A Landmark Ransom Attack On Healthcare

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Health & Welfare, BUSINESS-Services-Financial

In February this year, Change Healthcare suffered a ransomware attack so large and complex that it was feared - according to estimates from Andrew Witty, CEO of parent company UnitedHealth Group (UHG) - to involve the data of up to 1 in 3 Americans.

Now six months later, and the full scale of the breach is still undetermined, with fallout continuing.

Change Healthcare has only recently (July 29) begun mailing written notices to individuals affected by the incident - which could take considerable time considering the 100s of millions potentially involved - while the financial implications are unfolding in the billions. UHG’s second quarter earnings report, released last month, reveals the total impact of the cyberattack will cost the company between $2.3 billion and $2.45 billion in 2024 (more than $1 billion higher than previously projected).

Suffice to say, it’s easy to see why this particular incident is being labelled the worst cyberattack to ever hit the US healthcare industry.

While it may be one of the worst, it’s certainly not a one-off. There’s no question that due to the growth of remote care, connected medical devices and complex IT environments, healthcare is facing an expanding attack surface, with these new technologies and processes creating more opportunities for cyberattacks. However, this situation is not exclusive to healthcare. Manufacturing, professional services, finance and technology all consistently remain among the top targeted industries for the same reasons.

So what can all types of businesses and organisations learn from this case going forward?

All organisations must strengthen their cybersecurity defences:  It may sound simple and somewhat obvious, but weak cybersecurity defences are often overlooked. With the Change Healthcare case, cybercriminals took advantage of a server that wasn’t protected by multi-factor authentication (MFA). MFA is not only a common and low-cost security measure, but is relatively easy to deploy. While MFA significantly enhances security and reduces the risk of unauthorised access in case passwords are compromised, it should also be part of a broader, multi-layered security strategy that includes encryption, robust firewalls, regular software updates, network monitoring and regular security audits to proactively identify and mitigate potential threats.

Be aware of vulnerabilities in widely-used enterprise software: The threat landscape is evolving, with threat actors increasingly targeting vulnerabilities in third-party software, such as managed file transfer (MFT) services. The recent attacks by the CL0P ransomware group on Fortra's GoAnywhere and Progress Software's MOVEit were a stark reminder of the potential impact of such exploits and led to the Cybersecurity Advisory (CSA)’s #StopRansomware efforts, which involved publishing advisories for network defenders that detail various ransomware variants and ransomware threat actors, as well as solid cyber hygiene advice.

Their advice includes the fact that businesses should be regularly updating and patching systems to address known vulnerabilities, especially in third-party software, as cyberattacks often exploit these weaknesses.

Implementing robust vendor risk management is also essential to ensure software providers prioritise security and provide timely updates, while proactive threat detection tools and strategies can help identify breaches early, reducing potential damage. 

Educate your workforce on the importance of security measures: Does everyone in your organisation know what MFA is and where it should be in place? Do they know how to recognise sophisticated phishing and social engineering attempts? Even for those who are more tech-savvy, recent advancements in GenAI have improved the format and grammar of phishing messages, making them extremely difficult to spot. More up-to-date education is needed alongside clear instructions on what internal security measures should be taken, such as double-checking the sender's email address or using MFA to prevent unauthorised access if your credentials are compromised. It’s also important to educate employees about the risks of third-party software vulnerabilities, as mentioned above, and ensure they follow best practices here too, to avoid security lapses.

Stay adaptable and prepared: Ransomware is a persistent and evolving threat, with a 30% global increase in the number of groups that focus on targeted ransomware and a 71% rise in attacks in 2023 compared to 2022. As authorities collaborate to disrupt more extensive operations, the ransomware ecosystem is fragmenting into smaller, more elusive groups. Threat actors are now adopting multi-extortion tactics, such as data theft and harassment, to pressure victims into paying - as we saw with Change Healthcare. Attackers are also moving at an alarming pace, often exfiltrating data within hours or days of the initial compromise. In a staggering 45% of cases in 2023, data was exfiltrated less than a day after the compromise, leaving incident response teams with little time to contain the threat. As such, organisations need to stay adaptable and be prepared with swift and efficient response measures, so that they’re ready to respond to new tactics as they emerge. Having reliable backup and recovery plans in place - that are frequently updated - is one of the best ways to minimise the impact of ransomware attacks. A good cyber incident response plan (IRP) should detail communication strategies, legal considerations, and recovery procedures. It should define the goals, scope, and types of incidents the IRP covers, and assign specific roles and responsibilities within the incident response team.

