Change Healthcare's 2024 Ransomware Attack: A Wake-Up Call for Healthcare Cybersecurity
Executive Summary
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a significant ransomware attack orchestrated by the Russian group ALPHV (BlackCat). The attackers exploited a server lacking multifactor authentication, gaining unauthorized access and encrypting critical systems. This breach disrupted essential healthcare operations nationwide, including insurance eligibility verification, prescription processing, and claims management, affecting approximately 190 million individuals. The incident underscored the vulnerabilities in third-party service providers within the healthcare sector, prompting the Department of Health and Human Services to intensify efforts in identifying and mitigating such risks. The attack's magnitude and impact have led to increased regulatory scrutiny and a reevaluation of cybersecurity practices across the industry.
Why This Matters Now
The Change Healthcare breach highlights the critical need for robust cybersecurity measures, especially in third-party vendors integral to healthcare operations. As cyber threats evolve, ensuring comprehensive security protocols, including multifactor authentication, is imperative to protect sensitive patient data and maintain the integrity of healthcare services.
Attack Path Analysis
In February 2024, attackers exploited a Citrix remote access portal lacking multi-factor authentication to gain initial access to Change Healthcare's network. They escalated privileges by creating administrative accounts, enabling deeper system control. The attackers moved laterally across the network, mapping systems and exfiltrating approximately 6TB of sensitive data. They established command and control channels to maintain persistent access and coordinate their activities. The attackers exfiltrated vast amounts of protected health information and personally identifiable information. Finally, they deployed ransomware, encrypting critical systems and causing widespread operational disruptions across the U.S. healthcare sector.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a Citrix remote access portal lacking multi-factor authentication to gain initial access to Change Healthcare's network.
MITRE ATT&CK® Techniques
Valid Accounts
Exploitation of Remote Services
Multi-Factor Authentication
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
HIPAA – Risk Analysis
Control ID: 164.308(a)(1)(ii)(A)
HIPAA – Risk Management
Control ID: 164.308(a)(1)(ii)(B)
HIPAA – Unique User Identification
Control ID: 164.312(a)(2)(i)
HIPAA – Person or Entity Authentication
Control ID: 164.312(d)
NIST CSF – Threat and Vulnerability Identification
Control ID: ID.RA-3
NIST CSF – Least Privilege
Control ID: PR.AC-7
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Primary target experiencing massive supply-chain vulnerabilities through third-party vendors, requiring enhanced segmentation, encryption, and zero trust controls per HIPAA compliance.
Information Technology/IT
Third-party IT service providers face elevated scrutiny as supply-chain attack vectors, necessitating robust egress security and multicloud visibility capabilities.
Insurance
Healthcare insurers and payment processors vulnerable to supply-chain compromises affecting 190 million records, requiring enhanced threat detection and anomaly response systems.
Financial Services
Healthcare payment ecosystems threatened by supply-chain attacks disrupting sector liquidity, demanding strengthened east-west traffic security and policy enforcement controls.
Sources
- HHS burrows into identifying risks to health sector from third-party vendorshttps://cyberscoop.com/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors/Verified
- Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Fieldhttps://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-andVerified
- Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEOhttps://techcrunch.com/2024/04/30/uhg-change-healthcare-ransomware-compromised-credentials-mfa/Verified
- UnitedHealth hikes number of Change cyberattack breach victims to 190 millionhttps://www.healthcaredive.com/news/change-healthcare-cyberattack-affects-190-million-unitedhealth/738351/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's lateral movement and data exfiltration, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited to the compromised portal, reducing their ability to move further into the network.
Control: Zero Trust Segmentation
Mitigation: The creation and use of unauthorized administrative accounts could have been restricted, limiting the attacker's control over critical systems.
Control: East-West Traffic Security
Mitigation: Lateral movement within the network may have been constrained, reducing the attacker's ability to access and exfiltrate sensitive data.
Control: Multicloud Visibility & Control
Mitigation: Establishment of command and control channels could have been detected and restricted, limiting the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts may have been identified and restricted, reducing the volume of sensitive information accessed by the attacker.
The deployment of ransomware could have been limited to isolated segments, reducing the overall operational impact.
Impact at a Glance
Affected Business Functions
- Claims Processing
- Billing
- Pharmacy Benefit Transactions
- Insurance Eligibility Verification
Estimated downtime: 60 days
Estimated loss: $2,880,000,000
Personal health information of approximately 190 million individuals, including names, addresses, Social Security numbers, and medical records.
Recommended Actions
Key Takeaways & Next Steps
- • Implement multi-factor authentication (MFA) on all remote access portals to prevent unauthorized access.
- • Deploy Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Utilize East-West Traffic Security to monitor and control internal traffic, detecting unauthorized movements.
- • Establish comprehensive Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
