Enterprise Risk Management

Lessons learned from the Change experience

June 2, 2024 6:56 am

As is now well known, Change Healthcare, a 2022 acquisition by UnitedHealth Group (UHG), was hacked this past February. For nine days, hackers were able to gain access to and maneuver through Change Healthcare’s files at will before it became clear that the system had been compromised. According to a report from the Congressional Research Service, a ransomware group called ALPHV (or Black Cat) claimed responsibility for the attack.a

The intrusion occurred using compromised credentials in Change Healthcare that did not fully rely on multifactor authentication, which has become the norm for companies using best practices in cybersecurity.b Ultimately, UHG paid a ransom of $22 million to have its files released and returned to its control.

Change Healthcare’s vulnerability

Change Healthcare is a company that many individuals had not heard of before the cyberattack . It covers large numbers of transactions — about 15 billion per year — accounting for about 30% of health records.c

It was the combination of being a “back-room” company, which means it was providing services to other companies to help them run their businesses, and being relatively unknown before the intrusion. It is the number of records that were affected and by a company that most people had never heard of that has caused so much consternation among the public and in Congress. That — along with the rapid growth in acquisitions that UHG has been pursuing — brought the company more attention than it desired.

Questions about UHG

As a result of the hack, the number of people affected and the inconvenience imposed on so many businesses and individuals, some members in Congress are once again questioning whether UHG has grown too large and should be broken up into smaller, stand-alone companies.

Concerns about the size of UHG stem from its substantial reported revenues, totaling about $359 billion in 2023, and its high ranking among the world’s largest companies (eighth place by revenue as of March 2024).d These concerns have become an issue not only for only for Democrats who have challenged large corporations in the past — including Ron Wyden (D-Ore.) and Elizabeth Warren (D-Mass.) — but now also by Republicans, including Bill Cassidy (R-La.) and John Barrasso (R-Wyo.).

The $6.5 billion of no-interest loans UHG advanced to practices that were affected by the cyberattack has seemed to do little to placate these angry senators. Despite the assurance by Andrew Witty, UHG CEO, during recent Senate hearings that the company had enabled multifactor authentication on all its systems, it still drew strong criticism from the Senate Finance Committee.e

Better vigilance to come?

It is also not clear that all of the publicity about the size and ramifications of the Change Healthcare attacks has increased vigilance among American companies to a level where intrusions are any less of an active threat. As recently as May 8, Ascension Health — a St. Louis-based not-for-profit network that includes 140 hospitals and 40 senior living facilities — reported a cyberattack to its healthcare system, which disrupted access to its electronic health records and various other systems used to order tests, procedures and medications.f This most recent attack used ransomware, deployed by “Black Basta,” a Russian-speaking group, which reportedly has been used in increased cyberattacks against the healthcare sector.g

Given how many systems and institutions continue to leave themselves vulnerable to attack and the ultimate willingness of many of these institutions to pay a ransom to release their systems, it is hard to image this problem getting better. And perhaps it is only surprising that it has not gotten worse.

The critical need for better business practices

The Change Healthcare intrusion occurred because basic good business practices — particularly the use of multifactor authentication — were not followed uniformly everywhere in the company. That the cyberattack was allowed to occur indicates a failure of both internal and external audits.

Proper training is a major requirement. Frequent updates to training, including testing with mock phishing e-mails to employees, should be fully embraced as part of good business practices. Whatever time is lost by frequent repeat training will be more than recompensed by prevention of a single cyber intrusion. There is no clear substitute for thorough and repeated training sessions.

The top 10 cyberattack mitigation strategies described by the U.S. National Security Agency include the following points among other guidance:h

  • Take inventory of all network devices and software.
  • Remove any unwanted or unneeded hardware and software from the network.
  • Update and upgrade software when updates become available, and automate the process when possible.

Take notice: Whatever short-term savings an organization enjoys by not pursuing appropriate upgrading will be more than lost if and —possibly more likely —when a cyber intrusion occurs.

Time to acknowledge the true risk

Even organizations that engage in appropriate training and software updates may still find themselves getting hacked. Being able to rapidly respond to and mitigate any attacks that occur, including having the ability to back up data, will remain an important part of modern business strategy.

The recent attack on Change Healthcare indicates that even normally well-managed companies like UHG are vulnerable to basic cybersecurity intrusions. Both Congress and the public are quickly losing tolerance to the continued vulnerability of companies to such intrusions and their consequences. 

Footnotes

a. Congressional Research Service, “The Change Healthcare cyberattack and response considerations for policymakers,” Insight, April 24, 2024.
b. Associated Press, “Change Healthcare cyberattack was due to a lack of multifactor authentication, UnitedHealth CEO says,” May 1, 2024.
c. American Economic Liberties Project, “Change Healthcare cyberattack fact sheet,” March 12, 2024.
d. Vankar, P.,  UnitedHealth Group – Statistics and Facts, Statista, March 19, 2024.
e. Franceschi-Bicchierai, L., “UnitedHealth CEO tells Senate all systems now have multi-factor authentication after hack,” TechCrunch, May 1, 2024.
f. WNEM Digital, “Ascension healthcare system investigates cyber security event,” May 8, 2024.
g. Kobus, P., “Black Basta behind ransomware attack on Ascension,” Healthcare Innovation, May 15, 2024.
h. National Security Agency, “NSA’s top ten cybersecurity mitigation strategies,” March 2018.

Advertisements

googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );