Status Update: Change Healthcare Cyber Attack
Digital IT News, Thu, 21 Mar 2024
https://digitalitnews.com/status-update-change-healthcare-cyber-attack/

The situation following the Change Healthcare Cyber Attack continues to cost the United States healthcare system millions of dollars, as well as affecting the lives of patients nationwide. Millions still have difficulty receiving their prescriptions and connecting with insurance for medical services. After weeks of chaos, the United States government has urged healthcare payers to promptly resolve the digital challenges that providers and pharmacies are encountering. Here is all you need to know about the cyber attack to prepare for UnitedHealth’s full return.

Who is Change Healthcare and What Happened?

Change Healthcare, owned by UnitedHealth Group (UHG), is the United States’ largest processor of medical claims and payment cycle management. In short, they connect payers, providers, and patients with the U.S. healthcare system, handling one in every three patient records. This company processes 15 billion dollars in healthcare transactions annually, making it a clear target for outside threats.

On February 21, Change Healthcare discovered that an unauthorized party had gained access to multiple IT systems. According to its public filing with the Securities and Exchange Commission, the company immediately took action, isolating the impacted systems.

That said, major damage was already done. Hackers had accessed patient data, including Social Security numbers, and encrypted company files. The group demanded a hefty ransom to decrypt these sensitive files and threatened to release the data if payment was not received. Since then, Change Healthcare has been offline, causing payment disruptions for tens of thousands of hospitals, physician groups, and other organizations.

The Fallout

Initial reports focused on pharmacies’ inability to fill medications, but three weeks later, the public saw the severity of the issue. The attack has impacted payments to hospitals, physicians, pharmacists, and other healthcare providers across the country. These providers have been left concerned about their ability to care for patients due to the cash flow and coverage uncertainty. However, this has not stopped them. Hospital systems have found workarounds, seeming to take a step back to the stone age of paper documentation. While this has allowed for essential patient care, it is likely that a significant amount of money won’t be paid out due to form misplacement and the lack of formal authorizations.

“Assuming that between 5% and 10% of U.S. health care claims are affected by the attack, providers are losing between $500 million and $1 billion in daily revenue,” Compass Point analyst Max Reale estimated. “Cash-constrained operators will begin to feel the full brunt of the slowdown in payments for services between late March and early April, assuming it takes about 30 to 45 days to process a claim and receive payment.”

Update: The Response

After the attack, on March 1, Optum, the compromised program of Change Healthcare, stepped in to help. They established temporary funding assistance for short-term cash flow needs.

The notice read, “We understand the urgency of resuming payment operations and continuing the flow of payments through the healthcare ecosystem. While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”

Three weeks post-attack, the U.S. Department of Health and Human Services stepped in. They stated, “In a situation such as this, the government and private sector must work together to help providers make payroll and deliver timely care to the American people.”

Further government action ensued. The White House is moving to remove challenges for healthcare providers and address cybersecurity issues. They plan to distribute emergency funds to providers and suppliers facing cash flow issues. In their statement, they called on UnitedHealth and private sector leaders to do the same.

In addition, the Centers for Medicare & Medicaid Services (CMS) has taken steps to reduce disruptions by expediting payments for Medicare providers and suppliers. Specifically, the attack has resulted in a streamlined process for providers to change clearinghouses to ensure payments and insurance plans while preparing the necessary parties for paper claims and submissions.

These efforts are aimed at supporting all providers, but specifically smaller systems that face existential concerns such as making payroll and supporting their most vulnerable patients.

As for the six terabytes of stolen data, the hackers held it hostage for a staggering price of 22 million dollars. Due to the sensitive nature of the data, the White House urged UnitedHealth Group to quickly give in to the hackers’ demands. While only time will reveal the true cost of this breach, it is clear it will alter the way United States medical associations manage their cyber resilience.

Update: The Hackers

Many have reported their suspicions about the hackers’ identity. UnitedHealth suspects the attack was nation-state-associated. The media supports this claim, pointing a finger at ALPHV, also known as BlackCat. This well-known ransomware group has had many names over the years, claiming responsibility for other major attacks globally, including on universities, government agencies and companies in the energy, technology, manufacturing, and transportation sectors. A recent notable attack was the Colonial Pipeline shutdown in 2022. Their hack-and-rebrand practice has made them the target of law enforcement agencies worldwide.

Since payment was posted, BlackCat has shut down all of its servers and ransomware sites. In fact, on March 4, when payment was processed, the group uploaded a fake law enforcement seizure banner.

Security researcher Fabian Wosar commented, “BlackCat did not get seized. They are ‘exit scamming’ their affiliates.” And exit scamming they were.

Assumed BlackCat actors claimed their associates screwed them over, and as a response, they intend to sell the ransomware’s source code for 5 million dollars. 

