Reimagining Cyber - real world perspectives on cybersecurity

Change Healthcare Under Siege: Anatomy of a Cyberattack - Ep 89

March 20, 2024 Reimagining Cyber Season 1 Episode 89

In this episode, Rob and Stan delve into a recent cyber attack targeting Change Healthcare, a key player in the healthcare sector. They highlight the unprecedented nature of the breach, its implications, and the collaborative efforts undertaken to mitigate its impact.

Change Healthcare, based in Nashville, Tennessee, disclosed the cyber attack on February 21st, causing significant disruptions across the healthcare ecosystem. The breach impacted various services, including claims processing and clinical decision support, affecting hospitals, pharmacies, and patients alike.

The attackers, identified as the ransomware group BlackCat, operated on a ransomware-as-a-service model. The hosts discuss the complex web of ransomware operations and affiliate relationships, shedding light on the intricate nature of cyber threats facing the healthcare industry.

The breach triggered a swift response from government agencies, with the Medical Group Management Association requesting assistance from the Department of Health and Human Services (HHS). HHS issued statements and provided alternative electronic data interchange options to minimize disruptions in patient care.

Rob and Stan look at the critical need for cybersecurity resiliency in the healthcare sector. They discuss proposed measures, including the adoption of HHS cybersecurity performance goals and the streamlining of funding opportunities to bolster cybersecurity defenses.


[00:00:00] Rob Aragao: Hello everyone. Welcome back to another episode of Reimagining Cyber. Rob here with Stan, and Stan, I think you want to kind of put a little note out there to the listeners.

[00:00:07] Stan Wisseman: I do, Rob, because unfortunately there's some potential noise that'll creep into the episode that I can't control. I'm having a new patio put into the backyard.

[00:00:18] And it may actually generate some background noise as they saw through stone. It is the zoo back there. I think there are like six people working on this. So again, if, if our producer Ben is, is able to mitigate the sounds, that's great, otherwise we can just ignore it. And I'll be happy to share pictures of the finished product when it's done.

[00:00:39] Actually, I'd love to have you down for a beer sometime, Rob, but you know what? But you're in Boston and I'm down here and that's okay. 

[00:00:46] Rob Aragao: It doesn't matter. I mean, you have, you are having a fire pit put into, I assume, 

[00:00:50] Stan Wisseman: I am, I am. I have a fire pit too. 

[00:00:52] Rob Aragao: There you go. We like the fire and a couple, you know, drinks by the fire.

[00:00:56] There you go. Well, Stan, [00:01:00] enough about the patio. Let's move on to today's conversation, Stan. Okay. We're going to cover a topic on an unfortunate breach that's occurred recently in the healthcare sector. You know, we typically haven't kind of delved into security breaches, specific ones, in the past.

[00:01:17] We've touched on a couple, right? They'll come up in conversation, but this one's pretty important in the ramifications and the impact it's had across so many different parties, and so much that's happened in collaboration to kind of get it on the right path and hopefully help warrants our attention, right?

[00:01:34] Rob Aragao: Yeah, hopefully help in the future for sure. For sure. So what we're going to discuss is the cyber attack on Change Healthcare. And let me kind of kick things off and share with everyone a little bit of background. So this is right now being labeled by the American Hospital Association as the most significant and consequential incident against the U.S. healthcare system to date.

[00:01:53] That says a lot right in that statement from, again, the American Hospital Association. So [00:02:00] Change Healthcare, who are they? Right. So they're based in Nashville, Tennessee. They're a subsidiary of UnitedHealth's Optum division, and they're a health information exchange, right?

[00:02:07] They're a platform that provides services ranging from claims processing, appeals management, payments, as well as clinical decision support back out to, obviously, you know, a multitude of different healthcare providers. And so back on the 21st of February, they disclosed that they were being impacted by a cyber attack.

[00:02:26] They were doing some really good things. We'll get into more of that as it related to collaboration, with, you know, working with different law enforcement entities, as well as pulling in some cybersecurity expertise to help them with the investigation and get some isolation done on what was occurring in their environment.

[00:02:41] So let's talk first about, in essence, the impact. And we'll get into kind of what actually was happening. So the impact of basically Change Healthcare as an environment being held for ransom and locking things down really was quite dramatic, right? It ranges from pharmacies to hospitals and medical [00:03:00] claims that are coming in from patients.

[00:03:01] And so if you think of it this way, right, physicians and hospitals unable to issue prescriptions, pharmacies can't fill prescriptions, right? They can't get the information to do so. Individuals unable to make any health claims and obviously unable to get their prescriptions as well. So again, just think about that chain effect that actually took place because of what was happening at Change Healthcare.

