The Urgency of MFA: Lessons from the Change Healthcare Cyberattack

TL;DR
  • The Change Healthcare attack shows how one missing safeguard — MFA on a remote-access tool — helped open the door to a billion‑dollar breach and weeks of disruption.

  • Healthcare is a prime target, so basics like MFA, security awareness, and tested business continuity/disaster recovery plans are now non‑negotiable, not “nice to have.”

  • Reducing human error, hardening remote access, and preparing to operate through an incident are the clearest lessons for any healthcare organization from this breach.

Information released since the February 2024 ransomware attack on Change Healthcare reveals that Multi-Factor Authentication was not enforced on the remote-access tool attackers used to gain entry to the company's systems.


After the ransomware-related outage brought crucial healthcare reimbursement systems to a halt for providers across the country in late February 2024, all eyes were trained on the high-stakes investigation that followed.

The outage, which left providers and pharmacies unable to use their claims processing and reimbursement platform for more than three weeks in February and March, has been traced to an attack by BlackCat/ALPHV Ransomware Group. The attackers crippled Change Healthcare's systems, demanding a multi-million dollar ransom in exchange for the safe return of files and the restoration of system access.


The Cost of Security Negligence in Healthcare

Between the lengthy system outage impacting millions of transactions, incident response and recovery costs, and a ransom payment, Change Healthcare's parent company UnitedHealth Group has said that the total cost of the attack will likely exceed $1 billion. In its first-quarter reporting, UHG put the impact to date at $870 million, approximately $595 million of which was direct cost from the system outage and restoration period (WSJ Cybersecurity).

CSO Online reports that cryptocurrency transaction records indicate UHG paid a $22 million ransom. Paying did not prevent exposure: on April 22, UnitedHealth Group confirmed that Protected Health Information (PHI) and Personally Identifiable Information (PII) had been taken in the attack.

Apart from the direct costs to UnitedHealth Group, the impact to individuals is significant. UHG reports that the exposed files containing PHI & PII "could cover a substantial proportion of people in America", and that it will likely take several months before impacted individuals can be identified and notified of their exposed data.

As the US Department of Health & Human Services (HHS) investigated the breach, Congressional hearings began in April, with calls to mandate baseline security standards for the healthcare sector because of the national security risk posed by breaches of far-reaching, interconnected systems like Change Healthcare's.


Importance of Security Protections like MFA

Breach investigation reports now reveal that Multi-Factor Authentication was not enforced on the remote access application in use within Change Healthcare's systems. Compromised user credentials, with no second authentication factor required, were enough for the attackers to log in through the remote access tool and move quietly inside Change Healthcare's network, undetected for more than a week, before deploying the ransomware.


"Deploying MFA is non-negotiable. It's the front line in ensuring that users are who they claim to be."

- Mark Allen, Head of Cybersecurity | CloudCoCo


MFA is not a silver bullet, and it's not the only cybersecurity tool that should be protecting your business network. Still, with 74% of breaches involving a human element (including credential exposure, per Verizon's 2023 Data Breach Investigations Report), a second check at the login level is becoming more than a security best practice: it's a security necessity.


3 Key Takeaways for the Healthcare Industry

You've heard it before, we're sure, but it's true – healthcare is a top target for cyberattacks, whether you're a small, rural facility or a national provider. 

In 2022, Healthcare was identified as the most-breached industry by Kroll's Data Breach Outlook report. The reason? Not only is the payout lucrative for attackers if they succeed at obtaining PHI & PII, but the attack execution can often be easy. Kroll's 2023 report revealed that 28% of healthcare organizations still only invest in basic security protections, like monitoring. That makes for an easy breach from an attacker's perspective.

Three takeaways from the Change Healthcare attack and industry vulnerabilities it revealed include:

  1. Importance of Cyber Defense
    As a primary target, it's time to stop leaving the door open for attackers. Proactive protective measures strengthen your IT systems and help close the gaps that attackers seek out when preparing an attack.

  2. Limiting Human Error Through Security Awareness Training
    Missing MFA may have been the critical gap in this incident, but it was stolen employee credentials that gave the attack group a way to attempt access in the first place. Something as simple as a phishing email mistake or the reuse of a password could have put the employee's credentials in the attackers' hands. With an emphasis on security awareness and employee responsibility, human error-related exposures can be significantly decreased.

  3. Necessity of Business Continuity & Disaster Recovery Planning
    In the event that an attacker does find a way in, your ability to detect a breach and respond with resilience is dependent on your preparedness. Business Continuity should be a primary strategic focus long before you are faced with a cyber incident. 


The risks are high and the impact can be devastating if your organization falls victim to a large attack. If you need help prioritizing security within your healthcare IT strategy, Five Nines can help. Contact us today to collaborate with one of our experts. 

Frequently asked questions

What actually went wrong in the Change Healthcare attack?

Attackers used stolen user credentials to access a remote-access application that did not have multi-factor authentication (MFA) enabled, which let them into Change Healthcare's network. Once inside, they moved through the environment and exfiltrated sensitive data before deploying ransomware that encrypted systems and took claims processing offline for weeks.

How big was the impact of this incident?

UnitedHealth Group estimates that the total cost of the attack will exceed one billion dollars when combining direct outage and recovery costs, ransom payment, and broader business disruption. Beyond the financial hit to the company, the outage stalled reimbursement and claims services nationwide and exposed protected health information (PHI) and personally identifiable information (PII) for a potentially huge portion of the U.S. population.

Why is MFA such a big focus in the lessons learned?

Without MFA, stolen or guessed passwords are often enough for an attacker to log in through remote access tools or cloud services. In this case, compromised credentials combined with the absence of MFA allowed the threat actor to access internal systems undetected for more than a week. MFA is not a cure-all, but it blocks many attacks that rely on credential theft, especially in environments where remote access is required for normal operations.
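The login-level point made in the "Importance of Security Protections like MFA" section above and restated in this answer, shown as an added example that is not code from Change Healthcare, UnitedHealth Group, or Five Nines: a minimal remote-access gateway check in Python, before and after requiring a second factor. The same stolen password succeeds against the password-only login and fails against the version that also requires a TOTP code (RFC 6238), and the hardened version refuses accounts that have no second factor enrolled instead of silently falling back to password-only. The usernames, passwords and user directory are constructed for the example; the TOTP secret is the RFC 6238/4226 test-vector secret so the generated codes can be checked against the RFC tables.

```python
# Added example (not code from Change Healthcare, UnitedHealth Group or
# Five Nines): a remote-access gateway login check before and after
# requiring a second factor. Usernames, passwords and the user directory
# are constructed for illustration.
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically
    truncated to `digits` decimal digits (RFC 4226 section 5.3)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift.
    A wider window only makes replaying a stale code easier."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# A fixed salt keeps the example deterministic; a real directory stores a
# random per-user salt next to each hash.
_SALT = b"example-salt-not-for-production"

# Constructed user directory for the gateway. "jdoe" is enrolled in MFA;
# "svc-legacy" is the kind of account that gets left password-only.
USERS = {
    "jdoe": {
        "pw_hash": hash_password("Winter2024!", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    },
    "svc-legacy": {
        "pw_hash": hash_password("legacy-service-pw", _SALT),
        "totp_secret": None,  # no second factor enrolled: the gap in the breach
    },
}


def _password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    # Hash even for unknown users so timing does not reveal which names exist.
    candidate = hash_password(password, _SALT)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], candidate)


def login_password_only(user: str, password: str) -> bool:
    """BEFORE: the remote-access tool as described in the breach reports.
    A password obtained by phishing or reuse is all an attacker needs."""
    return _password_ok(user, password)


def login_with_mfa(user: str, password: str, otp, unix_time: int) -> str:
    """AFTER: password AND a valid TOTP. Accounts with no second factor
    enrolled are refused rather than falling back to password-only, so an
    unenrolled account cannot be the weak link."""
    if not _password_ok(user, password):
        return "denied: bad credentials"
    secret = USERS[user]["totp_secret"]
    if secret is None:
        return "denied: mfa not enrolled"
    if not otp or not verify_totp(secret, str(otp), unix_time):
        return "denied: bad second factor"
    return "allowed"


def accounts_missing_mfa() -> list:
    """The audit question to ask of every externally reachable system:
    which accounts can still log in with a password alone?"""
    return sorted(u for u, rec in USERS.items() if rec["totp_secret"] is None)


if __name__ == "__main__":
    stolen = "Winter2024!"  # e.g. phished or reused, as the article describes
    now = int(time.time())
    print("password-only, stolen password:", login_password_only("jdoe", stolen))
    print("with MFA, stolen password, no code:", login_with_mfa("jdoe", stolen, None, now))
    print("with MFA, stolen password, guessed code:", login_with_mfa("jdoe", stolen, "000000", now))
    legit_code = totp(USERS["jdoe"]["totp_secret"], now)
    print("with MFA, legitimate user:", login_with_mfa("jdoe", stolen, legit_code, now))
    print("unenrolled account:", login_with_mfa("svc-legacy", "legacy-service-pw", "123456", now))
    print("accounts still password-only:", accounts_missing_mfa())
```

Two design choices matter here. First, `login_with_mfa` fails closed: an account with nothing enrolled is denied rather than treated as "password is enough", because the unenrolled account is exactly the path described in the breach. Second, `accounts_missing_mfa` is the audit to run against every remote-access and cloud login surface; an enforcement policy that exists on paper but leaves service or legacy accounts unenrolled has not closed the gap.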

What does this mean for smaller or regional healthcare organizations?

The core lesson applies regardless of size: healthcare is one of the most targeted industries, and many organizations still rely mainly on basic protections, which makes them attractive, “easy” targets. Smaller facilities face the same types of threats but often have fewer resources, so focusing on fundamentals like MFA, security awareness training, strong backups, and a clear continuity plan is critical to reduce the impact of an incident when — not if — it happens.

What practical steps should a healthcare organization prioritize after reading about this breach?

Immediate priorities include enforcing MFA on everything exposed externally (especially remote access and cloud services), tightening security awareness training to reduce credential theft, and ensuring you have robust, tested business continuity and disaster recovery plans so you can keep operating if key systems go down. From there, expanding your security program with better monitoring, documented inventories of systems, and regular risk assessments will further strengthen your overall resilience.
