February’s ransomware attack is a wake-up call for healthcare execs – and a reminder to leaders in other industries about what can go wrong.

The February 2024 ransomware attack on Change Healthcare put the state of healthcare cybersecurity in the headlines and in front of the US Congress, with aftershocks from the seismic event still being felt.

The monumental impact of the attack was evident nearly immediately. The ransomware group ALPHV (also known as BlackCat) hit Change Healthcare in February, stealing six terabytes of data — including sensitive personal information. The hackers used compromised credentials to remotely access a Change Healthcare Citrix portal, technology that allowed remote access to desktops, on or around Feb. 12. Company officials have acknowledged that the portal was not protected with multifactor authentication, despite MFA being a now-standard enterprise security control.

Dealing with the incident will cost Change Healthcare’s parent company, UnitedHealth Group (UHG), more than $1 billion; that includes lost revenue, direct recovery costs and a $22-million Bitcoin payout to the hacker group.

Others suffered, too. To stem the damage, Change Healthcare went offline, which in turn created a huge backlog of unpaid claims that left hospitals and doctors’ offices with serious cashflow problems and threatened patient access to care.

Damage from the Change Healthcare breach continues to mount

Change Healthcare is one of the largest health payment processing companies in the world and serves as a clearinghouse for 15 billion medical claims each year — some 40% of all claims, according to US government records.

The scope of damage and its cost has grown since the attack first happened. An American Medical Association survey found that 80% of clinicians lost revenue during the breach, 77% experienced service disruptions, 55% had to use personal funds to pay bills, and 44% were unable to buy supplies.
One clinician shared with the survey that the incident “may bankrupt our practice of 50 years in this rural community.”

Consequently, the attack — labeled “the most significant and consequential incident of its kind against the US healthcare system in history” by American Hospital Association President and CEO Rick Pollack — has prompted consumer anger and investigations as well as calls for more regulations and more rigorous evaluations of enterprise defense strategies.

“If the need to be more prepared, to become more resilient, wasn’t clear before, it certainly has been brought into focus by recent events,” says Lee Kim, senior principal of cybersecurity and privacy with the Healthcare Information and Management Systems Society (HIMSS), a nonprofit that promotes health information and technology.

Kim and other cybersecurity leaders say the attack is a wake-up call to executives in all sectors, stressing the escalating consequences and costs of breaches as the world becomes ever more connected.

The state of cybersecurity in healthcare

Research provides a telling look into the state of cybersecurity in the healthcare sector. The 2023 HIMSS Healthcare Cybersecurity study, for example, found that 55% of respondents reported that their organization experienced a significant security incident in the prior 12 months and 12% had suffered a ransomware attack.

The “Study on Cyber Insecurity in Healthcare 2023” from Ponemon Institute, a nonprofit research organization, and security software maker Proofpoint found that 88% of organizations experienced an average of 40 attacks in the prior 12 months, with the average total cost of a cyberattack being almost $5 million. It also found that 64% of organizations had suffered a supply chain attack in the prior two years, 63% had an average of 21 cloud compromises during the prior two years, and 54% experienced an average of four ransomware attacks during the prior two years.
All organizations surveyed had at least one incident in which sensitive healthcare data was lost or stolen.

Yet despite such findings and the magnitude of the Change Healthcare breach, security officials do not consider the healthcare industry a cybersecurity laggard, with multiple sources saying that the sector has made significant improvements in its security posture over the past decade.

Findings from Statista, a German market and consumer data company, back up such assertions. It studied the distribution of cyberattacks across worldwide industries in 2023 and found that healthcare is in the middle, suffering 6.3% — compared to manufacturing at the top of the list with 25.7%.

However, security leaders say those numbers could shift, as healthcare institutions become a more popular target for hackers for multiple reasons.

Why do hackers go after healthcare?

To start, healthcare entities typically hold what hackers see as a treasure trove of data – including Social Security numbers and financial information, says David Brumley, a Carnegie Mellon University professor whose research focuses on software security and CEO of security software company ForAllSecure.

They also often have complex technology environments with both IT systems and operational technology (OT) as well as plenty of legacy tech. All of this creates an expansive attack surface and the potential for more ways in, says John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk.

At the same time, healthcare entities vary in the resources they can invest in security, with small and rural organizations often lacking the money and staff needed to significantly beef up defenses, Riggi and others say.
Yet the healthcare sector is highly interconnected, as the Change Healthcare attack showed, with entities of all types — regardless of security maturity — sharing data, which Brumley says makes third-party attacks both more probable and more potent in healthcare than in other, less interconnected industries.

Moreover, the sector — like most others today — is highly reliant on software vendors to create, deliver and maintain secure products, even though healthcare IT and security leaders usually lack the ability to determine whether those products are truly secure by design, Brumley adds.

And because of the real life-and-death need to access systems and data, Brumley says healthcare entities have shown that they’re willing to quickly pay hackers during ransomware attacks — a fact that makes them a target for future attacks.

Attacks are rising as challenges abound

Indeed, attacks increased quarter over quarter in 2023, according to the 2023 Q4 Cybersecurity Trends and Threats in the Healthcare Sector report from Health-ISAC. The report showed that ransomware attacks against healthcare increased from just under 60 in Q1 to more than 140 in Q4.