[00:03:23] You know, when you look at their world at Change Healthcare and what we've kind of come to learn, some things through rumor mills, but other things kind of being, you know, more accurate as it's being disclosed. There's a perspective that, you know, the unauthorized access to Change Healthcare, you know, may have come in through a third-party piece of software. Still to be determined; that company's saying no.

[00:03:45] Which is not 

[00:03:45] Stan Wisseman: unusual, right? I mean, it takes a while sometimes to ferret out the details of what an incident's real root cause was, right?

[00:03:53] Rob Aragao: There's going to be quite some time that goes into the investigation for proper attribution. Now, Change Healthcare, as they're going through right now.

[00:03:59] [00:04:00] Now you have this unauthorized access, right? They're going through the different systems. They're locking things down, right? So now they're basically kind of getting pulled out, where their operations are coming to a standstill. So what's Change Healthcare do? They at that point decided, hey, we're going to disconnect, and they disconnected about 110 or so different services to help prevent, right?

[00:04:19] That kind of further propagation out to other environments throughout their ecosystem. 

[00:04:23] Stan Wisseman: And again, as I mentioned, kind of control the, sort of, the impact, reduce

[00:04:29] Rob Aragao: it, minimize it. Right. Absolutely. Absolutely. You know, I mentioned earlier that they were very much quick to engage law enforcement and, again, pulling a security company, or a couple of security companies in this case, in to investigate, try to figure out and contain this, to your point.

[00:04:43] And so they did that, right. They were able to kind of get that going. Now, fast forward about a week, on the 28th of February. So here comes a ransomware group called Black Cat, and they are claiming responsibility for the actual attack. [00:05:00] So let's talk about who they are, right? So Black Cat, they operate as a ransomware-as-a-service, basically, business model, right?

[00:05:06] Think back to episode 40, we're talking Inside Cybercrime, Ravid Labe comes in. It's a business, a perfect example of the type of business model that Black Cat actually is operationalizing. Right. And so what's kind of interesting in this case is that Black Cat has their affiliates, right? So they provide ransomware as a service.

[00:05:27] So they provide the ransomware back to the affiliates and say, hey, go have at it, target different victims, and then you're going to get a share of the ransom that's paid out back to you. Now, Black Cat is also who was affiliated with what just occurred late, or September, I guess, August timeframe, with Caesars and MGM, right?

[00:05:49] The Vegas breaches, right? Get this, Stan, you'll appreciate this. They're also the group that actually filed a formal complaint with the SEC recently [00:06:00] that one of their previous targets, MeridianLink, had failed to disclose a breach to the SEC. Right, which we've discussed many times. So they're out there doing that.

[00:06:10] And by the way, it's rumored that they also were connected with the DarkSide ransomware group that was implicated as part of the Colonial Pipeline attack back in 2021. The clock keeps going. On that same day, the 28th of February, the Medical Group Management Association comes out, and this is a group that represents over 60,000 medical practices, and they request assistance from HHS, right?

[00:06:31] Health and Human Services. See, we need help with what's occurring here. It's critically impacting many, many different practices across the country. So you get to March 1st. March 1st is now when allegedly the ransom is paid; about 22 million is paid out. Okay. March 5th comes along, HHS comes out and formally issues a statement that says, here's the deal as it relates to what we're aware of with the attack.

[00:06:58] In a plan to help the [00:07:00] providers better serve their patients, or in some cases serve their patients at all, with alternative electronic data interchange options being provided to them. So quickly, kind of helping move things along, right, to again minimize the impact of this. Other providers is an example of that. A couple days later, on the 7th of March, it's reported that Change Healthcare has the majority of their services back up and running for the prescription claims, at least, and payments are being restored.

[00:07:26] So again, a lot going on during that time, and, you know, a lot of collaboration going on between the industry, HHS, FBI, CISA involved, of course. And then the White House gets pulled in, of course, as part of this as well, because it's such a major impact. Yeah. And we'll get

[00:07:39] Stan Wisseman: more into that, right?

[00:07:40] That's right. But you know, just going back to the impact in general, I mean, this incident really did shake things up, Rob. I mean, it just shows how connected and fragile our healthcare system really is. I mean, it was a mess. Right. I mean, with every aspect of patient care getting hit hard and service delivery taking [00:08:00] a serious nosedive. I mean, hospitals, which were already pinching pennies, let's face it, they don't make a big margin, right?