Never stand still: The cyber landscape is evolving, not emerging, and so businesses’ approach to preparing, protecting and recovering from a cyberattack must also evolve at the same pace. So as well as continuously updating and auditing cybersecurity measures - not only to ensure nothing is missed, but to adapt to new threats and ensure compliance with the latest security standards - businesses should also be documenting incidents. What lessons can you take from past incidents affecting your business and others, what policies need updating, is training, including simulations for the incident response team, regular enough, is the contact information for your incident response team up-to-date?

Seek expert guidance/support where needed: In statements following the Change Healthcare attack, UnitedHealth said they started working closely with law enforcement and third parties like Palo Alto Networks and Google's Mandiant to assess the damage. Industry associations, crime prevention agencies and cyber insurance providers can all provide businesses with access to expert guidance.

Take cyber insurance providers, for example - as well as financial security, they have cybersecurity analysts and consultants trained in handling cyberattacks and the claims process on hand. These experts can also help victims navigate incident response and recovery.

Most cyber insurance providers also offer free risk prevention services, including vulnerability assessments, threat intelligence, and can assist with cybersecurity training. 

Claud Bilbao is RVP, Underwriting & Distribution UK with Cowbell

Image: Unsplash

You Might Also Read:

Cyber Insurance: What Businesses Need To Know:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« 2024 US Presidential Election Cyber Intrusion: Part 3 - Hostile Nation State Actors
CISOs Guide To Compliance & Cyber Hygiene  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

National Defence Radio Establishment (FRA) - Sweden

National Defence Radio Establishment (FRA) - Sweden

The National Defence Radio Establishment (Försvarets Radioanstalt), is the Swedish national authority for Signals Intelligence, also providing Information assurance services to government authorities.

Team8

Team8

Team8 is Israel’s most prestigious cybersecurity think tank and venture creation foundry.

SevenShift

SevenShift

SevenShift is a security consulting firm with a wealth of experience in the worlds of Cybersecurity and Internet of Things (IoT).

CyberSecurityTrainingCourses.com

CyberSecurityTrainingCourses.com

Cyber Security Training Courses is a portal to help candidates find the best courses to progress their career within the IT security industry.

Smart Contract Security Alliance

Smart Contract Security Alliance

The Smart Contract Security Alliance supports the blockchain ecosystem by building standards for smart contract security and smart contract audits.

European Cyber Security Conference

European Cyber Security Conference

EU Cyber Security Conference will debate what Europe’s response to evolving threats in a dynamic global risk landscape should look like and what the next steps for all actors of the ecosystem.

Jobsite

Jobsite

Jobsite is an award winning job board in the UK providing job listings in the key sectors of IT, Engineering and Finance.

Cyber Smart Defense

Cyber Smart Defense

Cyber Smart Defense is a specialist provider of penetration testing services and IT security audits.

Forum Systems

Forum Systems

Forum Systems is a global leader in API Security Management with industry-certified, patented, and proven products deployed in the most rigorous and demanding customer environments.

Viettel Cyber Security

Viettel Cyber Security

Viettel Cyber Security is an organization under the Military Telecommunication Industry Group, conducting research and developing information security solutions for domestic and foreign customers.

Imageware

Imageware

Imageware is a leader in biometric cybersecurity. Protect against costly, damaging ransomware hacks by employing biometric cybersecurity solutions.

Focus Digitech

Focus Digitech

Focus Digitech helps you with your digital transformation journey with our main core offerings of Cloud, Cybersecurity, Analytics and DevOps.

Covenant Technologies

Covenant Technologies

Make Covenant Technologies the only choice for your IT and cybersecurity recruitment needs. We deliver quality candidates at the forefront of the cybersecurity and IT industry.

ADNET Technologies

ADNET Technologies

ADNET Technologies is a SOC 2, Type II Compliant IT management and cybersecurity firm.

Verastel

Verastel

Specializing in the niche space of proactive cyber-defense, and adaptive resilience, team Verastel is bolstering enterprise digital security like never before.

CASwell

CASwell

Caswell is an industry-leading OEM/ODM specializing in networking, security, SD-WAN, NFV, telecommunication and IoT applications.