
Reflecting on the Change Healthcare cyberattack, one year later
In the year since the start of the Change Healthcare cyberattack, the sector has had to confront its systemic security challenges and reflect on the incident's widespread impact.
When the Change Healthcare cyberattack began in February 2024, healthcare organizations nationwide suffered months-long financial and operational disruptions that raised security concerns across the U.S. healthcare system.
Change Healthcare, a clearinghouse that is part of Optum and owned by UnitedHealth Group (UHG), processes 15 billion healthcare transactions annually. In the aftermath of the cyberattack that derailed claims processing nationwide, healthcare organizations had to face the realities of continuing to operate without access to one of their critical vendors.
BlackCat/ALPHV cyberthreat actors claimed responsibility for the ransomware attack and received a $22 million ransom payment as a result. The cyberthreat actors were able to gain access to Change Healthcare by using compromised credentials for a Citrix remote access portal that was not protected by multifactor authentication.
As the story continued to unfold in the weeks and months following the cyberattack, lawmakers and providers questioned UHG on the origins of the cyberattack, how the company would help providers get through the disruptions and whether UHG would lead breach notification efforts. UHG launched a funding assistance program to help organizations manage short-term cash flow needs.
In July 2024, UHG reported a data breach stemming from the cyberattack to federal regulators that totaled 100 million impacted individuals, making it the largest healthcare data breach reported to regulators in history. In January 2025, that total rose to 190 million.
Change Healthcare's services were fully restored by October 2024, and UHG continued collecting repayments from providers who took advantage of UHG's funding assistance program.
In the year since the cyberattack came to light, healthcare leaders have reflected on systemic security challenges in healthcare and are working to ensure that the sector can withstand incidents like this going forward.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
Jill McKeon: Hello and welcome to Healthcare Strategies. I'm Jill McKeon, associate editor of Healthtech Security. Today we are joined by Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, or Health-ISAC. And today we're talking about the Change Healthcare cyberattack. By the time this episode airs, it will have been just about one year since this incident first came to light. It was a cyberattack that really caused widespread disruptions across the U.S. healthcare system and resulted in the largest data breach ever reported to federal regulators, affecting 190 million individuals. So, Errol, welcome. Looking back on this major event, I'm sure there are so many lessons learned and important things to call out. So, I guess to start, let's go back to the beginning. Can you remind listeners the basics of the Change Healthcare cyberattack, what happened and some of the immediate impacts?
Weiss: Yeah, sure. Jill, thanks for having me here today. It's great to be here with you. Really appreciate it. Yeah, it was quite a first few days there for us back, as you said, coming up on a year now, February 21st, when we first learned about a large attack and system outages starting to impact Change Healthcare, only to learn in the coming days that it was a pretty large-scale ransomware attack that was happening. And to your point, we were immediately seeing major impacts to patients and people across the U.S. in every state. Everything from canceled procedures to delayed activities to delayed lab procedures. Procedures that had been previously approved were now suddenly not available, really just making a major impact on any kind of patient healthcare. And then on top of that, it also impacted the ability for people to get prescriptions filled. Again, people across the States could not get prescriptions filled because of the lack of insurance information. And then, in the days following the attack, while the systems were still down and still in recovery mode, we also saw that for healthcare providers who were previously submitting insurance claims, those insurance claims were now not being processed, and there was a cash flow issue causing severe economic issues for those healthcare providers as well. So, a pretty big disruption.
McKeon: For sure, and this affected patients and small and large providers. Really no one was untouched by this event.
Weiss: Right.
McKeon: Thank you for that overview. So, I know your organization, Health-ISAC, plays a key role in facilitating that peer-to-peer intelligence sharing across the sector. I'm curious how Health-ISAC responded to the attack and the approach to keeping your members in the loop, both at the onset of the attack and later on as the weeks and months went on.
Weiss: This is one of the main activities for an ISAC, especially Health-ISAC, for example. So, as we learned about the attack happening on that day, we immediately set up dedicated secure chat channels for our members to get together to be able to share advice, responses, strategies, et cetera. And there wasn't really much being said about what was happening, so there was just a lot of guesswork happening. So, it was great to be able to get our members in one place and start to be able to share really definitive information of what we really knew about what was going on.
