Consolidation blamed for Change Healthcare ransomware attack

During Congressional hearings on Tuesday, the Change Healthcare ransomware attack provoked calls to mandate baseline security standards for healthcare providers.

UnitedHealth Group (UHG) was criticized for its response to a February 2024 attack on its Change Healthcare subsidiary during a three-hour hearing before the House Energy and Commerce Committee.

The BlackCat/ALPHV ransomware group broke into Change Healthcare’s systems and encrypted its data before demanding an extortionate payment to restore access.

Change Healthcare operates the US’s biggest clearing house for medical claims. The disruption caused by the attack hit healthcare providers, hospitals, pharmacies, and patients across the US.

Impacted systems were taken offline in response to the attack. During an earnings call on Tuesday, UnitedHealth Group said it had already incurred $872 million in costs from the attack and the disruption it caused.

The aftershocks

Unconfirmed reports, based on payments to a Bitcoin wallet associated with ALPHV, suggest that Change Healthcare paid a $22m ransom to cybercriminals.

More recently, the self-styled RansomHub group claimed to have obtained stolen data from the Change Healthcare breach, threatening to leak this sensitive information unless it was paid off. The group published samples of stolen data in an effort to bolster its claims.

The US Department of Health and Human Services (HHS) this week launched an investigation into the ransomware attack on Change Healthcare, focused on whether a breach of protected health information occurred and on Change Healthcare’s and UHG’s compliance with the HIPAA privacy and security rules that govern the healthcare sector.

Over the last five years, there has been a 264% increase in ransomware attacks, according to HHS.

Hackers’ playground

UnitedHealth, which owns health insurance businesses, and Change Healthcare merged in 2022.

During the Congressional hearing, E&C chair Cathy McMorris Rodgers (R-WA) warned, “As our healthcare system becomes more consolidated, the impacts of cyberattacks – if successful – may be more widespread.”

Sub-committee member Anna Eshoo (D-CA) described the healthcare sector as a “hackers’ playground” with UnitedHealth a prime target because of its size.

“The attack shows how UnitedHealth’s anticompetitive practices present a national security risk because its operations now extend through every point of our health care system,” Eshoo said. “The cyberattack laid bare the vulnerability of our nation’s healthcare infrastructure.”

Specific minimum cybersecurity standards may need to be mandated for certain healthcare entities, Congressman Frank Pallone said. Pallone also questioned whether consolidation of health technology companies poses an unreasonable risk to healthcare systems.

Senator Mark Warner has proposed a bill to offer support payments to healthcare providers and vendors hit by cyberattacks providing they meet minimum security standards.

Consolidation danger

Consolidation in the healthcare sector more generally poses cybersecurity dangers, Raghu Nandakumara, head of industry solutions at Illumio, pointed out.

“Consolidation clearly provides lots of benefits and economies of scale, but the high level of interconnectivity leads to considerable cyber risks if not managed properly and consistently,” Nandakumara said. “The only way to significantly reduce this risk is through regulation that compels all organizations to achieve the same baseline level of cybersecurity.”

The healthcare sector needs something akin to the EU’s Digital Operational Resilience Act (DORA), a set of regulations for the financial sector. “This harmonizes cyber security standards and mandates that all organizations within the sector implement the same basic level of security controls, such as network segmentation, to reduce risk and build resilience both within each organization and across the sector as a whole,” Nandakumara said.

Kim Wiles, senior product manager and government cyber security expert at Nominet, blamed the breach on “poor cybersecurity preparedness” and “badly managed supply chain and industry consolidation risks.”

“We still don’t know how BlackCat breached Change Healthcare’s network. Security testing and tabletop exercises could have allowed UnitedHealthcare to avoid such a catastrophically systemic outcome from the breach of their new subsidiary. Governments should also expect these exercises to be done and reported to regulators to help them assess the viability of mergers in key industries,” Wiles said.

Incident response plan

The healthcare industry has proven to be a high-value target for cybercriminals, with organizations in possession of sensitive data such as patients’ medical information, hospital bills, and other financial documents.

Healthcare organizations must adopt a comprehensive incident response plan to defend against growing ransomware threats, advised Azeem Aleem, MD of the UK and Northern Europe at Sygnia, an incident response and ransomware negotiation consultancy.

“This involves mapping out critical data, defining key roles for breach alerts, safeguarding essential business operations, and reviewing third-party partnerships for potential data access risks,” Aleem said. “Regular testing of incident response protocols through simulations and wargames helps refine processes, bolster backup strategies, and identify areas needing improvement.”

Kelly Indah, a tech expert and security analyst at Increditools, said that “robust security due diligence during merger planning rather than later” could have helped Change Healthcare.

She also recommended segmenting network access and credentials on a need-to-know basis, and prioritizing security upgrades for legacy or outdated systems that may pose extra risk. “Achieving a robust security posture is no simple task, particularly when an organization experiences major changes like a large merger,” Indah said.
