
Road to Recovery: 4 Questions in the Wake of the Change Healthcare Ransomware Attack

Navigating healthcare's ransomware fallout, spotlighting Change Healthcare and its parent company, insurance giant UnitedHealth Group.

The healthcare industry continues to grapple with the ramifications of the Feb. 21, 2024 ransomware attack against medical claim processing company Change Healthcare and its parent company, insurance giant UnitedHealth Group. The disturbing incident severely disrupted the flow of pharmaceutical drugs to patients, risking the well-being of millions. In the coming months, health leaders, cyber experts and government leaders will need to ascertain what transpired, assess the damage and respond accordingly.

Here are four questions that must be answered moving forward:

1. Will any significant casualties be directly tied to the ransomware incident?

Following the attack, patients struggled to receive vital medicines, as UnitedHealth was unable to process electronic payments and medical claims, and pharmacies contended with what the American Pharmacists Association described as “backlogs of prescriptions.” Some patients couldn’t afford to pay full price for drugs that would normally be discounted. In other cases, prescriptions were outright unavailable. Further investigation is warranted to determine whether this denial of care caused any patients to severely decline in health. The degree to which patients’ personal data was violated is also still being determined.

There was also economic damage inflicted on care providers, including smaller pharmacies and health centers in underserved communities that struggled to absorb the financial blow. In early April, UnitedHealth Group revealed that it loaned over $4.7 billion to bail out healthcare providers in need.

2. Did UnitedHealth Group pay the ransom, and if so, will that encourage future attacks?

In early March, several news reports referenced a post on a cybercriminal forum that said the group behind the attack – AlphV/BlackCat – received a $22 million ransom payment from UnitedHealth Group. The company has not confirmed this, however.

For victimized organizations, paying the ransom can be a shortcut back to normalcy – and restoring care to patients was of paramount importance in this case. But bending to the attackers’ demands can encourage further attacks because cybercriminals can see that such efforts pay off.

3. What was the attack vector and how preventable was the intrusion?

Citing cyber intelligence and research sources, some reports – including a bulletin from Health-ISAC – initially identified the attack vector as a vulnerability in ConnectWise ScreenConnect remote desktop software. However, UnitedHealth has not confirmed this, and ConnectWise issued a statement denying that its product was connected to the ransomware event.

Remote desktop software is a great convenience to IT teams that need to apply patches and updates to globally distributed devices; however, it must be robustly secured, or these applications can open the door to damaging intrusions. It bears watching to see if remote desktop software was the genuine entry point in this case or just a red herring.

4. Was incident response handled responsibly, and can further measures be put in place to ensure that claims processing and drug distribution are less prone to disruption?

UnitedHealth’s incident response will undoubtedly be scrutinized by regulators. In fact, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) already announced that it would investigate if Change Healthcare complied with HIPAA rules throughout the course of the incident.

The attack exposed the ripple effect that can occur when ransomware affects a company that conducts business with a large swath of third-party partners. Clearly, healthcare leaders will need to take stock of weaknesses within the drug supply chain and ensure that stakeholders introduce reliable downtime procedures and robust business continuity and disaster recovery measures. 

Back in mid-March, members of the Biden administration and health insurance companies met to devise strategies for mitigating further damage from the attack. Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, encouraged insurers to adopt HHS’ Healthcare and Public Health Cyber Performance Goals – a voluntary set of practices designed to improve cyber preparedness and resiliency – with the understanding that the healthcare industry must be better prepared for the next incident.  
