Healthcare ransomware incidents are far too common, but none has wreaked as much havoc as the recent Change Healthcare attack. Rick Pollack, President and CEO of the American Hospital Association, stated that “the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” And members of Congress have said that “the breach of Change was tantamount to targeting the health care system in its entirety.”
In late February, the ALPHV/BlackCat ransomware gang claimed responsibility for hacking Change Healthcare, a subsidiary of UnitedHealth Group. The intruders disrupted operations and stole up to 4TB of data, including personal information, payment details, insurance records, and other sensitive information. This led to an unverified ransom payment of $22 million.
Change Healthcare plays a pivotal role in managing clinical criteria for pre-authorization, verifying coverage, and processing patient claims to third parties. After the attack, Change Healthcare was forced to take key operations offline, and the rebooting of their systems has been patchy.
The incident jeopardizes the very survival of countless healthcare providers nationwide due to delays in patient care and reimbursement. The hack generated massive economic and legal shockwaves across the U.S. healthcare industry, from major industry players to small town rural physician practices.
If that wasn’t bad enough, fresh reports have surfaced that Change Healthcare is being extorted again by another ransomware group, called RansomHub, which claims to possess sensitive data stolen in the breach.
How has this unprecedented cyber attack impacted security compliance? Let’s find out.
Change Healthcare cyber attack is detected. The company makes an announcement, disconnects networks, and takes operations offline.
Hospitals, health systems, and pharmacies report disruptions from the attack.
Ransomware group BlackCat claims responsibility for the attack.
The Department of Health and Human Services (HHS) warns hospitals to be wary of BlackCat hackers.
Change Healthcare confirms BlackCat is behind the attack. BlackCat claims to have stolen six terabytes of data from Change Healthcare, including patient Social Security numbers, medical records, and information on active military personnel.
Optum introduces a temporary assistance program for providers without adequate cash flow due to the attack.
BlackCat receives an unconfirmed bitcoin payment worth $22M.
The AHA deems Change Healthcare’s temporary funding program for affected providers inadequate, and US Senate Majority Leader Chuck Schumer asks Change Healthcare to speed up payments to hospitals. Large health systems lose more than $100M a day due to interruptions.
At least five federal lawsuits are filed against Change Healthcare’s parent company, UnitedHealth Group, over the cyberattack.
The AHA says it will take several weeks (or months) before hospitals and other healthcare organizations can fully recover from the attack.
The federal government initiates an investigation into UnitedHealth and Change Healthcare regarding HIPAA compliance in light of the cyberattack.
Change Healthcare’s electronic payments platform resumes operations, with payer implementations in progress. A survey conducted by the American Hospital Association reveals that nearly 94% of hospitals have experienced financial repercussions from the cyberattack.
UnitedHealth Group discloses that it has disbursed over $2B to healthcare providers and is rolling out new software to streamline medical claims preparation. The company successfully reinstates 99% of its pharmacy network services.
Senator Mark Warner (D-Va.) introduces a bill proposing cybersecurity-related conditions for Medicare accelerated and advance payments during cyberattacks.
Change Healthcare asks a U.S. court panel to consolidate at least 24 class actions accusing the payment processor of failing to protect personal data from February’s cyberattack.
Senators Josh Hawley (R-MO) and Richard Blumenthal (D-CT) send a letter to UnitedHealth Group Chief Executive Officer Andrew Witty demanding answers about the attack.
Reports surface that a relatively new ransomware group, RansomHub, issued a demand stating it had acquired the stolen data from a former ALPHV affiliate. RansomHub demands payment to prevent the data from being leaked. Screenshots are leaked that appear to show Change Healthcare data and files, including patient data. The group claims it will sell the stolen data to the highest bidder if Change Healthcare and UnitedHealth refuse to negotiate payment.
A survey conducted by the American Medical Association (AMA) revealed a wide blast radius due to the Change Healthcare cyber incident. The numbers speak for themselves in percentage of surveyed practices affected:
Nearly half of respondents said they’ve been forced to enter new (and potentially costly) arrangements with alternative clearinghouses to conduct electronic transactions. While some practices have received advance payments, temporary funding assistance, and loans, issues persist with all of those measures. Meanwhile, UnitedHealth Group said it’s paid out more than $2B to help health-care providers who have been affected by the cyberattack.
The survey also quoted affected physician practices. Their words reveal the pain being felt across the country:
Due to the widespread damage of the ransomware attack, the Office for Civil Rights (OCR) at the Department of Health and Human Services decided to open a HIPAA compliance investigation of Change Healthcare.