And then, more importantly, being able to provide members information and best practices in terms of what they should be doing in terms of reacting to a potential ransomware event at a large-scale partner. And so, in the days that followed, we had about 700 individuals that were on those secure chat channels. I think there were over 1,600 messages that were posted in those days following the incident. The day of the incident itself, we had alerted members about it. We had provided resources to them that they could use in terms of incident response and recommendations on network connectivity as well. Because while Change Healthcare was down for the most part, other systems at the parent company, UnitedHealth Group, were still operating and are key parts of the healthcare industry. So again, we provided some advice there on what to maintain connectivity to. I know that there were some industry calls.
And then in the days that followed, on February 23rd, two days later, we were able to start to get some indicators of compromise from different partners. The next day we shared more indicators of compromise. On that Sunday, February 25th, we actually started getting those IOCs directly from UnitedHealth Group themselves, and we were able to share those with Health-ISAC members and then more broadly. So, by Monday, on February 26th, we were able to push those indicators out to other partners as well, including HHS and CISA, FBI and other partners of ours and other ISACs as well, for example, to really help them make sure that they were protected from this kind of an attack.
McKeon: With such an unprecedented event, I'm sure there were providers everywhere that had so many questions, and it's so useful to have a forum to be able to communicate and get reliable information. This cyberattack, it seems to have exposed a lot of cracks in the foundation of healthcare cybersecurity. Can you shed some light on some of those systemic vulnerabilities and weak points in terms of security in the U.S. healthcare system that this attack revealed that maybe weren't given enough attention before?
Weiss: Yeah, I think we knew how complicated the integrations are within hospital systems, for example, and certainly the number of partners and providers that are connected to that network path and just how complex it is to serve all of these different aspects of the ecosystem to be able to provide healthcare to a patient. And so, I think we knew that, but I don't think it was generally known how central something like Change Healthcare was to the delivery of all of that. Unfortunately, because of the outage, everybody quickly learned how essential that was in providing those services. Some of the recommendations coming out of that were really to start to look at that from a risk management standpoint and to really understand: What does that network really look like? Can anybody with the knowledge of all of these different intricacies help map that out so we can study where those single points of failure might be and try to help from a risk management standpoint to avoid those in the future?
So, could it be everything from maybe identifying alternative suppliers or helping to develop other suppliers, or at least understanding where those concentration risks are so that you can manage around those? The other aspect of it also was just discerning lessons learned and updating your own individual response plans. So, when something like this would happen, you had a better idea of some of the steps that you needed to take in order to protect your own business and livelihood, let's say, and still maintain the ability to deliver critical patient care. One of the major lessons learned there was just which connections were critical and which ones were okay to drop. Again, when a partner is suffering from a ransomware attack, things like exercises and even industry exercises across partners really helped to identify some of those problems. I'm a real advocate of doing those kinds of things in the future to help identify that.
McKeon: For sure. And I remember that coming up a lot, the single points of failure, that term came up a lot in the aftermath of that attack, providers realizing just how fragile things can be when you rely on a single vendor to provide a critical service like that.
Weiss: Right.
McKeon: So yeah, I also wanted to touch briefly on the general climate and the healthcare cyberthreat landscape in the last year beyond this attack. I know that Change Healthcare is a significant third-party vendor, as we were just saying, and this attack really highlighted that third-party risk. So what else has the industry learned about managing third-party risks in both the digital and physical supply chains? I know there's been a couple other notable supply chain attacks that have come to light in the past year.
Weiss: Yeah, supply chain is definitely another top-of-mind issue for CISOs and other risk management professionals in light of what you're alluding to here, that happened this year where we saw critical suppliers of blood and plasma supplies, for example, be impacted and really causing widespread regional catastrophic issues. I'll walk through each one of these real quick. But back in April of '24, we saw Octapharma get hit by a ransomware group called BlackSuit, and that impacted the ability of Octapharma to be able to provide blood plasma supplies to hundreds of hospitals across the U.S. And then a couple of months later in June, Synnovis was attacked by another ransomware group called Qilin, and that impacted the ability of NHS in the Greater London area to provide basic, I'll say, healthcare services; lab services were down. The ability to provide services and procedures for patients was impacted. I think there were like 900 procedures that were canceled that first day, for example, and caused, again, pretty widespread impact in that specific region.
