Cybersecurity professionals criticize prolonged recovery process of Change Healthcare after data breach incident
The cyberattack on UnitedHealth Group's medical claims and payment processing platform, which was acquired from Change Healthcare last year for $13 billion, remains unresolved four weeks after it was discovered. The prolonged outage is drawing criticism from cybersecurity experts, who view the ongoing recovery as evidence of deficiencies in Change's backup procedures and response to cyberattacks.
Andrew Witty, CEO of UnitedHealth Group, has stated that significant progress is being made in restoring the services impacted by the attack. However, the company has not provided a timeline for full operational recovery.
Katell Thielemann, a distinguished VP analyst at Gartner, expressed concern over the duration of Change's response and recovery time, stating that it calls into question whether resilience best practices were in place. Thielemann also urged companies to immediately elevate response and recovery as a core focus area in today's threat landscape.
The impacts of the Change incident are beyond comparison in the modern era of cybersecurity, according to experts. More than 110 services on Change Healthcare's IT infrastructure remain offline, and about 20 have resumed operations. Brett Callow, a threat analyst at Emsisoft, stated that a critical service like Change's should have a worst-case recovery time of less than four weeks.
The current cyberattack on Change Healthcare has caused national disruption. The attack impacted the entire healthcare supply chain without needing to deliver ransomware through the chain. As the role of CISOs evolves, corporate stakeholders want to better understand the risk calculus of their technology stacks.
Decades of industry consolidation and digital transformation efforts have created enormous concentration risks. Threat modeling in every industry needs to ferret out centers of gravity away from the obvious, in this case a claims clearinghouse.
The common deficiencies in backup procedures and response strategies evidenced by the extended recovery time of Change Healthcare's services include poor preparedness for rapid recovery, inadequate cybersecurity defenses, inefficient incident response planning, and reliance on legacy systems. These issues contributed to the almost 9-month duration to restore services following the ransomware attack in February 2024, far exceeding the industry average recovery time of about 7.34 months.
The lack of rapid recovery planning, failure to implement industry-standard cybersecurity defenses, dependency on legacy technology, inadequate incident response and communication, and extended financial impact due to disrupted provider billing are key factors that have prolonged the recovery and disruption.
Despite increased investments in healthcare cybersecurity, breaches remain frequent and costly, highlighting ongoing vulnerabilities in defense strategies and recovery preparedness. The Change Healthcare incident exemplifies how third-party ransomware attacks can cripple healthcare infrastructure when backup, recovery, and response strategies are insufficiently robust.
UnitedHealth Group is working aggressively to restore systems and services, and is enacting manual processes where possible. The costs and impacts on patients and other providers from the cyberattack are extraordinary, and the company is likely to face scrutiny and calls for accountability in the coming weeks.
- The ongoing ransomware attack on Change Healthcare's platform, which was acquired by UnitedHealth Group last year, has elicited criticism from cybersecurity experts, who view the prolonged recovery as evidence of deficiencies in Change's backup procedures and response to cyberattacks.
- The current cyberattack on Change Healthcare, which impacted the entire healthcare supply chain, has brought to light the evolving role of CISOs, with corporate stakeholders wanting to better understand the risk calculus of their technology stacks.
- The ongoing incident at Change Healthcare has highlighted persistent vulnerabilities in defense strategies and recovery preparedness, as breaches remain frequent and costly despite increased investments in healthcare cybersecurity.
- The common deficiencies in backup procedures and response strategies, such as poor preparedness for rapid recovery, inadequate cybersecurity defenses, inefficient incident response planning, and reliance on legacy systems, have contributed to the almost 9-month duration to restore services following the ransomware attack.
- In today's threat landscape, companies are urged to immediately elevate response and recovery as a core focus area, as evidenced by the current incident at Change Healthcare, which calls into question whether resilience best practices were in place.
- Threat modeling in every industry needs to be more vigilant in ferreting out centers of gravity away from the obvious, as demonstrated by the Change Healthcare incident, where a critical service like a claims clearinghouse was vulnerable to ransomware attacks.