Change Healthcare cyberattack underscores third-party risk management

When BlackCat ransomware actors targeted UnitedHealth Group’s Change Healthcare in February, they set off a chain of events that disrupted the US healthcare system and resulted in financial and operational strain for providers nationwide.

At the time of publication, UHG most recently reported that payment processing by Change Healthcare had been restored to approximately 86% of pre-incident levels. Prior to that, the company had advanced more than $6.5 billion to providers to compensate for some of the financial losses from downed systems.

But the recovery process for UHG and the thousands of impacted providers is far from over. One in five health centers surveyed by the National Association of Community Health Centers (NACHC) have had over half of their revenue impacted by the incident.

An American Medical Association (AMA) survey conducted in late March revealed that more than half of physicians have had to dip into personal savings to manage the financial strain caused by Change systems being unavailable.

At two federal hearings held on May 1, lawmakers grilled UHG CEO Andrew Witty about how the ransomware attack happened, the recovery efforts so far, and what UHG is doing to mitigate the effects of this large-scale ransomware attack.

The hearings yielded several key themes that align with ongoing healthcare cybersecurity trends, including the importance of third-party risk management (TPRM), the perils of not having multifactor authentication (MFA), and the effects of consolidation in healthcare.

Takeaways from the UHG CEO hearings
Witty testified at two hearings, one before the US Senate Committee on Finance and the other before the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations.

At both hearings, lawmakers asked Witty the question that providers and patients have been looking for answers to since ransomware was deployed on February 21: How did this happen?

“The American people—particularly the millions who rely upon Change’s services and those whose information was leaked—deserve answers,” said Rep. Cathy McMorris Rodgers (R-Wash.) during the hearing.

Witty’s testimony did answer several key questions, including how the attackers were able to access Change systems and who decided to pay the $22 million ransom.

Although the investigation is ongoing, Witty’s testimony revealed that threat actors were able to use compromised credentials to remotely access a Change Healthcare Citrix portal on February 12. Nine days later, the cybercriminals deployed ransomware.

“The portal did not have multifactor authentication,” Witty admitted. “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data.”

Witty said that paying the ransom was “one of the hardest decisions” he had ever had to make.

During the testimony, Witty also explained it would likely take “several months of continued analysis” to determine who was impacted by the breach and to issue notifications. He also said that UHG is working with HHS to iron out the breach notification process.

“Those conversations are engaging and I hope we’ll be able to get to a simple solution which takes any of the anxiety notification off everybody else’s shoulders. We want to be able to do that,” Witty said.

Although Witty provided insight into how the attack occurred, many providers are still grappling with the aftermath of the attack.

To Brad Gingerich, VP of payer strategy at Ensemble Health Partners, UHG’s lack of communication about which payers have been impacted by the incident remains its biggest failure, putting operations and staff in jeopardy.

“Even today, months after the breach, many of our clients remain largely in a wait-and-see situation, forcing us to monitor for instances where claim payments or electronic remittance generation cease, which then requires us to pursue workarounds directly with the payers to ensure continued cash flow,” Gingerich said.

“UnitedHealth Group’s silence throughout this situation has already caused so much harm, both with the outcomes that we’ve begun to see and with what’s to come in the future.”

Change cyberattack underscores importance of TPRM
Prior to the Change Healthcare cyberattack, third-party risk management was already a popular topic of conversation among healthcare cybersecurity professionals. After all, the majority of the top ten largest healthcare data breaches reported to HHS in 2022 and 2023 stemmed from third-party vendors.

Considering that Change Healthcare is a critical vendor to healthcare organizations nationwide, the ransomware attack against Change further proved the importance of having effective TPRM strategies.

For example, Health First, an integrated delivery network in central Florida, was one of the many organizations impacted by the Change Healthcare cyberattack and credited its TPRM strategies for getting it through the incident. Health First CISO Kimberly Alkire previously told HealthITSecurity that its third-party security incident runbook was, unfortunately, one of its most used and relied upon runbooks.

Identifying single points of failure, maintaining vendor security assessments, and practicing incident recovery plans are crucial strategies for handling a security incident that originates at a third-party vendor. In light of the Change Healthcare cyberattack, these TPRM considerations will continue to be prevalent.

MFA Remains a crucial, foundational tool
Multifactor authentication is not new, but it remains one of the most effective tools that organizations can use to mitigate risk and prevent intrusions.

“This breach wasn’t caused by a sophisticated nation-state. It came down to a hacker stealing an identity and then, once inside, using that identity to move throughout an organization,” said Yaron Kassner, co-founder and CTO at Silverfort.

Kassner noted that the lack of MFA on the Change Healthcare Citrix portal was an oversight, and one that could have been mitigated.

“Attackers will go after anyone to steal credentials. Every person, not just some, should have MFA in place,” Kassner added.

The HHS Office for Civil Rights (OCR) released a newsletter in June 2023 highlighting the importance of MFA. The newsletter said several breaches could have been prevented had the victim implemented MFA.

“Multifactor authentication makes it more difficult for an attacker to gain unauthorized access to information systems, even if an initial factor such as a password or PIN is compromised, because the requirement of one or more additional distinct factors reduces the likelihood that an attacker will be successful,” OCR stated.

MFA is a long-held best practice, but the Change Healthcare cyberattack confirmed that it is still under-utilized.

Consolidation in healthcare faces scrutiny
In addition to highlighting core cybersecurity tenets such as TPRM and MFA, the Change Healthcare cyberattack fueled further scrutiny of UHG’s consolidation efforts.

“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” said Sen. Ron Wyden (D-Ore.) in his opening statement at the Senate hearing.

“It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack.”

UHG completed its merger of Optum and Change Healthcare in 2022, creating a company that processes 15 billion healthcare transactions per year. Merger and acquisition (M&A) activity in healthcare requires cybersecurity due diligence, but it also makes the resulting company a bigger target for damaging cyberattacks.

“At these hearings, lawmakers made clear that cybersecurity is a shared responsibility for all parts of the health care sector. We completely agree. To protect the health care infrastructure we all depend on, it’s absolutely critical that third-party entities like Change Healthcare share in that responsibility,” stated Rick Pollack, president and CEO of the American Hospital Association (AHA).

“The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected—and could further affect—the delivery of health care for our nation. We believe this examination is long overdue.”

The Department of Justice (DOJ) is actively investigating antitrust allegations against UHG, focused on Optum’s acquisition of multiple physician groups and how its provider-payer model might impact regulatory compliance. Top of Form

“How did consolidation in the health insurance industry reach such a state that a single ransomware attack on one company can cripple the flow of payments and claims for months?” asked Rep. Morgan Griffith, (R-VA) during the House hearing.

Given the effects of the cyberattack, lawmakers will likely continue to probe UHG about their outsized presence in the US healthcare sector, and what that means for patients and providers in the event of a cybersecurity incident. HealthITSecurity