Lessons from Change Healthcare
Almost two months after the debilitating ransomware attack on Change Healthcare, the picture is becoming clearer on what exactly happened. Last Wednesday, UnitedHealth Group (UHG) CEO Andrew Witty testified before the Oversight and Investigations subcommittee. Drawing on years of experience guiding healthcare companies through catastrophic ransomware incidents, we highlight a few takeaways from the Change incident and what it could mean for the future of cybersecurity standards in the healthcare industry.
• The ALPHV (BlackCat) threat actors gained access to Change's environment through Citrix using the compromised credentials of an account that did not have multi-factor authentication (MFA) in place, conducting reconnaissance for nine days before ransomware was deployed.
Having worked on a number of ransomware incidents attributed to different iterations of the BlackCat group, we note that this attack methodology aligns with BlackCat's and many other ransomware gangs' modus operandi. The BlackCat organization is known to obtain account credentials through targeted social engineering campaigns, then leverage those credentials to navigate victims' systems using sophisticated obfuscation techniques. Once the target organization's sensitive information and critical systems are identified, data is carefully exfiltrated over a number of days or weeks prior to ransomware deployment. Common denominators in a number of our BlackCat matters include: (a) insufficient or non-existent MFA controls; (b) a significant period of time spent conducting reconnaissance in the victim's network, followed by targeted exfiltration of sensitive data; and (c) successful efforts to corrupt and/or outright destroy some or all backup strategies.
As this and countless other cyber events demonstrate, failure to implement MFA across all critical platforms in your environment can be a costly, catastrophic mistake. Mr. Witty confirmed with lawmakers that as a result of the incident, MFA is now enabled "across the whole UHG, all of our external-facing systems."
Organizations should conduct a comprehensive risk assessment to identify which systems and platforms are critical for business operations and that contain sensitive information. Companies should prioritize implementation of MFA on systems and accounts that store or process legally protected information, business confidential information, intellectual property or trade secrets, and financial transactions, as well as those that provide remote access to internal networks. Additionally, the deployment of MFA should occur on administrative accounts, email systems, and collaboration platforms where a breach could lead to significant data loss or operational disruption.
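As an added illustration of the prioritization described above (not code from the original article), the following script triages an account inventory for MFA gaps and ranks them by the criteria the article lists: remote access, administrative privilege, and the classes of sensitive data the account can reach. The inventory, field names and weights are constructed assumptions for this example.

```python
# Added example: rank accounts that lack MFA by the risk criteria the article names.
# Inventory fields and weights are assumptions, not from the article or any product.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    system: str
    mfa_enabled: bool
    remote_access: bool = False        # exposed via VPN, Citrix, RDP gateway, etc.
    admin: bool = False                # administrative account
    data_classes: set = field(default_factory=set)  # "phi", "pii", "financial", "ip"


# Assumed weights: higher means fix first. Remote access without MFA is the
# entry pattern the article describes, so it carries the largest single weight.
WEIGHTS = {"remote_access": 5, "admin": 4, "phi": 3, "financial": 3, "ip": 2, "pii": 2}


def risk_score(acct: Account) -> int:
    """Sum the weights of every risk attribute the account carries."""
    score = WEIGHTS["remote_access"] if acct.remote_access else 0
    score += WEIGHTS["admin"] if acct.admin else 0
    score += sum(WEIGHTS.get(c, 1) for c in acct.data_classes)
    return score


def mfa_gaps(inventory):
    """Return (score, name, system, reasons) for accounts without MFA, highest risk first."""
    gaps = []
    for a in inventory:
        if a.mfa_enabled:
            continue
        reasons = (["remote access"] if a.remote_access else []) \
            + (["admin"] if a.admin else []) + sorted(a.data_classes)
        gaps.append((risk_score(a), a.name, a.system, reasons))
    return sorted(gaps, key=lambda g: (-g[0], g[1]))


SAMPLE = [  # constructed inventory for the example
    Account("svc-remote", "citrix-gateway", False, remote_access=True),
    Account("claims-admin", "claims-db", False, admin=True, data_classes={"phi", "financial"}),
    Account("hr-user", "hris", True, data_classes={"pii"}),
    Account("marketing", "cms", False),
]

if __name__ == "__main__":
    for score, name, system, reasons in mfa_gaps(SAMPLE):
        print(f"{score:2d} {name:<14} {system:<16} {', '.join(reasons) or 'no sensitive attributes'}")
```

Accounts that already have MFA are skipped; the remaining gaps are ordered so that the administrative account with PHI and financial data, then the MFA-less remote-access account, come first.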
Moreover, Mr. Witty's admission that Change had to rebuild the company's technological infrastructure from scratch indicates that a complete restoration of the environment was impossible or infeasible. "The attack itself had the effect of locking up the various backup systems which had been developed inside Change before it was acquired. That's really the root cause of why it's taken so long to bring it back," said Witty. To mitigate the scope and severity of a cyber incident, healthcare organizations must pressure-test incident response, business continuity and disaster recovery plans at least annually, ideally through tabletop exercises in conjunction with experienced cybersecurity counsel. Recovery time objectives (RTOs) and recovery point objectives (RPOs) look great on paper but are meaningless without focused, independent testing and validation.
• Confirmation that UHG indeed paid a ransom.
While previous reports had only speculated that UHG paid a ransom, Mr. Witty confirmed it and stated that the decision stemmed from "the overriding priority to do everything possible to protect people's personal health information." When our clients decide to pay a ransom, the reasons for doing so vary but most often include: the determination that a decryption key is the fastest or only means by which to restore critical systems and data; to soften public perception and demonstrate the organization's commitment to protecting customer/consumer information; to discontinue the bad actors' harassment and extortion techniques, which can impact business leadership, employees, customers, business partners and others; to prevent the release or publication of stolen information, i.e., payment comes with a promise from the bad guys that they won't post or sell exfiltrated data; or a combination of all the above.
Experienced cybersecurity counsel brings valuable perspective to organizations facing the unenviable decision of whether or not to pay a ransom. Clients often question whether the bad actor's promise to suppress data is reliable and whether paying a ransom nullifies legal reporting obligations. Change still has a legal responsibility to notify impacted individuals that their information was compromised, a process that Mr. Witty said could take several months to complete. As for payment having potentially been predicated upon data suppression, BlackCat affiliates associated with the attack have threatened to post the exfiltrated data on the dark web after purportedly not receiving their portion of the ransom payment. With the proliferation of ransomware as a service (RaaS), a growing business model between operators and affiliates in which affiliates launch malware developed by operators, stolen data may be held by a number of different parties involved in the attack, each with varying degrees of accountability and interest in the outcome.
• Establishment of minimum security standards for the healthcare industry.
Mr. Witty offered this attack as an impetus for change (no pun intended) in how healthcare providers view cybersecurity in the provision of patient care, going so far as to say that "[UHG] support[s] mandatory minimum security standards."
"The Security Rule is flexible, scalable, and technology-neutral. For that reason, there is no one single compliance approach that will work for all regulated entities. This publication presents guidance that entities can utilize in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the Security Rule."
Ironically enough, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) had published revised guidance (SP 800-66 Revision 2) for healthcare entities implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule seven days before the Change ransomware attack took place. As reflected in the above quote from SP 800-66 Revision 2, the HIPAA Security Rule does not include mandatory technical standards. With the help of lawmakers, this could soon change. In a concept paper published in December of last year, HHS reiterated its desire to work with Congress to "enforce new cybersecurity requirements," which, if unheeded, would result in "the imposition of financial consequences."
Healthcare companies shouldn't wait for security measures to become mandatory, but rather implement or enhance HIPAA Security Rule compliance in accordance with what is provided in SP 800-66 Revision 2 and other supplemental NIST guidance such as SP 800-53.
For more information about the Change Healthcare incident and how the resulting industry and regulatory developments may affect your organization, please reach out to a Ritter Gallagher attorney at contact@rittergallagher.com.