[00:08:06] They found themselves in real financial peril. And we're talking about possibly losing millions every day. You know, I found this stat that Jackson Health System in Miami could have been out 30 million if they hadn't gotten fixed within a month. I mean, that kind of financial stress, you know, it wasn't just a hospital problem either.

[00:08:27] I mean, it really did trickle down throughout the whole healthcare supply chain, and, you know, patients ended up getting the short end of the stick as well, because they had to pay out of pocket for meds and treatments, because the usual processes for handling the insurance weren't working. I mean, they were actually feeling the impact of a cyber attack directly, even though they didn't know why.

[00:08:51] Right? And you hear these stories about folks who were struggling to get their hands on the medications that they needed. And you can't help but see the real human side of this whole [00:09:00] mess. And then there's the worry about, you know, personal healthcare data. And we've talked about this in other contexts before.

[00:09:06] I mean, I think we had Lewis Lerman on in episode 47. Yes. Talking about healthcare and how, as a CISO, he's trying to protect that data. Well, you know, all this information is out there that could be snatched by the hackers. And that could be a gold mine of data that could be used for years to come.

[00:09:24] And on top of that immediate mess, this whole situation, you know, certainly puts Change Healthcare in a tough spot legally, as well as reputation-wise. Right. I mean, it's a big wake-up call about the need to protect not just our data, but also trying to maintain that trust, you know, people have in the healthcare system.

[00:09:45] And I think that's why, you know, the White House got involved. Yeah, right. You know, so you're going to delve into that next step, that meeting that was held at the White House.

[00:09:55] Rob Aragao: Yes. So, to your point, on the 12th of March. So now the White House at [00:10:00] that point calls for this meeting to take place.

[00:10:01] It's amongst, you know, UnitedHealth, of course, and other healthcare leaders, insurance companies, provider associations, and of course government agencies, HHS, of course. And so, you know, they're going through and they're having these conversations as it relates to what's occurring. What can they do to obviously, you know, minimize that impact as well, but the bigger, broader view: just how vulnerable the healthcare sector is to cyber attacks, right?

[00:10:26] So how can we get ahead of this? One of the things that was kind of brought back up as a key area to focus their attention on was the emphasis on strengthening cyber resiliency, which obviously for you and I, Stan, is a key theme of what we've always discussed along, you know, since the launch of the podcast.

[00:10:41] And this came out of, again, HHS basically promoting, hey, listen, you really should be looking at implementing our cyber performance goals. So they've got this all laid out. You can go look at it online. We can post it in our show notes, of course, as well. But just trying to put more emphasis and focus on what people should be doing within this sector to be [00:11:00] more cyber resilient.

[00:11:01] The other thing that they were able to quickly move through and agree to was, just given the state that things were in at that point in time, they agreed: we're going to reduce, you know, the red tape involved in getting approvals put into place. We're going to provide accessible funding opportunities to deal with these advanced payments, right?

[00:11:17] They're going to try to get in front of this as much as possible while they're still dealing with it. And that's what they ultimately did. So I think that the key for me is it was a good example of very positive collaboration, right? Between government and industry coming together, just because of everything we've been

[00:11:32] Stan Wisseman: hearing.

[00:11:32] Yeah. On the stakeholders, right? I mean, it pulled people together, and I think they were willing to act, you know, more readily than otherwise, because now there's the recognition of the fragility of the system. You know, and in addition to some of the things dealing with the actual, you know, payment solutions and easing the whole billing requirements process and things like [00:12:00] that, immediate needs for attention to alleviate some of those pressures on the providers, and how you maintain patient care, on the cybersecurity front.

[00:12:08] One of the participants was the White House Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger. And she emphasized the interconnected nature of the healthcare ecosystem and underscored, as you said a second ago, that whole need for cyber resiliency, right?

[00:12:26] And that was great to have somebody really pushing that in that meeting, and that theme that we've beat that drum on for so many episodes, right? As far as the need for cyber resiliency. And she recommended adoption of the Department of Health and Human Services Healthcare and Public Health Cyber Performance Goals,

[00:12:50] as well as the Department of Labor's cybersecurity best practices. Now, when it comes to the HHS cybersecurity performance goals, or CPGs, I had not heard of [00:13:00] those before. Have you run across that before in any other context? Nope, this was the first time. Chances are our listeners haven't heard of them either, and I'll just go through that real quick.