Update: On the Lookout

There is no real way to know if any of the stolen data was leaked or if the ransomware’s source code will be used again. This makes it vital to increase all organizations’ cyber resilience and keep on the lookout for ALPHV/BlackCat’s rebranded comeback.

Since the hack, the company has been working diligently to safely return online. On March 7, the company restored 99% of Change Healthcare pharmacy network services and on March 15, Change Healthcare’s electronic payments platform began proceeding with payer implementations. The company has scheduled further network testing and software checks starting on March 18.

Protecting Your Organization

This hack reminds all of us how volatile our systems can be, and how important it is to remain proactive with security. Digital IT News received commentary from Netwrix’s VP of Security Research, Dirk Schrader, regarding the best way to protect your organization from threat actors such as BlackCat.

“High dependency of our day-to-day living on proper functioning supply chains is our reality. High-profile attacks affect hundreds of thousands of individuals. Colonial Pipeline or MOVEit stories, attacks on IT service providers like Kaseya and Materna, to name a few, might vary in scale and vertical, but all of them prove the need for a coordinated approach to increase the cyber resiliency of vital services like healthcare, energy, water, transportation, etc. The domino effect of an infiltration of the supply chain can be devastating. Cyber resilience is defined as the ability to deliver the intended outcome despite adverse cyber events, and critical infrastructure is not limited to internal security incidents.”

He later outlined precautions: “Organizations that are part of a critical infrastructure should pay special attention to ensuring they might effectively operate under the ongoing attack and regularly assess the risks associated with their supply chain.” He recommended that all third-party dependencies implement or reexamine a response plan to cover scenarios such as these.

This hack has reminded the world how imperative strong cyber security truly is. Looking forward, we have sneaking suspicions this breach will permanently alter how healthcare needs will be processed and secured.

Smart Factory Cyber Attacks Knock Out Production for Days
Digital IT News, Mon, 29 Mar 2021
https://digitalitnews.com/smart-factory-cyber-attacks-knock-out-production-for-days/

Trend Micro Incorporated revealed that most (61%) manufacturers have experienced cybersecurity incidents in their smart factories and are struggling to deploy the technology needed to effectively manage cyber risk.

Trend Micro commissioned independent research specialist Vanson Bourne to conduct an online survey with 500 IT and OT professionals in the United States, Germany and Japan and found that over three-fifths (61%) of manufacturers have experienced cyber incidents, with most (75%) of them suffering system outages as a result. More than two-fifths (43%) said outages lasted more than four days.

These findings and more can be found in the report, “The State of Industrial Cybersecurity: Converging IT and OT with People, Process, and Technology.” A full copy of the report can be found at https://resources.trendmicro.com/Industrial-Cybersecurity-WP.html.

“Manufacturing organizations around the world are doubling down on digital transformation to drive smart factory improvements. The gap in IT and OT cybersecurity awareness creates the imbalance between people, process and technology, and it gives bad guys a chance to attack,” said Akihiko Omikawa, executive vice president of IoT security for Trend Micro. “That’s why Trend Micro has integrated IT and OT intelligence and provides a comprehensive solution from the shop floor to the office. We’re helping put visibility and continuous control back in the hands of smart factory owners.”

The results from all three countries showed that technology (78%) was seen as the biggest security challenge, although people (68%) and process (67%) were also cited as top challenges by many respondents. However, fewer than half of the participants said they’re implementing technical measures to improve cybersecurity.

Asset visualization (40%) and segmentation (39%) were the least likely of cybersecurity measures to be deployed, hinting that they are the most technically challenging for organizations to execute. Organizations with a high degree of IT-OT collaboration were more likely to implement technical security measures than those with less cohesion. There was a particularly big gulf between organizations with high IT-OT collaboration versus those with little to no IT-OT collaboration in the use of firewalls (66% versus 47%), IPS (62% versus 46%) and network segmentation (54% versus 37%).

Standards and guidelines were cited as the top driver for enhanced collaboration in the United States (64%), Germany (58%) and Japan (57%). The National Institute of Standards and Technology’s (NIST) Cyber Security Framework and ISO27001 (ISMS) were among the most popular guidelines.

The most common organizational change cited by manufacturers in all three countries was appointing a factory Chief Security Officer (CSO).

Trend Micro recommends a three-step technical approach to securing smart factories and keeping their operations running:

  1. Prevention by reducing intrusion risks at data exchange points like the network and DMZ. These risks could include USB storage devices, laptops brought into a factory by third parties, and IoT gateways.
  2. Detection by spotting anomalous network behavior like Command & Control (C&C) communication and multiple log-in failures. The earlier the detection, the sooner attacks can be stopped with minimal impact on the organization.
  3. Persistence is crucial to protect smart factories from any threat that has evaded prevention and detection stages. Trend Micro TXOne Network’s industrial network and endpoint security solutions are purpose-built for OT environments. They work at a wide range of temperatures and are easy to use with minimal performance impact.
