Healthcare cybersecurity advocate fears damage from Change Healthcare breach has only begun
That’s the thing, everyone associates these hacks with big Russian firms or crime syndicates, but this one was the result of a lack of 2FA on a server that someone phished the credentials for. It wouldn’t be difficult for an amateur to break in.
Well, anyone could have broken in, from what I hear. The security in the Change Healthcare application was pretty disastrous. And having a jump server for remote access without the highest levels of security is plain stupid. At the very least this should have had multi-factor authentication enabled, and really it should have been only accessible via a one-time pass or some form of Privileged Access Management. What Optum was trying to do was to assimilate the Change application and rewrite it, but they plainly hadn’t done due diligence or a proper security risk assessment. They failed to even put remedial security measures in place while they were migrating to new technology.
This was not just a failure of security but a failure in corporate governance, I suspect. CISOs (Chief Information Security Officers) often get the scraps thrown at them and are told to make do. That goes for the size of the security team and the money it has to spend. CEOs and boards would much rather declare windfall profits, which boost their stock options and dividends.
Can you detail how a similar ransomware attack can be thwarted? And why is the post-attack investigation so time-consuming?
First, you need to understand what information assets you have on your network and what risks each of those poses to other systems and the integrity of the entire network. You inventory and risk assess, then you do risk remediation—something that evidently wasn’t done at UHG-Optum. Maybe they missed some assets, maybe they did a lousy risk assessment and pen test. Who knows.
Secondly, you have to identify an attack quickly, so you can stop the attack in its tracks to prevent it spreading laterally across the network. That means eyes on glass, and folks watching what is happening. If you stop the attack quickly, you limit the damage. It’s called ‘containment’: you isolate systems, you preserve forensic evidence for a future prosecution, and then you need to investigate what systems were compromised, in other words ‘where did the hackers go and what data did they touch?’
Now, from what we are told, the hackers were in the system for quite a while before they actually pulled the trigger and started encrypting stuff.
They were inside Change Healthcare’s systems for nine days, reportedly.
Yeah, nine days. So they had nine days to roam around in Change Healthcare’s systems, and you can guarantee that they were looking everywhere and siphoning all kinds of data from various places. A UBA (User Behavioral Analysis) tool should have caught that activity and flagged it, if not outright blocked it.
From a digital forensics perspective, it takes a long time to actually trace all the activity, to make sure that logs haven’t been erased, and figure out what was touched so that they know whose data has been compromised. Then they can apologize, send out letters—which is a HIPAA requirement—to notify patients that their data may have been inadvertently accessed, to provide credit monitoring, and everything else. That’s the process.
I know providers are concerned about the HIPAA notifications being sent out in a timely manner. The AMA had a survey that showed Change Healthcare being down is still impacting independent physicians and smaller hospitals. What does this mean for them long-term?
Oh this breach is hugely impactful. There are small hospitals that will go bankrupt because of this. They will close their doors—and communities will be without doctors, without emergency rooms, without stroke centers, maybe primary care practices. There are certainly a lot of primary care physicians who are massively impacted by this, and a lot of smaller providers will never recover. And of course, patients have suffered too. Patients who were unable to get their life-sustaining drugs for a couple of months! Then there are the pharmacies who gave out drugs to patients without gaining insurance approval and are now trying to submit payment requests manually.
It seems like this chaos will result in more consolidation of healthcare services, because now—if these small hospitals go out of business—they’re going to be purchased by larger firms.
Exactly. There are hundreds of small hospitals going out of business. More than 106 rural health systems have closed in the past 15 years and the pace is accelerating. In fact, I’m hoping to give a presentation to the NRHA Rural Health Clinic Conference in September on this very subject.
We’re seeing patients having to drive several hours to get to an emergency room. We’re seeing stage three, stage four cancer patients who can’t get to radiotherapy and chemotherapy because they can’t get to a hospital with those services, because all the local cancer centers are closed down for financial reasons. We are seeing high-risk pregnancies go unaddressed, simply because patients reside in rural settings without proper healthcare services and can’t drive 2 hours each way to see their obstetric care team.
And the Change Healthcare breach is going to exacerbate the problem. It’s going to push more providers to the very edge of oblivion. This is going to make healthcare less accessible for a lot of people, and their health will suffer as a result.