Q&A: Healthcare cybersecurity advocate fears damage from Change Healthcare breach has only begun
The Change Healthcare data breach has rocked the healthcare delivery ecosystem in the U.S. The attack took place in February but effectively brought reimbursement to a standstill for months. While claims are once again flowing, serious questions surrounding the effects of consolidation, the vulnerable state of cybersecurity at institutions and the long-term impact on the system remain.
HealthExec spoke on the topic to cybersecurity advocate Richard Staynings, chief security strategist for Cylera. Staynings is an author and lecturer at the University of Denver’s University College, where he teaches the next generation of cybersecurity experts. During his more than 25-year career, Staynings has advised numerous government and private industry leaders on their healthcare security strategy, serving as an expert witness during government hearings on many high-profile breaches.
Staynings believes the Change Healthcare attack speaks to the larger corruption at the core of the U.S. healthcare system, which he believes prioritizes short-term business interests over public service.
Editor’s Note: The following interview has been edited for clarity and concision.
HealthExec: Can you summarize your thoughts on the Change Healthcare hack and its impact on the healthcare system?
Staynings: I believe it's going to be a major line in the sand. This is a breach that is going to be remembered for a long time, and one that's going to be referenced for quite a considerable period for a number of reasons: Firstly, it shows us that consolidation within the healthcare industry has left us highly vulnerable to single points of failure, where a single cyberattack can impact nearly all US healthcare providers—and Change Healthcare is, most definitely, a single point of failure because it serves so many healthcare providers. Ninety-six percent of US providers were impacted by the attack, and more than a third were seriously impacted.
Secondly, I think there are some lessons to be learned here: We need to design more resiliency into networks so everyone has multiple redundant paths to the internet, and multiple application service providers that can be switched out quickly when one fails. And at the same time, I think UnitedHealth Group (UHG) needs to build a lot more resiliency into its services, given the criticality of what they're providing and just how much of the market they now dominate after years of unhindered consolidation. That’s a big concern.
It seems it would be hard to get Change Healthcare back up and running without rebuilding most of the technology. How are they going to restore the data they lost in the ransomware attack?
My understanding is that Change Healthcare was able to get cloud services back up and running, but they had a harder time with the legacy client server apps and data. Plus, they didn't have backups outside of what they inherited with the purchase. So, they're having to rebuild everything, essentially, and it’s going to take months and months to get all their historical data—even though they were stupid and paid the $22 million ransom. That's just a giant ad out there for every unemployed Russian to get a job hacking American hospitals.
I think the breach was a good lesson in a failure of due diligence prior to an acquisition: When UHG-Optum purchased Change Healthcare, plainly the due diligence was not conducted properly and risks were not identified for immediate remediation. Not sure if this was done internally or externally, but I would bet that both UHG and Congress will be looking into this very carefully to see what went wrong.
The breach is reflective of how a lot of these companies act when they put themselves up for sale: They run everything down to the ground in order to boost profits, cook the books, and make themselves look very, very attractive to potential buyers. Change hadn’t invested in its security for quite some time, by all accounts. It was running on minimal security.
That’s the thing, everyone associates these hacks with big Russian firms or crime syndicates, but this one was the result of a lack of 2FA on a server that someone phished the credentials for. It wouldn’t be difficult for an amateur to break in.
Well, anyone could have broken in, from what I hear. The security in the Change Healthcare application was pretty disastrous. And having a jump server—for remote access, without the highest levels of security, is plain stupid. At the very least this should have had multi-factor authentication enabled, and really it should have been only accessible via a one-time pass or some form of Privileged Access Management. What Optum was trying to do was to assimilate the change application and rewrite it, but they plainly hadn't done due diligence or a proper security risk assessment. They failed to even put remedial security measures in place, while they were migrating to new technology.
This was not just a failure of security but a failure in corporate governance, I suspect. CISOs (Chief Information Security Officers) often get the scraps thrown at them and told to make do. That goes for the size of the security team and the money it has to spend. CEOs and boards would much rather declare windfall profits which boosts their stock options and dividends.
Can you detail how a similar ransomware attack can be thwarted? And why is the post-attack investigation so time-consuming?
First, you need to understand what information assets you have on your network and what risks each of those poses to other systems and the integrity of the entire network. You inventory and risk assess, then you do risk remediation—something that evidently wasn’t done at UHG-Optum. Maybe they missed some assets, maybe they did a lousy risk assessment and pen test. Who knows.
Secondly, you have to identify an attack quickly, so you can stop the attack in its tracks to prevent it spreading laterally across the network. That means eyes on glass, and folks watching what is happening. If you stop the attack quickly, you limit the damage. It’s called ‘containment,’ meaning, you isolate systems, you preserve forensic evidence for a future prosecution—and then you need to investigate what systems were compromised, in other words ‘where did the hackers go and what data did they touch?’
Now, from what we are told, the hackers were in the system for quite a while before they actually pulled the trigger and started encrypting stuff.
They were inside Change Healthcare’s systems for nine days, reportedly.
Yeah, nine days. So they had nine days to roam around in Change Healthcare’s systems, and you can guarantee that they were looking everywhere and siphoning all kinds of data from various places. A UBA (User Behavioral Analysis) tool should have caught that activity and flagged it, if not outright blocked it.
From a digital forensics perspective, it takes a long time to actually trace all the activity, to make sure that logs haven't been erased, and figure out what was touched so that they know whose data has been compromised. Then they can apologize, send out letters—which is a HIPAA requirement—to notify patients that their data may have been inadvertently accessed, to provide credit monitoring, and everything else. That's the process.
I know providers are concerned about the HIPAA notifications being sent out in a timely manner. The AMA had a survey that showed Change Healthcare being down is still impacting independent physicians and smaller hospitals. What does this mean for them long-term?
Oh this breach is hugely impactful. There are small hospitals that will go bankrupt because of this. They will close their doors—and communities will be without doctors, without emergency rooms, without stroke centers, maybe primary care practices. There are certainly a lot of primary care physicians who are massively impacted by this, and a lot of smaller providers will never recover. And of course, patients have suffered too. Patients who were unable to get their life-sustaining drugs for a couple of months! Then there are the pharmacies who gave out drugs to patients without gaining insurance approval and are now trying to submit payment requests manually.
It seems like this chaos will result in more consolidation of healthcare services, because now—if these small hospitals go out of business—they're going to be purchased by larger firms.
Exactly. There are hundreds of small hospitals going out of business. More than 106 rural health systems have closed in the past 15 years and the pace is accelerating. In fact, I'm hoping to give a presentation to the NHRA Rural Health Clinic Conference in September on this very subject.
We're seeing patients having to drive several hours to get to an emergency room. We're seeing stage three, stage four cancer patients that can't get to radiotherapy and chemotherapy because they can't get to a hospital with those services, because all the local cancer centers are closed down for financial reasons. We are seeing high-risk pregnancies go unaddressed, simply because patients reside in rural settings without proper healthcare services and can’t drive 2 hours each way to see their obstetric care team.
And the Change Healthcare breach is going to exacerbate the problem. It's going to push more providers to the very edge of oblivion. This is going to make healthcare less accessible for a lot of people, and their health will suffer as a result.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.