Securing the Healthcare Industry: Insights from the Frontlines of Change Healthcare Attack

As we look at moments like the Change Healthcare attack, one pressing question looms: why is the healthcare industry such a lucrative target for cyber attackers?

Why is it that the most vulnerable among us are often the most neglected?

I’ve spent years working with cybersecurity professionals, listening to stories of attacks on critical industries, and none hit quite as close to home as those on healthcare.

After all, when we think about healthcare, we don’t imagine a battleground; we picture doctors, patients, families – people whose lives are held together by trust in their caregivers.

But the truth is, healthcare has become a battleground, and the casualties go far beyond data.

Sitting down with Yuval Wollman, President of CyberProof, and Cecil Pineda, CISO of R1 RCM, reminded me just how high the stakes are – and how urgent it is to rethink our approach.

This isn’t just about preventing another high-profile attack; it’s about protecting the most intimate details of people’s lives and ensuring that a place meant for healing doesn’t become one for harm.

Why is the healthcare industry a lucrative target for cyber attackers?

As we look at moments like the recent Change Healthcare attack, one pressing question looms: why is the healthcare industry such a lucrative target for cyber attackers? 

I had the privilege to sit down with Yuval Wollman, President of CyberProof, and Cecil Pineda, CISO of R1 RCM, to break down this very question. The insights were compelling. 

The primary reason, as Cecil elaborates, is the vast amount of sensitive data healthcare systems manage.

Healthcare organizations are complex webs connecting health systems, electronic health records (EHRs), payers, clearinghouses, transcription services, and biotech firms.

With thousands of partnerships, the multitude of access points creates numerous opportunities for attackers to exploit.

1. Sensitive and Valuable Data

Healthcare organizations store vast amounts of sensitive personal data, including:

  • Personally Identifiable Information (PII): Names, addresses, Social Security numbers.

  • Protected Health Information (PHI): Medical histories, diagnoses, treatment information.

  • Financial Information: Insurance details, payment information.

This data is highly valuable on the black market for identity theft, insurance fraud, and other malicious activities.

The average cost of a healthcare data breach is significantly higher than in other industries, reaching $10.93 million in 2023, compared to an average of $4.45 million across all industries.

2. Increasing Digitalization

The digital transformation in healthcare has led to widespread adoption of electronic health records (EHRs), telehealth services, and remote monitoring devices.

As Cecil highlighted, the healthcare ecosystem is a vast web of connectivity involving numerous partners, from health systems and EHRs to payers and biotech firms.

While these technologies and connections improve patient care and operational efficiency, they also expand the attack surface for cybercriminals.

The integration of cloud-based systems and IoT devices further increases vulnerabilities.

3. Poor Cybersecurity Practices

Historically, the healthcare industry has lagged in adopting cutting-edge cybersecurity measures compared to sectors like finance.

According to Cecil, many healthcare organizations are playing catch-up, complicating their defense mechanisms.

The sector typically spends only 6% to 10% of its IT budget on cybersecurity, which is lower than other critical industries. Common issues include:

  • Phishing Attacks: The most prevalent threat, often leading to credential theft and unauthorized access.

  • Lack of Preparedness: Many healthcare entities adopt a reactive rather than proactive approach to cybersecurity, making them ill-prepared for attacks.

  • Third-Party Risks: Breaches often occur through vulnerabilities in third-party vendors and business associates.

In addition, the healthcare sector's heavy reliance on technology further exacerbates its vulnerability.

Any disruption, particularly through ransomware attacks, can cripple an organization's operations.

Yuval emphasized that healthcare is a critical infrastructure, and attackers leverage this to exert maximum pressure.

4. High Stakes and Urgency

Healthcare services are critical, and any disruption can have severe consequences for patient care.

This urgency makes healthcare organizations more likely to pay ransoms to restore operations quickly.

Ransomware attacks can cripple hospital operations, forcing patient diversions and delaying critical treatments.

5. Regulatory and Financial Pressures

Healthcare providers must comply with stringent regulations like HIPAA, which imposes heavy fines for data breaches and non-compliance.

The financial burden of breaches includes not only fines but also costs for remediation, legal fees, and loss of reputation.

The complexity and cost of compliance can sometimes lead to inadequate cybersecurity measures.

6. Historical Breach Data

The frequency and scale of healthcare data breaches have been increasing.

Notable incidents, such as the Anthem breach affecting 78.8 million individuals and the recent Change Healthcare ransomware attack impacting up to one-third of Americans, highlight the sector's vulnerability and the lucrative nature of such attacks.

Change Healthcare Attack by BlackCat: What happened?

One of the most striking examples discussed was the ransomware attack on Change Healthcare by the BlackCat group.

