Change Healthcare Ransomware: What You Need to Know

In early 2024, a significant cyberattack struck the U.S. healthcare system, causing widespread disruptions and substantial financial losses. The attack not only impacted the company’s operations but also directly threatened patient health and safety.

Hackers targeted Change Healthcare, a key healthcare technology provider, with a ransomware attack that encrypted and immobilized large portions of the company’s systems. The attack cost the company $22 million, in addition to other losses incurred. 

This incident underscores the vulnerability of healthcare systems to cyber threats and the urgent need for proactive measures to protect against such attacks. Given the increasing prevalence of ransomware, it is crucial for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) to take steps to safeguard their clients.

In this blog, we’ll provide 5 actionable next steps for MSPs to prepare for and handle ransomware events with their clients. 

For a deeper dive, we encourage you to check out our webinar with Mike Wilkes, a seasoned CISO and the Director of Cyber Operations at The Security Agency, which offers a detailed analysis and key lessons learned.

Cynomi CEO, David Primor, and William Birchett, President of Logos Systems, discuss the Change Healthcare attack

What was the Change Healthcare Attack?

In February 2024, UnitedHealth Group’s Change Healthcare unit suffered a major ransomware attack that disrupted insurance claims’ processing services at numerous healthcare providers across the United States leading to significant delays in patient care and prescription processing​​​​.

The flow of payments to healthcare providers processed by Change Healthcare was brought to an abrupt halt as systems were taken offline in response to the attack. This caused significant disruption for clinics, pharmacies, and patients, leaving them unable to fulfill pre-authorized prescriptions or access insurance-covered medical treatments.

UnitedHealth, the parent company, swiftly responded by disconnecting the affected systems to contain the damage and paid a $22 million ransom in bitcoin to restore functionality. The company is still in the recovery process, working diligently to restore full operations and strengthen its defenses against future threats.

The Change Healthcare incident is part of a broader trend where cybercriminals exploit vulnerabilities in legitimate tools used by IT teams, and not malware, to launch attacks. In this case, attackers exploited a computer remote management tool used by the IT team. 

5 key takeaways for MSPs & MSSPs:

1. Governance and executive involvement: Focus on people, processes and tools – in that order

One of the most critical lessons for MSPs and MSSPs is the vital role of people and processes in cybersecurity. The new NIST Cybersecurity Framework 2.0 underscores this with its sixth category, “Govern,” highlighting its importance.

Rather than focusing solely on tools, service providers should prioritize involving executives in cybersecurity decisions and establishing clear processes. This approach ensures that cybersecurity is understood and supported at the highest levels, enabling the implementation of comprehensive security measures.

What to do:

1. Executive involvement: Involve executives (especially the board of directors) in cybersecurity decisions to ensure that cybersecurity is understood and supported at the senior  levels. Executives and employees, across all levels of the company, should be trained to enhance security awareness.
2. Clear Processes: Establish and share clear processes with all stakeholders is essential for effective cybersecurity. Processes can include the client documenting meeting minutes that show the board discussing cybersecurity and having a risk register to prioritize security risks.
3. Governance: Governance is critical for cybersecurity. Ensure clients have well-documented controls and processes in place, such as those outlined in the NIST cybersecurity framework

2. Risk Management and Compliance: Verify your clients’ WISP

Make sure your clients have a well-rehearsed and clear WISP (Written Information Security Plans). A WISP helps identify and manage risks effectively by outlining procedures for handling security incidents.

What to do:

• Create and/or verify WISP for your clients
• Ensure that clients understand that they are responsible for their own security and that you are responsible for providing security services and support

3. Shared Responsibility Model and SERP: Create a security incident response plan (SERP)

Ensure clients have a well-rehearsed Security Incident Response Plan (SERP), i.e. the “playbook” or “runbook” for handling security incidents. The SERP is a critical component of an organization’s security posture, as it ensures compliance, enables effective incident response, and clarifies the shared responsibilities between the MSP/MSSP and the client. 

The SERP outlines the procedures and framework for incident response and should be tested regularly to ensure that the organization can effectively detect, quarantine, and mitigate security incidents.

As an MSP or MSSP, you may be held responsible for security incidents that occur with your clients, even if the client should have been responsible. The shared responsibility model emphasizes that both the MSP/MSSP and the client are responsible for ensuring the security of the client’s infrastructure. This model should be clearly communicated to clients to avoid ambiguity and potential legal issues.

What to do: 

• Review and regularly test your clients’ SERP
• Communicate the shared responsibility model effectively to clients, emphasizing that both parties are responsible for ensuring the security of the client’s infrastructure.

4. Third Party Risk Management: Conduct Thorough Vendor Due Diligence

Assessing the security measures of third-party vendors is critical. Even if an organization has strong security, attackers will often target the weakest link, which is often a third-party provider, to gain access to the primary target. 

In the case of the Change Healthcare attack, the infrastructure of third-party providers like Okta was compromised, which then impacted Change Healthcare. In this case, the attack was a “fourth party breach event” (where an organization can be attacked through downstream business relationships and ownership structures) for the parent company United Health Group.

What to do: Ensure robust processes for identifying, monitoring, and mitigating third-party risks are in place.

5. Practice security hygiene

MSPs need to ensure their clients are constantly monitoring and updating their security processes across the company.

What to do (an initial  list of considerations):

• Ensure your clients implement MFA across all relevant systems.
• Adopt a zero trust security model and enforce strict verification processes for every access request.
• Regularly update and patch systems
• Make a list of all your remote management tools and ensure they’re securely configured and continuously monitored.

Healthcare ransomware is a growing and evolving threat that requires constant vigilance and proactive measures. By understanding the key points and lessons learned from recent incidents, MSPs and MSSPs can enhance their clients’ cybersecurity defenses and safeguard their critical operations. 

For more actionable advice on protecting your healthcare clients, check out our webinar.