Recovery of Change Healthcare's cybersecurity system draws criticism from cybersecurity professionals due to its prolonged duration

Over a month after UnitedHealth Group identified a breach in its medical claims clearinghouse, approximately 100 services remain inoperative. According to specialists, the repercussions are unparalleled.

The ransomware attack on Change Healthcare, a critical player in healthcare payments and claims processing, is causing nationwide disruption. The company, which was acquired by UnitedHealth Group for $13 billion in late 2022, touches 1 in 3 patient records. Over four weeks since the intrusion was detected, the medical claims network of Change Healthcare remains offline, despite the restoration of pharmacy prescription and electronic payment platforms earlier this month.

The lengthy outage following the cyberattack has drawn criticism from cybersecurity experts, who view the ongoing recovery as evidence of deficiencies in Change Healthcare's backup procedures and its preparedness to respond to cyberattacks. Brett Callow, a threat analyst at Emsisoft, expressed concern about the time taken to recover IT systems and the apparent lack of a backup plan. Recovering from a ransomware attack is a complicated endeavor, especially when malware or attacker footholds must be eradicated from many interconnected systems. Recovery at Change Healthcare may require a complete rebuild of its infrastructure from the ground up.

In the wake of this incident, it is crucial to emphasize the best practices for incident response and recovery in critical infrastructure sectors like healthcare payments and claims processing. These practices include a comprehensive, structured approach that emphasizes preparation, detection, containment, recovery, and continuous improvement.

Preparation and Policy Development

Establish clear incident response (IR) policies and playbooks tailored to the specific environment, including healthcare payment systems, which often operate in cloud or hybrid environments. Thoroughly train staff on incident recognition, reporting, and response roles, with particular focus on those handling sensitive healthcare payment and claims data.

Detection and Analysis

Deploy continuous monitoring tools and automated alert systems to quickly identify potential security incidents, including anomalous activity on cloud platforms or payment processing systems. Implement strong Identity and Access Management (IAM) policies, enforce multi-factor authentication (MFA), and utilize zero-trust principles to limit access strictly to necessary users.

Containment and Eradication

Quickly isolate affected systems to prevent lateral movement of threats. Use orchestration tools to automate initial containment steps, such as revoking compromised credentials or shutting down affected cloud resources.

Recovery

Restore operations gradually from verified clean backups, following a prioritized sequence that emphasizes the most critical healthcare payment and claims systems to minimize service disruption. Monitor systems post-recovery carefully for any signs of reinfection or persistent threats, and perform penetration testing or security validation before full system restoration. Maintain robust data protection by encrypting data at rest and in transit, and regularly test backup and disaster recovery procedures to ensure effectiveness.
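The two recovery steps above, verifying that backups are clean before use and restoring in a prioritized, dependency-aware sequence, can be expressed as a small restoration planner. This is an added illustration, not code from Change Healthcare or UnitedHealth Group; the system names, dependencies, criticality tiers and backup images are constructed, and the ordering (pharmacy and payment platforms before the claims network) mirrors the sequence the article describes.

```python
import hashlib

# Constructed manifest for a hypothetical claims-processing estate (not real data).
# Each system lists the systems that must be restored before it and a criticality
# tier (lower restores earlier), e.g. pharmacy and payments ahead of claims.
SYSTEMS = {
    "identity":   {"deps": [],                       "tier": 0},
    "pharmacy":   {"deps": ["identity"],             "tier": 1},
    "payments":   {"deps": ["identity"],             "tier": 1},
    "claims_api": {"deps": ["identity", "payments"], "tier": 2},
    "reporting":  {"deps": ["claims_api"],           "tier": 3},
}

# Constructed backup images (name -> bytes) and the SHA-256 recorded when each
# backup was taken. Real deployments would keep these hashes off-line/immutable.
BACKUPS = {name: f"image-of-{name}".encode() for name in SYSTEMS}
EXPECTED = {name: hashlib.sha256(data).hexdigest() for name, data in BACKUPS.items()}
# Simulate one backup that changed after its hash was recorded (corruption or tampering).
BACKUPS["reporting"] = b"image-of-reporting-MODIFIED"

def verify_backups(backups, expected):
    """Return the names whose current SHA-256 matches the recorded value."""
    return {n for n, d in backups.items()
            if hashlib.sha256(d).hexdigest() == expected[n]}

def restoration_order(systems, clean):
    """Kahn topological sort over dependencies, ties broken by criticality tier.
    A system whose backup failed verification, or that depends on a held system,
    is held back rather than restored, so a bad image never feeds a dependent."""
    indeg = {n: len(s["deps"]) for n, s in systems.items()}
    ready = sorted((n for n, d in indeg.items() if d == 0), key=lambda n: systems[n]["tier"])
    order, held = [], set()
    while ready:
        n = ready.pop(0)
        if n not in clean or any(d in held for d in systems[n]["deps"]):
            held.add(n)
        else:
            order.append(n)
        for m, s in systems.items():          # release dependents of n
            if n in s["deps"]:
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
                    ready.sort(key=lambda x: systems[x]["tier"])
    return order, held

if __name__ == "__main__":
    order, held = restoration_order(SYSTEMS, verify_backups(BACKUPS, EXPECTED))
    print("restore in order:", order)   # identity, pharmacy, payments, claims_api
    print("held for investigation:", held)  # {'reporting'}
```

Held systems are the ones that need a forensic look or an older, verified image before they re-enter the restoration queue.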

Communication and Compliance

Inform relevant stakeholders promptly, including internal teams, healthcare providers, payment networks, and regulatory bodies when applicable. Clear communication maintains transparency and fulfills compliance requirements.

Lessons Learned and Continuous Improvement

Conduct detailed post-incident reviews within two weeks of recovery to analyze what worked and what didn’t, including technical response, escalation, communication effectiveness, and resource allocation. Update incident response plans and security tools based on lessons learned to strengthen resilience against future incidents. Engage cross-functional teams—including IT, compliance, legal, and clinical stakeholders—in this process to ensure all aspects of incident management improve.

Sector-Specific Considerations

Critical infrastructure sectors such as healthcare payments require compliance with regulations like HIPAA and Payment Card Industry Data Security Standard (PCI DSS), which dictate strict controls on data privacy and security measures. Collaboration with government agencies like CISA enhances preparedness and leverages guidance specific to critical infrastructure protection, including emergency communication strategies and risk management tailored to healthcare and payment systems.

Thielemann argues that we need to cast a much broader net when defining critical infrastructure, as the case of Change Healthcare demonstrates. The impacts of the incident are beyond comparison, according to Chris Henderson, senior director of threat operations at Huntress. The attack impacted the entire healthcare supply chain without needing to deliver ransomware through the chain. Thielemann suggests that our threat modeling in every industry needs to ferret out centers of gravity away from the obvious, in this case a claims clearinghouse.

UnitedHealth Group CEO Andrew Witty stated that they are making significant progress in restoring the services impacted by the cyberattack. UnitedHealth Group is working aggressively to restore systems and services, and is enacting manual processes where possible. This week, the company started "testing and reestablishing connectivity in a phased manner" to its claims network.

The City of Dallas and Prospect Medical Holdings both took over a month to fully resume operations after they were hit by ransomware attacks last year. As the recovery at Change Healthcare continues, it serves as a reminder of the importance of robust incident response and recovery practices in critical infrastructure sectors.

  1. The ongoing cybersecurity incident at Change Healthcare, a significant player in healthcare payments and claims processing, has highlighted the importance of robust incident response strategies, particularly in critical infrastructure sectors.
  2. Thorough preparation for potential cybersecurity incidents is crucial, including establishing clear incident response policies and playbooks for complex environments like healthcare payment systems, training staff on incident recognition and response roles, and regularly testing backup and disaster recovery procedures.
  3. Swift detection and analysis is equally vital, utilizing continuous monitoring tools, automated alert systems, strong Identity and Access Management practices, and zero-trust principles to minimize the risk of security breaches.
  4. Effective containment and eradication involve quick isolation of affected systems, automated initial containment steps, and meticulous post-recovery monitoring to ensure complete removal of threats and persistent risks.
