Two weeks after a ransomware attack on Change Healthcare was first discovered, the organization is still struggling to bring its systems back online - and patients, healthcare providers and hospitals are receiving the brunt of the impact.
Change Healthcare, which merged with Optum Healthcare in 2022 and is owned by UnitedHealth, first detected the attack on Feb. 21 and has attributed it to the Blackcat/ALPHV ransomware group. The company, which has since been working with Mandiant and Palo Alto Networks, has reportedly paid a $22 million ransom.
The company said on Thursday that it expects key system functionalities to be restored by mid-March. Pharmacies are still unable to submit claims, with 10 percent of claims facing interruptions; and at the same time, UnitedHealth said a “small percentage” of providers have still been facing issues with the company’s payment systems. These systems that allow hospitals and pharmacies to fill prescriptions, submit insurance claims and receive payments are both reducing cash flow for hospitals and, most importantly, leading to delays in providing patient care.
The long-term impacts of the incident - what it means for the company itself, for the hospitals and providers that have been impacted by the attack, and for how healthcare cybersecurity is viewed as a whole - are still yet to be seen. However, what we do know is that the attack is incredibly widespread. Change Healthcare is the product of several acquisitions over the years that put it in a position to expand its services across the industry. The disruptions from the attack not only highlight this, but also paint a picture of the sheer interconnectedness of the public health system and modern critical infrastructure as a whole, said Beau Woods, founder and CEO of Stratigos Security.
“Obviously prescriptions are important, and pharmacies are important, but I don’t think most people think about the degree to which, A, pharmacological medicine is part of our day to day life, and B, how interconnected all of those systems are,” said Woods. “When you have disruption, you find out really quickly where the tendrils of those dependencies go, and this is one more such case where we weren’t looking at those interconnections as systemic risks, and all of a sudden we find ourselves faced with one, not through a deliberative process of finding them early, but because a bad actor took them down.”
Industry Calls For Help
Both healthcare organizations and lawmakers have called for measures to help assist the companies that are dealing with the fallout from this attack. Earlier this week, Senate Majority Leader Chuck Schumer (D-NY) sent a letter to the Centers for Medicare & Medicaid Services (CMS) urging it to use the Accelerated and Advance Payment Program - enabling CMS to make payments to hospitals before receiving claims from them - to help hospitals under financial duress due to the attack.
As a way to help providers impacted by the incident, the Department of Health and Human Services did announce some flexibilities, and UnitedHealth set up a Temporary Funding Assistance Program. However, groups like the American Hospital Association said that these efforts were hampered by challenges like limited eligibility, and instead called on the executive branch of the U.S. government to bring in legislation that would help at a wider scale.
“While health care providers continue to implement manual workarounds to mitigate the impact on patient care, we continue to press Congress, the Administration and UnitedHealth Group to step up their efforts to respond to this unprecedented incident,” said Rick Pollack, president and CEO of the American Hospital Association on Wednesday.
The company and incident will likely be scrutinized in the coming months. Change Healthcare’s parent company UnitedHealth, for its part, said in both its Form 8-K filed Feb. 22 and Form 10-K filed Feb. 28 that “as of the date of this report, we have not determined the incident is reasonably likely to materially impact our financial condition or results of operations.”
The determination of materiality, as outlined under the SEC’s cyber rule that went live late last year, would give a better sense of the type of impact of this incident. However, Merritt Baer, CISO and advisor to expanso.io and balkan.id, said that the company is leaving the materiality determination open for now, likely due to hesitation around making a definitive conclusion that would trigger other obligations and concerns.
“But whether this approach is effective to buy time, will come down to SEC enforcement,” said Baer. “UnitedHealth will need to make a call here and we will see if the SEC determines that it did so within the prescriptive standards they described in the cybersecurity rules.”
Healthcare Security Challenges
The incident shows the potential for crippling disruption that cyberattacks can have in the healthcare industry, which has already been seen in various attacks over the years. Some ransomware incidents have impacted the efficiency of healthcare processes, with hospitals being forced to divert patients away from their emergency departments or reschedule appointments and surgeries, for instance.
The healthcare space faces unique challenges in securing devices, with many organizations relying on legacy devices that in some cases are 10 to 20 years old. At the same time, the types of data at stake in cyberattacks is also potentially extra sensitive, ranging from data about medical conditions to personal identifiable information (PII), all of which can be sold on underground forums, used for insurance fraud or identity theft and other malicious activities.
For ransomware actors, this sector has been a lucrative space, with groups like Conti, Karma FIN12 and Hive targeting hospitals, providers and clinics over the years. U.S. government agencies in 2022 warned that the healthcare sector of this threat after a cybercrime group called Daixin Team launched ransomware attacks against organizations in the public health space, using security weaknesses around virtual private network (VPN) servers as an initial access vector.
Woods hopes that the Change Healthcare incident will help spread awareness and create a sense of urgency around these types of security challenges in the healthcare sector. Security teams should adhere to the cybersecurity basics in the healthcare sector - including patch management, avoiding default credentials and implementing multi-factor authentication - but access to resources across the sector is unevenly distributed.
“I hope that this will [help] create more of an ability to make that change, by maybe opening the eyes of people who haven’t been looking at these issues or haven’t had that sense of urgency,” said Woods.