Recently, the healthcare industry faced a significant threat in the form of a cyberattack on Change Healthcare, a prominent clearinghouse in the field. This event not only disrupted services but also exposed critical vulnerabilities in the cybersecurity practices of healthcare institutions. Understanding what caused the Change Healthcare cyberattack is crucial for preventing future incidents and enhancing the security of sensitive healthcare data.
The Root Cause of the Cyberattack
The cyberattack on Change Healthcare, which began unfolding around February 12th, was primarily enabled by weak authentication on remote access systems. Investigations found that multi-factor authentication (MFA) controls were absent on an application that allowed staff to remotely access systems. This gap runs contrary to industry best practices and left a critical application exposed to cyber threats.
“I think it’s clear that if United had stronger defenses like multifactor authentication, then this could have gone very differently,” Sen. Bob Casey (D-Pa.) said when questioning Witty.
Lack of Multi-Factor Authentication
Multi-factor authentication serves as a cornerstone of modern cybersecurity protocols. It requires users to provide two or more verification factors to gain access to a system, significantly reducing the risk of unauthorized access.
The absence of MFA in Change Healthcare’s remote access systems provided an easy entry point for cybercriminals. These attackers exploited this vulnerability by using compromised credentials to access the healthcare technology company’s systems undetected.
The Cybercriminals’ Tactics
Once inside the system, the cybercriminals did not immediately launch their attack. Instead, they loitered within the US health provider’s networks for nine days. This period of undetected presence allowed them to navigate through the network, identify valuable data, and strategize their next moves without raising alarms. The culmination of this covert operation was the theft of sensitive data followed by the execution of a ransomware attack, encrypting the organization’s files and demanding a ransom for their release.
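The two conditions described above, a remote access application with no second factor and a stolen credential used quietly over several days, can both be surfaced from authentication logs. The following Python example is added here for illustration and is not code from Change Healthcare, UnitedHealth or the original article; the log format, application names, accounts, addresses and dates are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical JSON-lines format (not a real product's log).
# "factors" lists what the application verified before granting the session.
SAMPLE_LOG = """
{"ts":"2024-03-01T08:00:00","app":"vpn","user":"alice","src":"192.0.2.10","result":"success","factors":["password","totp"]}
{"ts":"2024-03-01T09:15:00","app":"remote-portal","user":"alice","src":"192.0.2.10","result":"success","factors":["password"]}
{"ts":"2024-03-02T02:40:00","app":"remote-portal","user":"svc_ops","src":"203.0.113.50","result":"failure","factors":[]}
{"ts":"2024-03-02T02:41:00","app":"remote-portal","user":"svc_ops","src":"203.0.113.50","result":"success","factors":["password"]}
{"ts":"2024-03-06T03:10:00","app":"remote-portal","user":"svc_ops","src":"203.0.113.50","result":"success","factors":["password"]}
{"ts":"2024-03-11T04:05:00","app":"remote-portal","user":"svc_ops","src":"203.0.113.50","result":"success","factors":["password"]}
"""

def parse_events(text):
    """Parse JSON lines and return the successful logins in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted((e for e in events if e["result"] == "success"), key=lambda e: e["ts"])

def is_mfa(ev):
    return len(set(ev.get("factors", []))) >= 2

def apps_without_mfa(events):
    """Applications on which no successful login ever verified two factors."""
    return {e["app"] for e in events} - {e["app"] for e in events if is_mfa(e)}

def single_factor_findings(events):
    """Per (app, user): single-factor logins, sources never MFA-verified, and day span."""
    mfa_sources = defaultdict(set)  # sources from which each user has completed MFA
    for ev in filter(is_mfa, events):
        mfa_sources[ev["user"]].add(ev["src"])
    out = {}
    for ev in (e for e in events if not is_mfa(e)):
        f = out.setdefault((ev["app"], ev["user"]),
                           {"count": 0, "first": ev["ts"], "unverified_sources": set()})
        f["count"] += 1
        f["span_days"] = (ev["ts"] - f["first"]).days  # how long the access has persisted
        if ev["src"] not in mfa_sources[ev["user"]]:
            f["unverified_sources"].add(ev["src"])
    return out

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("apps with no MFA-verified logins:", apps_without_mfa(evs))
    for key, f in single_factor_findings(evs).items():
        print(key, f["count"], sorted(f["unverified_sources"]), f["span_days"], "days")
```

An application that appears in the first result is a candidate for MFA enforcement; an account with a non-empty set of unverified sources and a multi-day span is a candidate for credential reset and session review.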
Financial and Operational Impact on UnitedHealth
UnitedHealth, the parent company of Change Healthcare, reported staggering financial losses due to the cyberattack. The total costs attributed to addressing the repercussions of the February cyberattack during the first calendar quarter of 2024 amounted to an astounding $872 million. Furthermore, to support care providers crippled by the disruption, UnitedHealth extended more than $6 billion in advance funding and interest-free loans, showcasing the profound financial and operational impacts of the cyberattack on the healthcare sector.
Compliance and Regulatory Repercussions
In the aftermath of the attack, UnitedHealth has been navigating complex regulatory waters. Despite the magnitude of the incident, a formal breach notification to the Department of Health and Human Services (HHS) has not yet been made. UnitedHealth Group (UHG) has proposed to handle breach notifications on behalf of its affected customers to simplify the reporting obligations. However, the Office for Civil Rights (OCR) at HHS emphasized the responsibility of all covered entities impacted by the cyberattack to file their own breach notifications in compliance with HIPAA regulations.
Conclusion: Lessons Learned and Moving Forward
The Change Healthcare cyberattack serves as a stark reminder of the vulnerabilities that exist within the healthcare industry’s cybersecurity practices. It highlights the critical need for stringent security measures such as multi-factor authentication and continuous monitoring of access points. As the industry learns from these incidents, it is imperative that healthcare providers not only implement robust security measures but also adhere to compliance and regulatory standards to safeguard against future cyber threats. The journey towards enhanced cybersecurity is ongoing, and it requires diligence, investment, and a proactive approach to security and compliance.
In understanding what caused the Change Healthcare cyberattack, the industry gains valuable insights into how best to protect itself against similar vulnerabilities and ensure the security and privacy of patient data against increasingly sophisticated cyber threats.