A Landmark Ransom Attack On Healthcare

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Health & Welfare, BUSINESS-Services-Financial

In February this year, Change Healthcare suffered a ransomware attack so large and complex that it was feared - according to estimates from Andrew Witty, CEO of parent company UnitedHealth Group (UHG) - to involve the data of up to 1 in 3 Americans.

Now six months later, and the full scale of the breach is still undetermined, with fallout continuing.

Change Healthcare has only recently (July 29) begun mailing written notices to individuals affected by the incident - which could take considerable time considering the 100s of millions potentially involved - while the financial implications are unfolding in the billions. UHG’s second quarter earnings report, released last month, reveals the total impact of the cyberattack will cost the company between $2.3 billion and $2.45 billion in 2024 (more than $1 billion higher than previously projected).

Suffice to say, it’s easy to see why this particular incident is being labelled the worst cyberattack to ever hit the US healthcare industry.

While it may be one of the worst, it’s certainly not a one-off. There’s no question that due to the growth of remote care, connected medical devices and complex IT environments, healthcare is facing an expanding attack surface, with these new technologies and processes creating more opportunities for cyberattacks. However, this situation is not exclusive to healthcare. Manufacturing, professional services, finance and technology all consistently remain among the top targeted industries for the same reasons.

So what can all types of businesses and organisations learn from this case going forward?

All organisations must strengthen their cybersecurity defences:  It may sound simple and somewhat obvious, but weak cybersecurity defences are often overlooked. With the Change Healthcare case, cybercriminals took advantage of a server that wasn’t protected by multi-factor authentication (MFA). MFA is not only a common and low-cost security measure, but is relatively easy to deploy. While MFA significantly enhances security and reduces the risk of unauthorised access in case passwords are compromised, it should also be part of a broader, multi-layered security strategy that includes encryption, robust firewalls, regular software updates, network monitoring and regular security audits to proactively identify and mitigate potential threats.

Be aware of vulnerabilities in widely-used enterprise software: The threat landscape is evolving, with threat actors increasingly targeting vulnerabilities in third-party software, such as managed file transfer (MFT) services. The recent attacks by the CL0P ransomware group on Fortra's GoAnywhere and Progress Software's MOVEit were a stark reminder of the potential impact of such exploits and led to the Cybersecurity Advisory (CSA)’s #StopRansomware efforts, which involved publishing advisories for network defenders that detail various ransomware variants and ransomware threat actors, as well as solid cyber hygiene advice.

Their advice includes the fact that businesses should be regularly updating and patching systems to address known vulnerabilities, especially in third-party software, as cyberattacks often exploit these weaknesses.

Implementing robust vendor risk management is also essential to ensure software providers prioritise security and provide timely updates, while proactive threat detection tools and strategies can help identify breaches early, reducing potential damage. 

Educate your workforce on the importance of security measures: Does everyone in your organisation know what MFA is and where it should be in place? Do they know how to recognise sophisticated phishing and social engineering attempts? Even for those who are more tech-savvy, recent advancements in GenAI have improved the format and grammar of phishing messages, making them extremely difficult to spot. More up-to-date education is needed alongside clear instructions on what internal security measures should be taken, such as double-checking the sender's email address or using MFA to prevent unauthorised access if your credentials are compromised. It’s also important to educate employees about the risks of third-party software vulnerabilities, as mentioned above, and ensure they follow best practices here too, to avoid security lapses.

Stay adaptable and prepared: Ransomware is a persistent and evolving threat, with a 30% global increase in the number of groups that focus on targeted ransomware and a 71% rise in attacks in 2023 compared to 2022. As authorities collaborate to disrupt more extensive operations, the ransomware ecosystem is fragmenting into smaller, more elusive groups. Threat actors are now adopting multi-extortion tactics, such as data theft and harassment, to pressure victims into paying - as we saw with Change Healthcare. Attackers are also moving at an alarming pace, often exfiltrating data within hours or days of the initial compromise. In a staggering 45% of cases in 2023, data was exfiltrated less than a day after the compromise, leaving incident response teams with little time to contain the threat. As such, organisations need to stay adaptable and be prepared with swift and efficient response measures, so that they’re ready to respond to new tactics as they emerge. Having reliable backup and recovery plans in place - that are frequently updated - is one of the best ways to minimise the impact of ransomware attacks. A good cyber incident response plan (IRP) should detail communication strategies, legal considerations, and recovery procedures. It should define the goals, scope, and types of incidents the IRP covers, and assign specific roles and responsibilities within the incident response team.

