3 lessons learned from the Change Healthcare ransomware attack

As the fallout from Change Healthcare’s recent ransomware attack continues, Claud Bilbao, Cowbell’s RVP, Underwriting & Distribution UK, discusses the valuable lessons businesses and regulatory bodies can take from the incident

In late February this year, Change Healthcare – a subsidiary of global health company UnitedHealth Group (UHG) – suffered a cyberattack so catastrophic that UHG CEO Andrew Witty estimated the data breach would impact approximately one-third of Americans.

Testifying in front of the Subcommittee on Oversight and Investigations in May, Witty told lawmakers that UnitedHealth paid a ransom of $22 million in Bitcoin to cybercriminals to protect sensitive data associated with over 100 million patients.

Alongside the financial blow, shutting down the affected server left many doctors temporarily unable to fill prescriptions or get paid for their services. Even now, despite paying the ransom, UHG cannot guarantee that more patients’ information will not be leaked, with Witty admitting he “cannot affirmatively say” that the hackers didn’t make copies of protected or personal data to upload them to the Internet or dark web at a later date.

Unfortunately, this kind of attack is not confined to the USA or the healthcare sector; it is affecting all industries and all regions. Just this year in the UK, for example, a ransomware group put an estimated three terabytes of data stolen from NHS Dumfries and Galloway on the dark web, while a more recent cyberattack impacting NHS pathology labs in London hospitals has left General Practitioners fearing delays to test results and the impact of cancelled hospital appointments.

While the Change Healthcare attack serves as a stark reminder of the risks and costs associated with conducting business in today’s evolving digital era – for businesses, regulatory bodies and insurers alike – there are a number of positive lessons we can take from the incident moving forwards:

Lesson 1 – Cybersecurity measures need enhancing

Cybercriminals accessed Change Healthcare through a server that was not protected by multi-factor authentication (MFA). A common security measure that requires multiple forms of identification to access systems or data, MFA is a relatively easy-to-deploy and cost-effective way to significantly enhance security and reduce the risk of unauthorised access in case passwords are compromised. With this in mind, insurers and regulators must encourage businesses to:

  • Educate users about the importance of MFA and other security measures and how to recognise sophisticated phishing and social engineering attempts. For organisations with a less tech-savvy workforce, providing clear instructions and support here is even more crucial.
  • Ensure that MFA is part of a broader, multi-layered security strategy that includes encryption, robust firewalls, regular software updates, network monitoring and regular security audits to proactively identify and mitigate potential threats.
  • Continuously update and audit cybersecurity measures, not only to ensure nothing is missed but to adapt to new threats and ensure compliance with the latest security standards.
  • Consider adaptive or risk-based MFA that evaluates the context of the login attempt (e.g., location, device, behaviour) and adjusts the authentication requirements accordingly.
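As an added illustration of the adaptive MFA point above, here is example code written for this page, not taken from the article, from Cowbell, or from Change Healthcare. It shows how a risk-based policy can combine login context signals (device familiarity, geolocation, time of day, recent failures, anonymising networks) into a score that selects the authentication requirement. The field names, weights, thresholds and the sample login attempts are all constructed assumptions.

```python
"""Risk-based (adaptive) MFA decision logic.

Added example for this page: not the article's, Cowbell's or Change
Healthcare's code. Field names, weights, thresholds and sample logins are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class LoginContext:
    """Signals gathered about one login attempt (constructed field set)."""
    user: str
    ip_country: str          # country geolocated from the source IP
    device_known: bool       # device fingerprint previously seen for this user
    hour_utc: int            # hour of the attempt, 0-23
    failed_attempts_1h: int  # failed logins for this account in the last hour
    anonymiser: bool         # source flagged as VPN/Tor exit by a reputation feed


@dataclass(frozen=True)
class UserBaseline:
    """Hypothetical per-user profile built from past successful logins."""
    usual_countries: FrozenSet[str]
    usual_hours: FrozenSet[int]


# Weights and thresholds are illustrative assumptions, not published values.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 30,
    "unusual_hour": 10,
    "anonymiser": 20,
    "per_failed_attempt": 10,   # applied to at most 5 attempts
}


def risk_score(ctx: LoginContext, baseline: UserBaseline) -> int:
    """Sum the weights of every risk signal present in the login context."""
    score = 0
    if not ctx.device_known:
        score += WEIGHTS["unknown_device"]
    if ctx.ip_country not in baseline.usual_countries:
        score += WEIGHTS["unusual_country"]
    if ctx.hour_utc not in baseline.usual_hours:
        score += WEIGHTS["unusual_hour"]
    if ctx.anonymiser:
        score += WEIGHTS["anonymiser"]
    score += min(ctx.failed_attempts_1h, 5) * WEIGHTS["per_failed_attempt"]
    return score


def decide(ctx: LoginContext, baseline: UserBaseline) -> str:
    """Map a risk score to an authentication requirement.

    allow   : familiar device and context; the remembered device satisfies
              policy without a fresh MFA prompt
    mfa     : prompt for the user's enrolled second factor
    step_up : require a phishing-resistant factor (e.g. a hardware key) and
              notify the user of the unusual attempt
    deny    : block the attempt and raise an alert for the security team
    """
    score = risk_score(ctx, baseline)
    if score >= 80:
        return "deny"
    if score >= 60:
        return "step_up"
    if score >= 20:
        return "mfa"
    return "allow"


def evaluate_sample_logins() -> Dict[str, str]:
    """Run the policy over constructed login attempts for one user."""
    baseline = UserBaseline(
        usual_countries=frozenset({"GB"}),
        usual_hours=frozenset(range(8, 19)),   # 08:00-18:00 UTC
    )
    samples = {
        "office_known_device": LoginContext("alice", "GB", True, 10, 0, False),
        "new_laptop_in_office": LoginContext("alice", "GB", False, 10, 0, False),
        "new_device_abroad": LoginContext("alice", "US", False, 10, 0, False),
        "repeated_failures_known_device": LoginContext("alice", "GB", True, 10, 6, False),
        "night_tor_new_device_abroad": LoginContext("alice", "US", False, 3, 0, True),
    }
    return {name: decide(ctx, baseline) for name, ctx in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate_sample_logins().items():
        print(f"{name:32s} -> {decision}")
```

The design point is that the weakest outcome still leaves MFA enrolled and enforced for anything outside the user's established baseline; the score only decides whether a known device on a familiar network is re-prompted, whether a stronger factor is demanded, or whether the attempt is refused and surfaced to the security team. In a real deployment the baseline would be learned from an identity provider's sign-in logs and the weights tuned against observed false positives.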

Lesson 2 – Incident response preparedness should be promoted

Rep. Cathy McMorris Rodgers, chair of the House Energy and Commerce Committee, said that UnitedHealth’s handling of the cyberattack will probably be “a case study in crisis mismanagement for decades to come.” This comment highlights the importance of having a well-defined cyber incident response plan (IRP) in place so that in the event of a cyberattack, clear steps including communication strategies, legal considerations, and recovery procedures are laid out. Businesses developing and maintaining a comprehensive IRP should consider:

  • Defining the goals, scope, and types of incidents the IRP covers to ensure clarity and focus.
  • Assigning specific roles and responsibilities within the incident response team and maintaining up-to-date contact information for all members.
  • Implementing tools for detecting incidents, establishing reporting channels, and outlining immediate response actions to contain and mitigate impacts.
  • Defining strategies for isolating threats, removing them from the environment, and restoring systems to normal operations, including thorough testing.
  • Documenting incidents and lessons learned, updating policies accordingly, and ensuring regular training and simulations for the incident response team to improve readiness.

Lesson 3 – Utilise support and expert guidance

Following Change Healthcare’s ransomware attack, UnitedHealth started working closely with law enforcement and third parties like Palo Alto Networks and Google’s Mandiant to assess the damage. But it’s also worth noting that there are further resources available to help businesses. Industry associations, crime prevention agencies and cyber insurance providers can all provide businesses with access to expert guidance. Cyber insurance providers, for example, can offer – alongside a financial safety net – the expertise of cybersecurity analysts and consultants trained in handling cyberattacks and the claims process. These experts can also help victims navigate incident response and recovery. Most cyber insurance providers offer free risk prevention services, including vulnerability assessments, threat intelligence, and cybersecurity training.

While the exposures and losses in the realm of cyber risk might not fundamentally change, underwriters, carriers and ultimately the broader market will need to evolve to meet this new evolution of cyber risk. One example is a more holistic approach to cyber risk management, which incorporates continuous monitoring and real-time data to dynamically refine risk assessments and insurance offerings.

Also, the anticipated introduction of more stringent regulations on personal data collection, usage and disclosure will likely shape the crafting and pricing of cyber insurance policies as insurers will seek to integrate protections to address increased risks and responsibilities. The very essence of underwriting has always been about adaptation and responsiveness to new market dynamics (especially in the cyber market) – that’s why insurance is foundational to a healthy economic system.

Regulatory bodies can also play a crucial role in updating regulations and guidelines regularly to keep pace with evolving cyber threats and establishing mechanisms for businesses to provide feedback on regulatory measures, ensuring they are practical and effective.

We must be constantly improving our cyber security

For businesses, it’s important to remember not to stand still. The cyber landscape is evolving, not emerging, and so businesses’ approach to preparing, protecting and recovering from a cyberattack must also evolve at the same pace.

By staying vigilant and continuously reviewing and assessing exposures and policy language, together policymakers, insurers and businesses can better understand, anticipate, and mitigate evolving risks.