The problem is that while everyone associates these hacks with big Russian companies or criminal gangs, this one happened because the server someone phished the credentials for didn't have 2FA, which wouldn't be hard for a layman to break into.
Well, from what I've heard, anyone could have gotten in. The security of the Change Healthcare application was pretty terrible. Having a jump server for remote access without the highest level of security is completely foolish. At the very least, multi-factor authentication should have been enabled and it should really only have been accessible via a one-time pass or some form of privileged access management. What Optum was trying to do was consolidate and rewrite the Change application, but they clearly didn't do any due diligence or a proper security risk assessment. They didn't even take corrective measures on security measures while migrating to new technology.
I believe this is not just a security failure, but also a failure of corporate governance. CISOs are often given the leftovers and told to make do. The same goes for the size of the security team and the money they have to spend on it. The CEO and the board want to declare windfall profits that will increase stock options and dividends.
Can you elaborate on how you would prevent similar ransomware attacks? And why does it take so long to investigate after an attack?
First, you need to understand what information assets you have on your network and what risk each poses to other systems and to the integrity of the network as a whole. Take an inventory, assess the risks, and then remediate the risks. This clearly wasn't done at UHG-Optum. Maybe they overlooked some assets, maybe their risk assessments and penetration testing were insufficient, who knows?
Second, you need to identify the attack quickly and stop it from spreading across your network. That means you need monitors watching. The faster you stop the attack, the less damage it can do. This is called “containment,” isolating systems and preserving forensic evidence for future prosecution. You then need to investigate which systems were compromised — where did the hacker go and what data did he touch?
Now, from what we've heard, the hackers had been in the systems for quite some time before they actually pulled the trigger and started encrypting.
They reportedly had been in Change Healthcare's system for nine days.
Yep, nine days. I mean, they had nine days to trawl through Change Healthcare's systems, so you can bet they were looking everywhere and sucking up all kinds of data from all kinds of places. A UBA (user behavior analytics) tool should have caught that activity and flagged it or blocked it outright.
From a digital forensics perspective, it takes a long time to actually track all the activity, make sure the logs weren't wiped, figure out what was touched, and figure out whose data was compromised. Then you can apologize, send letters to patients informing them that their data may have been accessed in error (HIPAA requirement), offer credit monitoring, and all that other stuff. That's the process.
We know that health care providers are concerned about whether HIPAA notices are being sent in a timely manner, and AMA research shows that Change Healthcare's outages are still impacting private practices and small hospitals, so what does this mean for them in the long term?
The impact of this breach is enormous. Some small hospitals will go out of business as a result. Hospitals will close and communities will be left without doctors, emergency rooms, stroke centers, and likely primary care practices. There are certainly many primary care physicians who will be greatly affected by this, and many small practices will never recover. And of course, patients are suffering, too. Some have not been able to get vital medications for months. Additionally, there are pharmacies that distributed medications to patients without insurance approval and are now trying to submit claims for payment manually.
This disruption will likely lead to further consolidation in health care services, because if these smaller hospitals go out of business, they will be bought up by larger companies.
Yes, that's true. Hundreds of small hospitals are closing. Over the past 15 years, more than 106 rural health systems have closed, and the pace is accelerating. In fact, I spoke at the NHRA Rural Health Clinic Conference in September about this very thing.
We see patients who have to drive hours to get to the emergency department. We see stage 3 and 4 cancer patients who cannot receive radiation or chemotherapy because all of the local cancer centers have closed for financial reasons. High-risk pregnancies are being neglected simply because patients live in rural areas with poor medical services and cannot drive two hours each way to see their obstetric care team.
And the Change Healthcare breach will only make the problem worse: More healthcare providers will be pushed into oblivion, which will leave many people with less access to care and poorer health as a result.