Never stand still: The cyber landscape is evolving, not emerging, and so businesses’ approach to preparing, protecting and recovering from a cyberattack must also evolve at the same pace. So as well as continuously updating and auditing cybersecurity measures - not only to ensure nothing is missed, but to adapt to new threats and ensure compliance with the latest security standards - businesses should also be documenting incidents. What lessons can you take from past incidents affecting your business and others, what policies need updating, is training, including simulations for the incident response team, regular enough, is the contact information for your incident response team up-to-date?

Seek expert guidance/support where needed: In statements following the Change Healthcare attack, UnitedHealth said they started working closely with law enforcement and third parties like Palo Alto Networks and Google's Mandiant to assess the damage. Industry associations, crime prevention agencies and cyber insurance providers can all provide businesses with access to expert guidance.

Take cyber insurance providers, for example - as well as financial security, they have cybersecurity analysts and consultants trained in handling cyberattacks and the claims process on hand. These experts can also help victims navigate incident response and recovery.

Most cyber insurance providers also offer free risk prevention services, including vulnerability assessments, threat intelligence, and can assist with cybersecurity training. 

Claud Bilbao is RVP, Underwriting & Distribution UK with Cowbell

Image: Unsplash

You Might Also Read:

Cyber Insurance: What Businesses Need To Know:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« 2024 US Presidential Election Cyber Intrusion: Part 2 - Hostile Nation State Actors
CISOs Guide To Compliance & Cyber Hygiene  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

International Security Management Association (ISMA)

International Security Management Association (ISMA)

ISMA is an international security association of senior security executives from major business organizations located worldwide.

Shinobi Cyber

Shinobi Cyber

Shinobi Defense System is an integrated security system that absolutely secures information with smart, automatic encryption and protects your endpoints by stopping any unauthorized actions.

Very Good Security (VGS)

Very Good Security (VGS)

VGS is the modern approach to data security. Our SaaS solution gives you all the benefits of interacting with sensitive and regulated data without the liability of securing it.

jobsDB.com

jobsDB.com

jobsDB Singapore is a search engine for jobs throughout Singapore.

YouWipe

YouWipe

Scandinavian Data Erasure Leader YouWipe is the number one choice of European Ministries, European Central Banks, Swiss Pharmaceuticals and Major Electronics Retail Chains.

Software Diversified Services (SDS)

Software Diversified Services (SDS)

SDS provides the highest quality mainframe software and award-winning, expert service with an emphasis on security, encryption, monitoring, and data compression.

Phakamo Tech

Phakamo Tech

Phakamo Tech offers a full set of governance, risk, compliance, cybersecurity and Microsoft Cloud services that include consulting, planning, implementation and cyber incident response.

ActZero

ActZero

ActZero’s security platform leverages proprietary AI-based systems and full-stack visibility to detect, analyze, contain, and disrupt threats.

Trianz

Trianz

Trianz Cybersecurity Services are Powered by One of the World’s Largest Databases on Digital Transformation. We Understand Evolving Risks, Technologies and Best Practices.

CACI International

CACI International

CACI is at the forefront of developing and delivering technological breakthroughs that transform and optimize government operations.

Protectt.ai Labs

Protectt.ai Labs

Protectt.ai Labs is India’s first mobile security start up building awareness & providing solutions for mobile app, device & transaction security.

Third Point Ventures

Third Point Ventures

Third Point brings deep technical expertise, a strong network of relationships, and decades of investing experience to add value to our partners throughout their journey from idea to IPO and beyond.

Mayer Brown

Mayer Brown

Mayer Brown is a global law firm. We have deep experience in high-stakes litigation and complex transactions across industry sectors including the global financial services industry.

Epic Machines

Epic Machines

Epic Machines is a Value Added Reseller and Managed Security Services provider offering Security Transformation using Cloud-native solutions to commercial and government markets.

InfoSecTrain

InfoSecTrain

InfoSecTrain are a leading training and consulting organization dedicated to providing top-tier IT security training and information security services to organizations and individuals across the globe

OpenZiti

OpenZiti

OpenZiti is the world’s most used and widely integrated open source secure networking platform. OpenZiti provides both zero trust security and overlay networking as pure open source software.