Cyberattack on Change Healthcare: 5 key technical insights from the testimony of UnitedHealth CEO
In a significant cybersecurity incident, UnitedHealth Group, one of the largest healthcare companies in the world, suffered a ransomware attack on its subsidiary, Change Healthcare, in February 2024. The intrusion began on February 12, 2024, when the attacker first logged in with compromised credentials; the ransomware itself was deployed nine days later. The attack resulted in the theft and encryption of data potentially covering a third of U.S. residents [1][6].
The incident began with the attacker gaining access to Change's remote access server using stolen credentials [2]. No software vulnerability was needed: the weakness was the lack of multifactor authentication (MFA) on Change Healthcare's Citrix portal, which provided remote access to desktops, so a valid username and password alone was enough to log in [15]. This configuration gap allowed the attackers to enter the network easily and then move laterally and exfiltrate data before deploying ransomware [3][5].
The absence of MFA on the portal, a direct factor in the attack's impact [1], is currently under investigation. It is unclear why MFA was not enabled: a policy decision, a technical limitation, or an oversight [17]. Whatever the cause, the incident underscores the importance of MFA on every externally reachable login, a security control increasingly emphasized in updated HIPAA regulations to mitigate ransomware risk [1].
UnitedHealth Group took swift action to contain the breach. Upon discovering the attack, it immediately disconnected Change from all other systems, preventing the ransomware from spreading to other providers or networks [12]. It also engaged at least seven incident response firms and third-party cybersecurity experts to help respond to and recover from the attack [3].
The recovery effort took longer than expected because Change's platform had to be rebuilt from scratch using modern, cloud-based technologies [14]. UnitedHealth Group is now moving more of Change's data to the cloud as part of its efforts to improve security [7].
In a positive development, UnitedHealth Group has, as of the CEO's testimony, enabled MFA on all of its external-facing systems [16]. It has also asked Mandiant, one of the incident response firms it called in, to serve as a permanent adviser to its board to strengthen cybersecurity oversight and strategy [11].
Despite these efforts, the current status of Change Healthcare's IT environment and the extent of the data breach remain unclear [20]. No information about the ransom demand or whether a ransom was paid is available [19]. Google, Microsoft, Cisco, and Amazon also provided assistance with the recovery, advisory, and testing efforts related to the attack [5].
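The two MFA points above, the single-factor Citrix portal that let stolen credentials in and the later claim that MFA is now enforced on every external-facing system, both come down to one audit: does any session on an external portal get established without a second factor? The script below is an added example written for this article, not code from UnitedHealth Group, Change Healthcare, Citrix, or any of the firms named. The log format and the sample lines are constructed for illustration (real Citrix Gateway/NetScaler or VPN logs differ and need their own parser); it flags sessions that started with no MFA success, sessions that started after an MFA failure, and sessions that try to reuse an MFA challenge already consumed by an earlier session.

```python
"""Audit remote-access portal authentication logs for sessions that were
established without a second factor.

Added example for this article, not code from UnitedHealth Group, Change
Healthcare, Citrix, or any of the firms named above. The log format and the
sample lines are constructed; real gateway logs need their own parser.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format):
#   <ISO timestamp> event=<name> user=<id> src=<ip> portal=<gateway name>
# Events: password_ok, mfa_ok, mfa_fail, session_start.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z event=password_ok user=jsmith src=203.0.113.45 portal=vpn-east
2024-02-12T03:14:09Z event=mfa_ok user=jsmith src=203.0.113.45 portal=vpn-east
2024-02-12T03:14:10Z event=session_start user=jsmith src=203.0.113.45 portal=vpn-east
2024-02-12T03:21:55Z event=password_ok user=svc_backup src=198.51.100.7 portal=citrix-legacy
2024-02-12T03:21:56Z event=session_start user=svc_backup src=198.51.100.7 portal=citrix-legacy
2024-02-12T04:02:13Z event=password_ok user=alee src=192.0.2.99 portal=citrix-legacy
2024-02-12T04:02:14Z event=mfa_fail user=alee src=192.0.2.99 portal=citrix-legacy
2024-02-12T04:02:15Z event=session_start user=alee src=192.0.2.99 portal=citrix-legacy
2024-02-12T05:30:00Z event=password_ok user=bgarcia src=203.0.113.9 portal=vpn-east
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) portal=(?P<portal>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    portal: str
    user: str
    src: str
    session_at: datetime
    reason: str


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit(log_text: str, window: timedelta = timedelta(minutes=5)):
    """Return (findings, summary).

    A session_start is acceptable only if the same (portal, user, src) produced
    an mfa_ok within `window` before it. Each mfa_ok is consumed by exactly one
    session, so a second session cannot ride on an earlier challenge.
    summary maps portal -> {"sessions": n, "single_factor": m}.
    """
    records = sorted(
        (r for r in map(parse_line, log_text.splitlines()) if r is not None),
        key=lambda r: r["ts"],
    )
    pending_mfa_ok: dict[tuple, datetime] = {}
    last_mfa_fail: dict[tuple, datetime] = {}
    findings: list[Finding] = []
    summary = defaultdict(lambda: {"sessions": 0, "single_factor": 0})

    for rec in records:
        key = (rec["portal"], rec["user"], rec["src"])
        ev, ts = rec["event"], rec["ts"]
        if ev == "mfa_ok":
            pending_mfa_ok[key] = ts
        elif ev == "mfa_fail":
            last_mfa_fail[key] = ts
        elif ev == "session_start":
            summary[rec["portal"]]["sessions"] += 1
            ok_at = pending_mfa_ok.pop(key, None)  # consume the challenge
            if ok_at is not None and ts - ok_at <= window:
                continue  # second factor verified: not a finding
            fail_at = last_mfa_fail.get(key)
            if fail_at is not None and ts - fail_at <= window:
                reason = "session started after MFA failure"
            else:
                reason = "no MFA event before session"
            summary[rec["portal"]]["single_factor"] += 1
            findings.append(Finding(rec["portal"], rec["user"], rec["src"], ts, reason))
    return findings, dict(summary)


def portals_not_enforcing_mfa(summary) -> list[str]:
    """Portals with at least one single-factor session: the gaps to close first."""
    return sorted(p for p, c in summary.items() if c["single_factor"] > 0)


if __name__ == "__main__":
    found, per_portal = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.session_at:%Y-%m-%dT%H:%M:%SZ} {f.portal:14} {f.user:12} {f.src:15} {f.reason}")
    print("portals not enforcing MFA:", portals_not_enforcing_mfa(per_portal))
```

On the constructed sample the `vpn-east` gateway is clean, while `citrix-legacy` shows two single-factor sessions: a service account that was never challenged at all, and a user whose session started even though the MFA step failed, which points at a policy that treats MFA as optional rather than at a missing enrolment. Keying on (portal, user, source address) rather than on the user alone matters in practice: a stolen password used from an attacker's address must not inherit an MFA success the legitimate user obtained from elsewhere.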
This incident serves as a reminder of the importance of robust cybersecurity measures. Organizations should prioritize basic controls like MFA on every remote-access entry point to protect sensitive data and prevent similar breaches.
- The attackers exploited a configuration gap, not a software flaw: Change Healthcare's Citrix remote-access portal lacked multifactor authentication (MFA), so stolen credentials alone were enough to get in. MFA is a control that updated HIPAA regulations increasingly emphasize to mitigate ransomware risk.
- UnitedHealth Group has since enabled MFA on all of its external-facing systems and has asked Mandiant, one of the incident response firms it engaged, to serve as a permanent adviser to its board to strengthen cybersecurity oversight and strategy.
- Recovery was prolonged because Change Healthcare's platform had to be rebuilt from scratch on modern, cloud-based technologies; UnitedHealth Group is now moving more of Change's data to the cloud to improve security.
- Despite UnitedHealth Group's swift containment, disconnecting Change from all other systems on discovery, engaging incident response firms, and rebuilding the platform, the current status of Change Healthcare's IT environment and the extent of the data breach remain unclear, and no information is available about the ransom demand or whether a ransom was paid.