In a “Dear Colleagues” letter, OCR Director Melanie Fontes Rainer said, “[W]e are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”
This is an unusual move by the OCR, but “the breach warrants swift investigation to determine if Change Healthcare and its parent company were fully compliant with the HIPAA Rules,” commented Steve Alder, Editor-in-Chief, The HIPAA Journal.
Long before the recent attack, Change Healthcare had earned HITRUST certification status for its enterprise infrastructure and Change Healthcare Platform. The company’s website says, “HITRUST Risk-based, 2-year (r2) Certified status demonstrates that the organization’s major implemented systems and platforms have met key regulations and industry-defined requirements and is appropriately managing risk. This achievement places Change Healthcare in an elite group of organizations worldwide that have earned this certification.”
The HITRUST certification is meant to send a signal to regulators, customers, and stakeholders that they can trust the strength of a certified organization’s cybersecurity and data protection program. While it would be unreasonable to expect any cybersecurity strategy to be infallible, one wonders how solid Change Healthcare’s defenses actually were if they suffered such a crippling attack.
HITRUST not only provides comprehensive security controls and data security improvement, it’s also the only guaranteed way to achieve HIPAA compliance. In the wake of the Change Healthcare incident, many organizations are scrambling to adopt the HITRUST framework, and for good reason. The HITRUST 2024 Trust Report revealed the HITRUST Assurance Program™ dramatically reduces information breaches, resulting in incredibly low occurrence of breaches — just 0.64%.
The HITRUST framework is widely accepted as a gold standard for compliance, and it’s currently unclear how Change Healthcare may not have fully complied with HITRUST procedures and recommendations. All this has lawmakers posing serious questions to the healthcare service provider.
On April 1, Senators Josh Hawley (R-MO), ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and Subcommittee Chair Richard Blumenthal (D-CT) wrote a scathing letter to UnitedHealth Group Chief Executive Officer Andrew Witty demanding information about the attack.
The letter states that, “While we recognize that UHG was indeed the victim of an outside attack, the entire sector is now the victim of UHG’s lack of preparedness and built in redundancies, which could have potentially mitigated the widespread impact of the breach.”
The senators stated that Change Healthcare was part of U.S. healthcare critical infrastructure processing 15 billion transactions and $1.5T in healthcare claims annually. The company handled as many as one of every three patient records in the country. From the senators’ point of view, “The result of UnitedHealth Group’s failure to properly safeguard against cyber threats and the subsequent, extended outage of its services has been dire.”
Some questions being posed to the company by the lawmakers include:
As the fallout from the Change Healthcare cyberattack continues, the Cybersecurity and Infrastructure Security Agency (CISA) has, coincidentally, published a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.
CISA’s 447-page Notice of Proposed Rulemaking (NPRM) is now open for public feedback through the Federal Register. According to the NPRM, covered critical infrastructure organizations, such as healthcare, will be required to report incidents within 72 hours after a cyberattack has occurred. Ransomware payments must be reported within 24 hours of being made. However, if payment is accompanied by an incident, the organization has 72 hours to comply with reporting.
CISA was tasked to develop the NPRM by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). With this document, CISA aims to enhance the government’s capacity to monitor incidents and ransomware payments. CIRCIA intends to enable a coordinated, informed U.S. response to the foreign governments and criminal organizations conducting these attacks.
As the saga of the Change Healthcare cyber attack continues, the overall impact on the industry remains to be seen. Undoubtedly, the company will conduct damage control for some time as well as in-depth forensic investigation into the exact vulnerability that was exploited in the attack. Meanwhile, the healthcare industry will likely increase its reliance on certifications like HITRUST.
The massive scale of the Change Healthcare incident invites the entire sector to do some serious soul searching. If an organization with such a large footprint was hacked, leading to historic levels of damage, what measures should be implemented to prevent future incidents? Perhaps Red Team testing — where cyber teams act as attackers to find vulnerabilities — will rise in demand. One can only imagine how this would impact the cost of security. Either way, faithfulness to compliance will undoubtedly become even more of a priority.
Security has increasingly become a central player in business decision making. Still, many CEOs seem to have been hedging their bets, either through cyber insurance plans or by simply downplaying the problem, to their peril. But given the damage resulting from the Change Healthcare incident, cybersecurity may catapult to the top of the agenda for business leaders today.
In the aftermath of the Change Healthcare cyberattack, the government campaign for stricter compliance will take on even more importance. We can expect more stringent regulation, tighter controls, and stiffer penalties for non-compliance, which comes as no surprise, as the stakes have never been higher.
The post Understanding the Change Healthcare Breach and Its Impact on Security Compliance appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Hyperproof Team. Read the original post at: https://hyperproof.io/resource/understanding-the-change-healthcare-breach/