And then lastly, the one I wanted to highlight was OneBlood, which is a blood supplier in the State of Florida and surrounding areas, in July, also got hit by another ransomware group. And it impacted the ability of them to be able to provide blood products to hospitals across Florida. And being here in Florida as well, just trying to keep up on what was going on, talking to some of the hospital CISOs that I knew and really trying to understand what the impact of that was. And they were pretty concerned about what was happening, but were able to keep services running from what I understood at that point. Coincidentally, all three of those ransomware events that I mentioned were from Russian ransomware gangs. And it told me that maybe the ransomware actors have figured out that if they can go after key suppliers like these blood suppliers, plasma suppliers, for example, not only are they potentially vulnerable, but maybe they might be even more inclined to pay the ransomware because of how critical these services are. So, pretty scary.
McKeon: Definitely. Yeah, that's a really important call-out. These cybercriminals are going after the big vendors to have the biggest impact, which is certainly a scary thought. And reflecting back on the Change Healthcare cyberattack as well, that was another vendor where an attack had a major impact on the whole sector. I'm curious how else cyber threats have evolved since then. Are cybercriminals looking at the Change Healthcare cyberattack and feeling more emboldened given the success of that attack? And how are those tactics changing now compared to a year ago?
Weiss: Yeah, I have to agree. I think when you see criminal groups being paid a $21 million ransom, of course, it just reinforces that business model, unfortunately. And then we just see larger ransom demands in the future and more of it. So, it's just really an unfortunate situation and horrific to see the lengths that these criminal groups are willing to go to in order to make a dollar. To answer the question really, I see two concerning trends that started to emerge in 2024, and I think we'll certainly see these this year and for the near-term future as well. The first is continuing on that ransomware extortion issue. We've also seen these criminal gangs. We know they're trying to extort the hospitals for as much as they can, but we've also seen the criminal gangs actually go after the patients themselves. So, they're able to steal a copy of the data while they're doing the ransomware before they start shutting all the systems down. And now that they've got the data, they can actually go through the patient medical records and start to go after each of those individuals and say, "Hey, I'm going to release sensitive photos of you, or maybe sensitive medical records about you maybe seeing a therapist, a psychologist, whatever."
It could be very sensitive information that people obviously would not want to be in the general public. We've seen these kinds of extortion attempts, maybe thousands of dollars to an individual, for example, in order again to make a buck. So, it's really unfortunate to see that kind of trend. And then, the other thing I would just highlight is with all of the wonderful things that we see coming from generative AI, the bad guys use it, too. And so the adversarial use of AI, we'll only continue to see more of it. It will be more innovative attacks, very convincing attacks leveraging AI, everything from deep-fake attacks, so using audio or video to convince someone that they're talking to somebody that maybe they trust, or maybe even more convincing phishing emails that are written in a language that really resonates with the recipient. So, not only am I talking about maybe English versus Spanish or German, but I'm also talking about whatever discipline that person is in. So, if it's a cybersecurity professional or a teacher or a reporter, they can write a custom email that really resonates with the potential victim.
McKeon: It's really interesting and unfortunate to see these cybercriminals, they're going after big companies like Change Healthcare and then, also, individual patients. It shows the importance of cybersecurity on all levels really. So, on a more positive note, I'm sure there are a lot of lessons learned from the Change Healthcare event that will hopefully translate to better security for the whole sector in the future. I'm curious, in your point of view, what progress has been made in the last year or so in securing healthcare organizations? And honestly, to double down on that, do you believe that the sector is better equipped to handle a similar event today?
Weiss: Yeah, I think it's always a game of improving the defenses, while the offense is also improving their game as well. So, can we catch up at any point? It's definitely a tough battle. To try to chip away and answer the question, I think, as I mentioned, after the incident after Change Healthcare, for example, and there were other large-scale ransomware attacks that we saw happening this year, unfortunately, as well, as I mentioned, some of the takeaways from all of that were looking at those systemic risks across the sector, understanding what the data flows look like, trying to identify where the key suppliers were, where the concentration risks were, and trying to come up with some other mitigating controls that the industry could use or help improve security or resilience at those organizations.
And, the Health Sector Coordinating Council has definitely done some work on that in partnership with HHS, for example, working together to identify those points of failure and those other key critical points in the network. And so, there's been some really good work done there, and I'm really looking forward to that work continuing to help improve that. And I mentioned it, and I think one of the keywords coming out of 2024 is going to be resilience. And we learned that lesson on July 19th when that faulty CrowdStrike update happened. In the beginning stages of that, with hospitals losing critical Microsoft Windows systems, for example, it almost felt like a ransomware response. Unfortunately, some of the hospitals who were practicing ransomware responses had their act together during the CrowdStrike disruption so that they could continue to provide key medical and healthcare services. But the reason I wanted to bring it up is it's not just the security anymore. We're also concerned about the ability to continue to function to ensure that the critical hospital functions will continue to operate even while major IT systems are down. So, that term resilience now is something that everybody is taking near and dear to them and looking to see how we can improve those functions, even facing major downtime.
