Lessons from Change Healthcare

Almost two months after the debilitating ransomware attack on Change Healthcare, the picture is becoming clearer on what exactly happened. Last Wednesday, UnitedHealth Group (UHG) CEO Andrew Witty testified before the House Energy and Commerce Oversight and Investigations subcommittee. Based on years of experience guiding healthcare companies through catastrophic ransomware attacks, we highlight a few takeaways from the Change incident and what they could mean for the future of cybersecurity standards in the healthcare industry.

๐Ÿ”ท๐“๐ก๐ž ๐€๐‹๐๐‡๐• (๐๐ฅ๐š๐œ๐ค๐‚๐š๐ญ) ๐ญ๐ก๐ซ๐ž๐š๐ญ ๐š๐œ๐ญ๐จ๐ซ๐ฌ ๐ ๐š๐ข๐ง๐ž๐ ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐‚๐ก๐š๐ง๐ ๐ž'๐ฌ ๐ž๐ง๐ฏ๐ข๐ซ๐จ๐ง๐ฆ๐ž๐ง๐ญ ๐ญ๐ก๐ซ๐จ๐ฎ๐ ๐ก ๐‚๐ข๐ญ๐ซ๐ข๐ฑ ๐ฎ๐ฌ๐ข๐ง๐  ๐ญ๐ก๐ž ๐œ๐จ๐ฆ๐ฉ๐ซ๐จ๐ฆ๐ข๐ฌ๐ž๐ ๐œ๐ซ๐ž๐๐ž๐ง๐ญ๐ข๐š๐ฅ๐ฌ ๐จ๐Ÿ ๐š๐ง ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ ๐ญ๐ก๐š๐ญ ๐๐ข๐ ๐ง๐จ๐ญ ๐ก๐š๐ฏ๐ž ๐ฆ๐ฎ๐ฅ๐ญ๐ข-๐Ÿ๐š๐œ๐ญ๐จ๐ซ ๐š๐ฎ๐ญ๐ก๐ž๐ง๐ญ๐ข๐œ๐š๐ญ๐ข๐จ๐ง (๐Œ๐…๐€) ๐ข๐ง ๐ฉ๐ฅ๐š๐œ๐ž, ๐œ๐จ๐ง๐๐ฎ๐œ๐ญ๐ข๐ง๐  ๐ซ๐ž๐œ๐จ๐ง๐ง๐š๐ข๐ฌ๐ฌ๐š๐ง๐œ๐ž ๐Ÿ๐จ๐ซ ๐ง๐ข๐ง๐ž ๐๐š๐ฒ๐ฌ ๐›๐ž๐Ÿ๐จ๐ซ๐ž ๐ซ๐š๐ง๐ฌ๐จ๐ฆ๐ฐ๐š๐ซ๐ž ๐ฐ๐š๐ฌ ๐๐ž๐ฉ๐ฅ๐จ๐ฒ๐ž๐.

Having worked on a number of ransomware incidents attributed to different iterations of the BlackCat group, we can say that this attack methodology aligns with the modus operandi of BlackCat and many other ransomware gangs. The BlackCat organization is known to obtain account credentials through targeted social engineering campaigns, then leverage those credentials to move through victims' systems using sophisticated obfuscation techniques. Once the target organization's sensitive information and critical systems are identified, data is methodically exfiltrated over a number of days or weeks prior to ransomware deployment. Common denominators in a number of our BlackCat matters include: (a) insufficient or non-existent MFA controls; (b) a significant period of time spent conducting reconnaissance in the victim's network, followed by targeted exfiltration of sensitive data; and (c) successful efforts to corrupt and/or outright destroy some or all of the victim's backups.

As this and countless other cyber events demonstrate, failure to implement MFA across all critical platforms in your environment can be a costly, catastrophic mistake. Mr. Witty confirmed to lawmakers that as a result of the incident, MFA is now enabled "across the whole UHG, all of our external-facing systems."

Organizations should conduct a comprehensive risk assessment to identify which systems and platforms are critical for business operations or contain sensitive information. Companies should prioritize implementation of MFA on systems and accounts that store or process legally protected information, business confidential information, intellectual property or trade secrets, and financial transactions, as well as those that provide remote access to internal networks (the Citrix remote-access path used in the Change attack is exactly this category). Additionally, MFA should be deployed on administrative accounts, email systems, and collaboration platforms where a breach could lead to significant data loss or operational disruption. Enabling MFA is not the end of the job: sign-in records for remote-access and administrative systems should be audited periodically for successful authentications that completed without a second factor, since a single exempted or overlooked account is all an attacker needs.
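The following is an added example of that audit, not part of this article or of anything UHG has described. It reads constructed JSON-lines sign-in records (the field names, the application names such as "citrix-gateway", and the sample accounts are all assumptions) and reports successful sign-ins to remote-access or administrative applications that completed without MFA, plus accounts that have never authenticated with a second factor at all.

```python
"""Audit sign-in records for successful authentications that did not use MFA.

Added example. The log format, field names and the set of high-value
applications are assumptions; adapt them to the identity provider in use.
"""
import json
from collections import defaultdict
from datetime import datetime

# Applications that provide remote access to the internal network, hold
# sensitive data, or grant administrative rights. Assumed names.
HIGH_VALUE_APPS = {"citrix-gateway", "vpn", "owa", "admin-portal"}

# Values an identity provider might use to record "no second factor".
NO_MFA = {"none", "", None}

# Constructed sample events (not real logs from any incident).
SAMPLE_LOG = """\
{"ts": "2024-02-12T08:01:10Z", "user": "jdoe", "app": "citrix-gateway", "result": "success", "mfa": "none", "src": "203.0.113.7"}
{"ts": "2024-02-12T08:05:44Z", "user": "asmith", "app": "citrix-gateway", "result": "success", "mfa": "push", "src": "198.51.100.9"}
{"ts": "2024-02-12T09:12:03Z", "user": "jdoe", "app": "vpn", "result": "success", "mfa": "none", "src": "203.0.113.7"}
{"ts": "2024-02-12T09:15:30Z", "user": "svc-backup", "app": "admin-portal", "result": "success", "mfa": "none", "src": "10.0.0.5"}
{"ts": "2024-02-12T10:02:11Z", "user": "bjones", "app": "intranet-wiki", "result": "success", "mfa": "none", "src": "10.0.4.2"}
{"ts": "2024-02-12T10:44:59Z", "user": "jdoe", "app": "citrix-gateway", "result": "failure", "mfa": "none", "src": "203.0.113.7"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def find_mfa_gaps(events, high_value_apps=HIGH_VALUE_APPS):
    """Successful sign-ins to high-value apps that completed without MFA.

    Failed attempts are ignored: the finding is an *access path* that works
    with a password alone, which is what the attacker needs.
    """
    return [
        e for e in events
        if e["result"] == "success"
        and e["app"] in high_value_apps
        and e.get("mfa") in NO_MFA
    ]


def accounts_never_using_mfa(events):
    """Accounts with successful sign-ins but no MFA-protected one anywhere.

    Service accounts typically show up here; they need a different control
    (certificate or key based auth, network restriction) rather than an exemption.
    """
    seen, used_mfa = set(), set()
    for e in events:
        if e["result"] != "success":
            continue
        seen.add(e["user"])
        if e.get("mfa") not in NO_MFA:
            used_mfa.add(e["user"])
    return sorted(seen - used_mfa)


def summarize(events):
    """Map each user with a gap to the sorted list of apps reached without MFA."""
    by_user = defaultdict(set)
    for e in find_mfa_gaps(events):
        by_user[e["user"]].add(e["app"])
    return {user: sorted(apps) for user, apps in by_user.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, apps in summarize(evs).items():
        print(f"{user}: non-MFA access to {', '.join(apps)}")
    print("accounts that never used MFA:", accounts_never_using_mfa(evs))
```

On the sample data the script flags jdoe (Citrix gateway and VPN) and the svc-backup service account (admin portal), and lists bjones as well because the intranet wiki, while not high-value, shows that account has no MFA history either. Run against a real export, the first list is the set of accounts to fix today; the second is the exemption backlog that tends to accumulate unnoticed.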

Moreover, Mr. Witty's admission that Change had to rebuild the company's technological infrastructure from scratch indicates that a complete restoration of the environment was impossible or infeasible. "The attack itself had the effect of locking up the various backup systems which had been developed inside Change before it was acquired. That's really the root cause of why it's taken so long to bring it back," said Witty. Backups that sit on the same network, under the same credentials, as the systems they protect are encrypted along with everything else; at least one copy needs to be offline or immutable and reachable only through separate credentials. To mitigate the scope and severity of a cyber incident, healthcare organizations must pressure test incident response, business continuity and disaster recovery plans at least annually, ideally through tabletop exercises in conjunction with experienced cybersecurity counsel, and must actually restore from backup as part of that testing. Recovery time objectives (RTOs) and recovery point objectives (RPOs) look great on paper but are meaningless without focused, independent testing and validation.

๐Ÿ”ท ๐‚๐จ๐ง๐Ÿ๐ข๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐ญ๐ก๐š๐ญ ๐”๐‡๐† ๐ข๐ง๐๐ž๐ž๐ ๐ฉ๐š๐ข๐ ๐š ๐ซ๐š๐ง๐ฌ๐จ๐ฆ.

Previous reports had only speculated that UHG paid a ransom; Mr. Witty confirmed it, stating that the decision stemmed from "the overriding priority to do everything possible to protect peoples' personal health information." When our clients decide to pay a ransom, the reasons for doing so vary but most often include: the determination that a decryption key is the fastest or only means by which to restore critical systems and data; to soften public perception and demonstrate the organization's commitment to protect customer/consumer information; to discontinue the bad actors' harassment and extortion techniques, which can impact business leadership, employees, customers, business partners and others; to prevent the release or publication of stolen information, i.e., payment comes with a promise from the bad guys that they won't post or sell exfiltrated data; or a combination of all the above.

Experienced cybersecurity counsel brings valuable perspective to organizations facing the unenviable decision of whether to pay a ransom. Clients often question whether the bad actor's promise to suppress data is reliable and whether paying a ransom nullifies legal reporting obligations. It does not: Change still has a legal responsibility to notify impacted individuals that their information was compromised, a process that Mr. Witty said could take several months to complete. As for payment having been predicated on data suppression, BlackCat affiliates associated with the attack have threatened to post the exfiltrated data on the dark web after purportedly not receiving their portion of the ransom payment. With the proliferation of ransomware as a service (RaaS), a business model in which affiliates launch malware developed by operators and split the proceeds, stolen data may be held by a number of different parties involved in the attack, each with varying degrees of accountability and interest in the outcome. A payment to one party buys, at best, that party's promise.

๐Ÿ”ท ๐„๐ฌ๐ญ๐š๐›๐ฅ๐ข๐ฌ๐ก๐ฆ๐ž๐ง๐ญ ๐จ๐Ÿ ๐ฆ๐ข๐ง๐ข๐ฆ๐ฎ๐ฆ ๐ฌ๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐ฌ๐ญ๐š๐ง๐๐š๐ซ๐๐ฌ ๐Ÿ๐จ๐ซ ๐ญ๐ก๐ž ๐ก๐ž๐š๐ฅ๐ญ๐ก๐œ๐š๐ซ๐ž ๐ข๐ง๐๐ฎ๐ฌ๐ญ๐ซ๐ฒ.

Mr. Witty offered this attack as an impetus for change (no pun intended) in how healthcare providers view cybersecurity in the provision of patient care, going so far as to say that "[UHG] support[s] mandatory minimum security standards."

The Security Rule is flexible, scalable, and technology-neutral. For that reason, there is no one single compliance approach that will work for all regulated entities. This publication presents guidance that entities can utilize in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the Security Rule.

Ironically enough, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) had published revised guidance (SP 800-66 Revision 2) for healthcare entities implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule seven days before the Change ransomware attack took place. As the above quote from SP 800-66 Revision 2 reflects, the HIPAA Security Rule does not prescribe specific technical controls; it does not, for example, require MFA by name. With the help of lawmakers, this could soon change. In a concept paper published by HHS in December of last year, HHS reiterated its desire to work with Congress to "enforce new cybersecurity requirements" that, if unheeded, would result in "the imposition of financial consequences."

Healthcare companies shouldn't wait for security measures to become mandatory, but should instead implement or enhance HIPAA Security Rule compliance now, in accordance with SP 800-66 Revision 2 and supplemental NIST guidance such as SP 800-53.

For more information about the Change Healthcare incident and how the resulting industry and regulatory developments may affect your organization, please reach out to a Ritter Gallagher attorney at contact@rittergallagher.com.