[00:13:10] But the CPGs are currently a voluntary subset of cybersecurity practices for healthcare organizations, and healthcare delivery organizations in particular. And so this set of, you know, again, CPGs is intended to strengthen cyber preparedness there and trying to improve that cyber resiliency that we were just talking about, and ultimately protect patient health information and safety, but it's voluntary.

[00:13:37] And they're built off of some of the CPGs that CISA propagates, but they're trying to directly address some of the common attack vectors or patterns that we're seeing in hospitals. As identified, there was this HHS 405(d) program. Again, I hadn't heard of this before, but that program released a report last year on [00:14:00] hospital cyber resiliency landscape analysis.

[00:14:02] And so based on that report, there are specific vectors of attack in this context of the healthcare system, and, you know, again, this set of CPGs sort of represents what you need to do to mitigate those, right? And so, again, coming out of that White House meeting and moving forward, there seems to be a unanimous agreement on the need for healthcare organizations to ramp up their cybersecurity defenses and shift from a voluntary guideline kind of approach to more of a robust, enforceable standards

[00:14:34] approach, leveraging what's already been published. There may be some tweaking and stuff like that based on new attack data, right? But you know, the strategic pivot in my mind, what I'm seeing there, is that they're aiming to try to shift it more like the financial sector, where you're seeing

[00:14:51] a lot more, you know, mandatory requirements on financial institutions in that sector. Whereas healthcare, outside of HIPAA and HITECH, [00:15:00] has primarily been voluntary, based on what they think they can do, and budget is tight, so they can only do so much, blah, blah, blah. But, you know, this collaboration with government and private sector, you know, is sort of

[00:15:14] shifting us to be more of a mandatory status and, you know, really driving resiliency into the system. So I hope it, you know, is a good outcome of a terrible attack. You know, if we can embrace this kind of approach and ensure that the system and the supply chain takes advantage of some of the technology we know is available.

[00:15:40] It's just, honestly, you know, they can't necessarily afford it. And I think that, let's face it, going back to the point I made earlier about the budgets being tight on these entities in the healthcare sector, they're going to have to get some help on that infrastructure and some of the upgrades and technology in the context [00:16:00] of cyber.

[00:16:01] I don't know if that's going to come from the government, you know, that's kind of a broken system as well, as far as trying to find funding. Right. But, you know, if they shift us to mandatory, you know, the difference on finances. And in the healthcare sector, the healthcare priority is always patient care first, as it should be.

[00:16:20] It's just, you know, how you balance that budget priority between, like, cyber and patient care. I mean, it's going to be difficult. I don't know how

[00:16:29] Rob Aragao: they would be able to do it without some sort of government funding. I really don't, because, yeah, their margin is just so tight. You're absolutely

[00:16:36] Stan Wisseman: right.

[00:16:36] But you're talking about such a broad ecosystem too that you need to shore up. It's not just like, oh, we need to do this in the, you know, hospitals. No, it's also in the context of insurance and the triple, anyway. Yeah, for

[00:16:50] Rob Aragao: sure. Now let's just kind of talk about, as we bring it together, some different thoughts, right,

[00:16:54] and how they can become more resilient. And this goes back to the point you were just talking about: take [00:17:00] this bad situation and turn it into some sort of positive. The positive is basically you evolve, right? Which is the goal of the cyber resiliency framework. You evolve to improve.

[00:17:09] Improvement does require funding, of course, but just in some general practices, right? They can go in and make some changes that they're probably not necessarily doing across the board today. So if we think about some different things, potentially, right? That could be tied into maybe some approaches in how they're looking at the different software applications that they're developing, right?

[00:17:27] We had some conversations in the past around product security within the medical space. So Brett Harris, devices, right? Yeah, Brett Harris with Siemens Healthineers. We talked about that world and, again, how are you ensuring that it's properly coded for security and safety? Of course, right. You think about the proper policies in place and technologies to ensure that the authorized individuals are the ones that are gaining access to the sensitive healthcare information sets that are out there in system environments, right?

[00:17:55] This was another issue here. Goes back to unauthorized access. So [00:18:00] dealing with that as part of your identity and access management strategy, looking for where those particular gaps are, filling those gaps as part of that. A big aspect, of course, and you talked about it, that potential future negative ramification, of course, could be the PHI information that's going to be out there and available.