Meanwhile, security leaders within the healthcare sector have faced — and continue to contend with — significant and sometimes sector-specific challenges in addressing the factors that make them a target and that raise the chances of a successful attack.

Many security leaders report that they don’t have adequate resources to implement the needed security measures because they’re often competing with pricey life-saving medical equipment for the limited funds available to spend, Kim says. Furthermore, he says their complex technology environments can make applying and creating security in depth not only more challenging but more costly, too. That, in turn, makes it less likely for CISOs to get the resources they need.
Security teams in healthcare also have more challenges in updating and patching systems, Riggi explains, as the sector’s need for 24/7 availability means organizations can’t easily go offline — if they can go offline at all — to perform needed work.

Healthcare security leaders also have a rapidly expanding tech environment to secure, as both more partners and more patients with remote medical devices become part of the sector’s already highly interconnected environment, says Errol S. Weiss, chief security officer at Health-ISAC. Such expansion adds to the challenges, complexities and costs of implementing security controls, and it raises the risk that a successful attack against one point in that web will impact many others.

“The amount of complexity, the interconnectedness, the number of external partners and providers that are part of this giant ecosystem all make the task of securing healthcare systems so difficult and so enormous,” Weiss says.

Healthcare is taking steps to improve security

As is the case in other industries, the healthcare sector is working to improve its security posture. For example, 55% of respondents to the HIMSS survey reported that their 2023 security budgets were higher than the previous year’s budget. (That’s up from the 52% who saw a year-over-year increase in the 2022 survey.) Looking ahead, 58% of respondents said they expected their budgets for 2024 to be higher than their 2023 budgets.

The HIMSS survey also found that security is now a board-level concern, with 62% saying their boards oversee cybersecurity risk and 68% saying their directors get regular briefings on cybersecurity risk.

“Today healthcare CEOs are talking about attack surface and risk. That’s a conversation that five or 10 years ago would never have happened,” says Nitin Natarajan, a deputy director at the US Cybersecurity and Infrastructure Security Agency (CISA).
Natarajan and others highlight additional steps the healthcare sector is taking to boost security, citing as examples the US Food and Drug Administration’s 2023 guidelines for secure-by-design medical devices and the increasing level of information-sharing that happens via various channels such as the Health-ISAC. In fact, Health-ISAC’s Threat Operations Center (TOC) published 1,044 targeted alerts in 2023 to member and nonmember organizations — a 281% increase over the number of alerts sent in 2022.

“The industry is investing more in security; they’re stepping into the problem. We could argue they should have been doing it sooner, but they are making progress,” says Robert Booker, chief strategy officer at HITRUST, an organization that delivers data protection standards and certification programs, and chair of the Healthcare Third-Party Risk Management Alliance.

The Change Healthcare attack is pushing the industry to make even more improvements, security officials say. Booker, a former CISO at UnitedHealth Group, says the attack also serves as a blaring reminder to healthcare organizations to “make sure you focus on the basics and essential security measures, like multifactor authentication, have them where you need them, which is everywhere, and have a way to know that what you’re doing is right, have an assurance capability that shows your stuff is working.”

Calls for more healthcare organizations to tighten security

Authors of the HIMSS report also called for more to be done, for instance, writing that “while almost two-thirds of respondents indicated that their board of directors are regularly briefed regarding cybersecurity risk, this number needs to be higher. Ideally, more healthcare organizations will embark upon the proactive journey of regularly briefing their boards of directors.”

The authors additionally called out the need for more supply chain risk management: “Less than half of respondents (41.92%) to this survey indicated that their organization has established a cybersecurity supply chain risk management program. The remainder of respondents (58.08%) indicated that they either did not have such a program or were unsure. The risk of not having a robust cybersecurity supply chain management program is that there may be too much dependency on one vendor or supplier.”

And HIMSS officials advocated for healthcare entities to adopt the NIST Cybersecurity Framework Version 2.0 and the recently released US Department of Health and Human Services’ voluntary cybersecurity performance goals (CPGs).

Others agree that such moves need to happen — and happen fast. Sen. Ron Wyden, a Democrat representing Oregon and one of many US lawmakers calling for more scrutiny of UHG in the aftermath of the attack, has criticized the slow pace of action. He has faulted the Biden administration’s timeline for putting healthcare cybersecurity regulations in place — saying the year-end goal is too far out.

“Every new devastating hack hammers home the need for mandatory cybersecurity standards in the healthcare sector, particularly when it comes to the largest companies that millions of patients depend on for care and medicine,” Wyden says in a statement to CSO. “Without action, patients’ access to care and their personal health information will be compromised and ransomed by hackers over and over again.”

Weiss says healthcare security leaders and other sector executives got that message and are working to learn lessons from the Change Healthcare incident and to implement additional security measures to improve their own security posture and their own resilience.
Benjamin Luthy, program director of cybersecurity and an adjunct professor at Champlain College Online, says it’s a worthwhile exercise: “Everyone can learn a lesson; anyone who leads a security or information technology program can learn from this.”