This attack had a widespread impact, shutting down significant portions of the U.S. healthcare system. 

The attackers employed a multi-layer extortion strategy: infiltrating the system early, extracting data, and then issuing a ransom demand.

Even after some ransom was paid, the data was transferred to other groups, perpetuating the cycle of extortion. 

Here's a summary of what happened during the BlackCat/ALPHV ransomware attack on Change Healthcare:

  1. Initial Attack: On February 21, 2024, the BlackCat/ALPHV ransomware group launched a cyberattack against Change Healthcare, a major healthcare technology company owned by UnitedHealth Group.

  2. System Disruption: The attack forced Change Healthcare to take its systems offline, causing widespread disruptions to healthcare operations across the United States. This affected prescription processing, claims management, and other critical healthcare services.

  3. Data Theft: BlackCat claimed to have stolen approximately 6 terabytes of sensitive data, including personal health information, payment details, and insurance records.

  4. Ransom Payment: Reports suggest that Change Healthcare paid a $22 million ransom to BlackCat in an attempt to prevent the release of stolen data and regain access to their systems.

  5. Ongoing Impact: The attack caused significant financial and operational damage, with UnitedHealth Group estimating costs to exceed $1 billion. Many healthcare providers, especially smaller practices, faced severe cash flow issues due to disrupted payment processing.

  6. Security Vulnerabilities: The incident revealed that Change Healthcare lacked proper security measures, including multi-factor authentication on some critical systems.

  7. Aftermath: Despite the ransom payment, BlackCat allegedly reneged on the deal, leading to further complications. The group later disbanded, potentially due to internal conflicts and law enforcement pressure.

  8. Secondary Attack: In a surprising turn of events, a second ransomware group called RansomHub emerged, claiming to have access to Change Healthcare's data and attempting another extortion scheme.

Yuval explained that this attack brought to light the vulnerability of healthcare clearinghouses, which process a large volume of claims.

The incident underscored the need for diversification in clearinghouse partnerships to mitigate risks.

What is sound, prescriptive advice for security professionals in the healthcare industry looking to prepare for future attacks?

For security professionals looking to bolster their defenses and prepare effectively, Cecil and Yuval offer the following strategies:

1. Enhance Incident Response Plans

  • Regularly test and update IR plans to ensure all team members know their roles and responsibilities.

  • Conduct frequent tabletop exercises to simulate real-world incidents and ensure a swift, coordinated response.

2. Foster a Strong Security Culture

  • Encourage open communication and transparency within the team. Employees should feel comfortable speaking up about potential vulnerabilities or issues.

  • Lead by example. Ensure that top executives prioritize cybersecurity and instill its importance throughout the organization.

3. Invest in Training and Education

  • Provide continuous learning opportunities for cybersecurity teams to stay updated on the latest threats and technologies.

  • Cross-train teams to ensure broad coverage of skills and knowledge, reducing reliance on key individuals.

4. Implement Layered Security Approaches

  • Instead of relying on a single platform, adopt a defense-in-depth strategy with multiple layers of security measures.

  • Utilize a diverse set of tools to ensure redundancy and catch threats that may slip through one layer.

5. Strengthen Partnerships

  • Maintain strong relationships with partners and vendors who can provide timely support during incidents.

  • Share knowledge and best practices with other organizations to build a collaborative defense network.

How can cybersecurity vendors assist security professionals?

Cybersecurity vendors play a crucial role in helping healthcare organizations manage and respond to cyber threats. Here are some key ways vendors can enhance their support:

1. Build Long-term Partnerships

  • Move beyond transactional models and focus on developing deep, long-lasting relationships with clients.

  • Understand the unique needs and challenges of healthcare organizations to provide tailored solutions.

2. Provide Comprehensive Support

  • Be available and ready to assist during incidents, offering expertise and resources to address issues swiftly.

  • Offer ongoing training and support to help organizations maximize the effectiveness of the tools and technologies they use.

3. Develop Scalable Solutions

  • Create products that cater to both large enterprises and smaller healthcare providers, ensuring that everyone can access robust security measures.

  • Ensure interoperability and seamless integration with existing systems to enhance overall security posture.

4. Foster Communication and Collaboration

  • Facilitate forums and communities where practitioners can share insights, challenges, and solutions.

  • Engage with organizations regularly to gather feedback and continuously improve service offerings.

5. Stay Ahead of Emerging Threats

  • Invest in research and development to stay on the cutting edge of cybersecurity innovation.

  • Proactively update clients about new threats and recommended countermeasures, helping them stay resilient in a rapidly changing landscape.

For more insights and support, consider reaching out to experts at CyberProof, who are dedicated to guiding organizations through these challenging times.

Until next time,
Dani