McKeon: As these cyberattacks continue to ramp up across the sector, that will definitely prove to be crucial being able to continue providing that care even during that event. Lawmakers have taken a big interest in the Change Healthcare incident in particular. Do you feel that the Change Healthcare cyberattack moved the needle in the regulatory space when it comes to improving healthcare cybersecurity? Are there any specific initiatives that you're keeping an eye on for the future?
Weiss: Even in 2024, there have been several bipartisan efforts in Congress to push forward different improvements in cybersecurity in healthcare. We'll see what happens in the 2025 Congress now as well and see if any of that continues to move forward. I'm encouraged because, again, all the efforts that I saw in the past were all bipartisan, so maybe we'll still have some promise of those continuing this year. The other thing that we've been tracking is the proposed new HIPAA rules in cybersecurity that we saw come out late December and then formally released in January. I see a lot of really good things in that HIPAA proposal, but I want to provide some cautions there as well. I'm glad to see things like recommendations around the use of multifactor authentication and more risk analysis and incident response plans. I was thrilled to see the mention of participating in something like an Information Sharing and Analysis Center like an ISAC, but implementing many of these recommendations is going to be very difficult and is going to have enormous costs for it. I think about the smaller healthcare providers across the U.S. that don't necessarily have full-time cybersecurity staff, or they have very thin IT operating staff, and that organization is already working on a razor-thin budget as it is. And will they be able to have the resources in order to implement what's being talked about in here? So, I've got a lot of concerns about it, how you would actually fund something like this. So, I think that needs to be looked at as well. I'd love to see something like a virtual CISO program talked about. There's some great promise in there, but we need some help when it comes to the implementation side of it.
McKeon: For sure. Yeah, there's a lot of interesting legislative proposals on the horizon, but we'll see how that all plays out. So, for some final thoughts, what would you say is the most critical takeaway for healthcare organizations on the one-year anniversary of the Change Healthcare cyberattack?
Weiss: I'll split it up into long-term, short-term. I think for the long-term, I'd love to see that work that I mentioned continue about identifying the systemic risks across the healthcare network, really working with the public and private sectors together to be able to identify all that, look for concentration risks, single-source providers, other issues like that, and either help develop alternative providers or figure out some other risk controls or risk mitigations that can be put in place for that. For the short term, I think my suggestions are always about following good cybersecurity practices, cybersecurity hygiene. If you held me down to three, I would say: patch, make sure you're patching, keeping up to date; back your systems up and make sure that those backups work; and then three, use multifactor authentication. If you're ready for the bigger list, you can follow some of the guidance that came out from HHS now a year ago, the Cybersecurity Performance Goals, or CPGs. And I can provide a link to that in the show notes here for this.
And then I'd also recommend that folks participate in an information sharing community. Much like what we read in those new HIPAA recommendations, it talks about how you can learn from the network, how you can learn from the community, stay up to date on threats, and implement best practices by learning from your peers. So, it's a great avenue to share. And if you're listening to me now and you're in the healthcare sector, we'd love to have you join Health-ISAC, but there are lots of other ISACs and information sharing organizations that are out there. So, I would encourage you to find something in your community that you can participate in. And the last thing I would mention is we did publish the Health-ISAC Annual Cyber Threat Landscape Report. And so that report is available on our website now. And, again, I'll provide the link for that in the show notes, and you can check that out and see what some of the big issues were from last year, some of the forecasts that we have about 2025, and what you can better do to protect your organization. And I think more importantly, use the information in there to help prioritize efforts for protecting your organization, your cybersecurity program going forward into 2025 and beyond.
McKeon: Awesome. Thank you so much. And that's great advice, staying connected with your peers in the healthcare space as this cyber threat landscape continues to evolve. Super crucial. So thank you so much, Errol, for sharing your insights and for joining us on this week's episode.
Weiss: Thanks again for having me.
Kelsey Waddill: And thank you, listener, for tuning in. If you liked what you heard, head over to Spotify or Apple and drop us a review. We will be choosing some of our reviews to be read on the show in appreciation. So, keep listening through to the end because you might get name-dropped. See you next time. Music by Kyle Murphy and production by me, Kelsey Waddill. This is an Informa TechTarget production.