfolding in the billions. UHG’s second quarter earnings report, released last month, reveals the total impact of the cyberattack will cost the company between $2.3 billion and $2.45 billion in 2024 (more than $1 billion higher than previously projected).

Suffice to say, it’s easy to see why this particular incident is being labelled the worst cyberattack to ever hit the US healthcare industry.

While it may be one of the worst, it’s certainly not a one-off. There’s no question that due to the growth of remote care, connected medical devices and complex IT environments, healthcare is facing an expanding attack surface, with these new technologies and processes creating more opportunities for cyberattacks. However, this situation is not exclusive to healthcare. Manufacturing, professional services, finance and technology all consistently remain among the top targeted industries for the same reasons.

So what can all types of businesses and organisations learn from this case going forward?

All organisations must strengthen their cybersecurity defences: It may sound simple and somewhat obvious, but weak cybersecurity defences are often overlooked. With the Change Healthcare case, cybercriminals took advantage of a server that wasn’t protected by multi-factor authentication (MFA). MFA is not only a common and low-cost security measure, but is relatively easy to deploy. While MFA significantly enhances security and reduces the risk of unauthorised access in case passwords are compromised, it should also be part of a broader, multi-layered security strategy that includes encryption, robust firewalls, regular software updates, network monitoring and regular security audits to proactively identify and mitigate potential threats.

Be aware of vulnerabilities in widely-used enterprise software: The threat landscape is evolving, with threat actors increasingly targeting vulnerabilities in third-party software, such as managed file transfer (MFT) services. The recent attacks by the CL0P ransomware group on Fortra's GoAnywhere and Progress Software's MOVEit were a stark reminder of the potential impact of such exploits and led to the Cybersecurity Advisory (CSA)’s #StopRansomware efforts, which involved publishing advisories for network defenders that detail various ransomware variants and ransomware threat actors, as well as solid cyber hygiene advice.

Their advice includes the fact that businesses should be regularly updating and patching systems to address known vulnerabilities, especially in third-party software, as cyberattacks often exploit these weaknesses.

Implementing robust vendor risk management is also essential to ensure software providers prioritise security and provide timely updates, while proactive threat detection tools and strategies can help identify breaches early, reducing potential damage.

Educate your workforce on the importance of security measures: Does everyone in your organisation know what MFA is and where it should be in place? Do they know how to recognise sophisticated phishing and social engineering attempts? Even for those who are more tech-savvy, recent advancements in GenAI have improved the format and grammar of phishing messages, making them extremely difficult to spot. More up-to-date education is needed alongside clear instructions on what internal security measures should be taken, such as double-checking the sender's email address or using MFA to prevent unauthorised access if your credentials are compromised. It’s also important to educate employees about the risks of third-party software vulnerabilities, as mentioned above, and ensure they follow best practices here too, to avoid security lapses.

Stay adaptable and prepared: Ransomware is a persistent and evolving threat, with a 30% global increase in the number of groups that focus on targeted ransomware and a 71% rise in attacks in 2023 compared to 2022. As authorities collaborate to disrupt more extensive operations, the ransomware ecosystem is fragmenting into smaller, more elusive groups. Threat actors are now adopting multi-extortion tactics, such as data theft and harassment, to pressure victims into paying - as we saw with Change Healthcare. Attackers are also moving at an alarming pace, often exfiltrating data within hours or days of the initial compromise. In a staggering 45% of cases in 2023, data was exfiltrated less than a day after the compromise, leaving incident response teams with little time to contain the threat. As such, organisations need to stay adaptable and be prepared with swift and efficient response measures, so that they’re ready to respond to new tactics as they emerge. Having reliable backup and recovery plans in place - that are frequently updated - is one of the best ways to minimise the impact of ransomware attacks. A good cyber incident response plan (IRP) should detail communication strategies, legal considerations, and recovery procedures. It should define the goals, scope, and types of incidents the IRP covers, and assign specific roles and responsibilities within the incident response team.

Never stand still: The cyber landscape is evolving, not emerging, and so businesses’ approach to preparing, protecting and recovering from a cyberattack must also evolve at the same pace. So as well as continuously updating and auditing cybersecurity measures - not only to ensure nothing is missed, but to adapt to new threats and ensure compliance with the latest security standards - businesses should also be documenting incidents. What lessons can you take from past incidents affecting your business and others, what policies need updating, is training, including simulations for the incident response team, regular enough, is the contact information for your incident response team up-to-date?

Seek expert guidance/support where needed: In statements following the Change Healthcare attack, UnitedHealth said they started working closely with law enforcement and third parties like Palo Alto Networks and Google's Mandiant to assess the damage. Industry associations, crime prevention agencies and cyber insurance providers can all provide businesses with access to expert guidance.

Take cyber insurance providers, for example - as well as financial security, they have cybersecurity analysts and consultants trained in handling cyberattacks and the claims process on hand. These experts can also help victims navigate incident response and recovery.

Most cyber insurance providers also offer free risk prevention services, including vulnerability assessments, threat intelligence, and can assist with cybersecurity training.

Claud Bilbao is RVP, Underwriting & Distribution UK with Cowbell

Image: Unsplash

You Might Also Read:

Cyber Insurance: What Businesses Need To Know:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.