[00:18:16] So how do you properly have visibility to understand where that data actually resides? And is it being properly protected? Right? So again, looking at it from a data security and privacy scope, and then ultimately kind of the umbrella over the top, right? The right type of visibility to understand what's actually occurring, the right type of intelligence to be aware of what might be actually coming back your way, impacting other, you know, hospitals,

[00:18:39] healthcare providers, anything within the ecosystem of healthcare, and being able to quickly detect these things, quickly respond to them, and quickly recover, of course, is all a key aspect

[00:18:50] Stan Wisseman: of the principles. And to your point, I think that whole supply chain risk, and whether you put it into a formal program like a cyber software supply [00:19:00] chain risk management program or not, you do need to look at the whole ecosystem that you're working with, because these bad actors are leveraging the weakest link in that ecosystem to actually launch these attacks.

[00:19:13] For sure. 

[00:19:14] Rob Aragao: And I think the other thing is, we talk about it again, this is part of the educational process, right? So educating, more so within the healthcare space, the professionals that are behind the scenes on, you know, what the risks are. And not that they're not aware of them, but you continue to have to up-level them on what they're doing and some of the things that they can be doing better.

[00:19:30] The collaboration, to me, I think is another positive outcome that we're starting to see out of this, right? How quick they moved to come together, that was a great example of that. You hate that an event like that has to happen for something to occur, but, you know, sometimes again, it's a lesson learned, as long as they're going to be very proactive going forward.

[00:19:49] And then ultimately, you know, we go back to this theme of cyber resiliency, but it really is the key aspect of, you know, where the stakeholders across the ecosystem have to come to bear and understand that [00:20:00] it's important to really go through and follow those principles to achieve those cyber resiliency goals, and you will be that much better off from these types of situations potentially having such a major impact to you in the future.

[00:20:12] Stan Wisseman: Yeah, I think that, again, to bolster our healthcare system's defenses, you know, if we can identify, you know, as you just did, and act on actionable things to actually help organizations build that resiliency and foster that culture of being more vigilant, they don't make a difference.

[00:20:35] It's just, do we have the time? It is a cargo ship of great magnitude trying to turn in the channel. You know, healthcare has a history of not necessarily spending where it needs to on cybersecurity. And again, their priority is patient care as opposed to IT. [00:21:00] And many times they put, you know, cybersecurity in the IT

[00:21:03] budget. So to your point, I'm hopeful that, you know, given the wake-up call and given the collaboration, there'll be action. But I still wonder where the money is coming from. And again, it's not like it's going to rain from the government. I mean, they're not going to get the

[00:21:22] big bucks to be able to pull that off. So they'll have to shift some priorities. That they will, that they

[00:21:29] Rob Aragao: will. But you know, good topic conversation, something obviously very fresh in the news as to what we're seeing out there. I'll tell you what, though, Stan. I mean, again, it goes back to, what, August, September timeframe, the massive Caesars and MGM breach.

[00:21:42] Beginning of the year, I think we did an episode on the mother of all breaches in January. Right, right. Here we are, you know, within a mid-March timeframe. And this one's really critical. Again, you mentioned earlier, it goes down to the patient. It goes down to making it personal.

[00:21:56] You 

[00:21:56] Stan Wisseman: know, they recently, last month, they took down LockBit, you [00:22:00] know, speaking of ransomware-as-a-service operators. That was a big one that they've been targeting for a while. I wonder, you know, if they're going to have any success as far as the Alpha Black Cat, you know, targeting and takedown.

[00:22:15] I mean, some of these folks, I mean, even if you take down primary actors, they may have others that will pick it up. But this certainly would be a threat actor that you would think would be in the crosshairs of our friends at FBI and

[00:22:31] Rob Aragao: CISA. And they could be in the crosshairs of the bad guys too, because I don't know if you saw this, that the affiliate that supposedly was behind the scenes using ransomware as a service from Black Cat is not getting paid, did not get paid, and was actually going out there and outing them and saying, hey, this is part of your model.

[00:22:47] Pay up. Wow. 

[00:22:49] Stan Wisseman: I did not see that. Wow, interesting. 

[00:22:52] Rob Aragao: Yeah, we shall see. Stan, until next time.

[00:22:54] Stan Wisseman: Great discussion. Okay, Rob, see you next time. [00:23:00]

[00:23:38] Rob Aragao: Yeah. [00:24:00]

[00:24:00] So the first thing is the patient health, right? Not getting the prescriptions, not being able to get that. But then back to the whole impact on Change Healthcare, right? Are there lawsuits coming at them? Probably. Now, don't forget what I said earlier too. So HHS was able to help quickly move to pivot to other providers, basically competitors of theirs.

[00:24:23] Right. So they could go and actually issue, you're going to get those back. So another. Yeah.
