Healthcare Faces Uncertainty Amid Change Healthcare Cyberattack

February 28, 2024 - UPDATE 2/29/2024 - BlackCat/ALPHV has claimed responsibility for the attack and denied using the ConnectWise vulnerabilities for initial access.

Healthcare organizations everywhere are feeling the impact of the Change Healthcare cyberattack, which began on February 21st. At the time of publication, Change Healthcare, which is part of Optum and owned by UnitedHealth Group, had shut down more than 111 services as it works to restore systems. Fortunately, Change Healthcare said it had a high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems were not impacted by this incident.

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” Change Healthcare stated on its seventh day of outages.

Meanwhile, healthcare organizations are in limbo as they work to maintain business continuity without access to important services, such as claims processing for prescriptions.

As healthcare organizations grapple with maintaining operations and fulfilling prescriptions, government agencies and security researchers are working to disseminate indicators of compromise (IOCs) and prevent other organizations from falling victim to the same tactics.

Right now, keeping up-to-date on the latest security advisories, patching vulnerabilities, and maintaining business continuity remain paramount to getting through this event as a sector.

What We Know About the Change Healthcare Cyberattack, So Far

A few days after the cyberattack, the Health Information Sharing and Analysis Center (Health-ISAC) released a bulletin outlining several IOCs and information from cyber intelligence firm RedSense.

RedSense deduced that Change Healthcare had fallen victim to the exploitation of recently announced vulnerabilities in ConnectWise’s ScreenConnect, a remote desktop software application. However, as the incident is still under investigation, RedSense was not able to confirm the details within the Health-ISAC bulletin.

These vulnerabilities (CVE-2024-1708 and CVE-2024-1709) and available patches were disclosed on February 19th, just two days before the Change Healthcare cyberattack. The remote code execution flaws in ScreenConnect could be leveraged to bypass authentication controls.

“They quickly found a fix,” said Toby Gouker, CSO of clinical innovation at First Health Advisory. “But everybody is watching, and the malicious actors, they see a vulnerability. They are faster acting than a healthcare facility.”

With just two days between this vulnerability disclosure and the time that Change Healthcare took its systems offline, it is believed that threat actors were able to successfully exploit these vulnerabilities before Change had a chance to patch.

“They were doing everything they could to try to protect, but the day that happened, there were probably 600 different attacks seen. And one of them happened to be very successful,” Gouker noted.

However, ConnectWise maintains that it "is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on February 19th, 2024, and the incident at Change Healthcare."

"Our internal reviews have yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of managed service providers have come forward with any information regarding their association with Change Healthcare," the company stated.

BlackCat has since denied that they used the ConnectWise vulnerabilities for initial access, Bleeping Computer reported. 

On February 26th, Reuters reported that two people familiar with the matter had confirmed that BlackCat ransomware gang was behind the attack. BlackCat, also known as ALPHV, is believed to be a rebrand of DarkSide, a notorious group that committed the massive 2021 cyberattack against Colonial Pipeline.

Two days later, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and HHS released a joint cybersecurity advisory (CSA) about BlackCat, noting that they had committed attacks as recently as February 2024.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the CSA stated. “This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The Department of Justice (DOJ) disrupted BlackCat actors in December 2023 and released decryption keys to victims, but some of the group's known affiliates remained active after the takedown.

In the CSA, the government urged critical infrastructure organizations to secure remote access tools, implement user training on social engineering, and validate security controls against known threat behaviors.

As the Change Healthcare cyberattack continues to unfold, healthcare organizations should leverage threat intelligence and recommended mitigations provided by Health-ISAC, CISA, HHS, and partners to defend against future attacks. Meanwhile, organizations are working to provide prescriptions to patients and remain financially afloat amid this uncertainty.

What Healthcare Can Do Now

As important as it is to understand how threat actors gained access to Change Healthcare’s systems from a security perspective, all the organizations that remain disconnected from Change Healthcare’s systems are likely more concerned with maintaining day-to-day operations.

Pharmacies across the country are still working to fill prescriptions without access to the systems that tell them how much to charge customers. Major pharmacy chains such as CVS and Walgreens, as well as independently-owned pharmacies, have experienced disruptions due to the attack. Tricare, which serves US service members and their families, said that the incident had impacted "all military pharmacies worldwide."

Michael D. Hogue, PharmD, FAPhA, FNAP, FFIP, executive vice president and CEO of the American Pharmacists Association (APhA), urged the public to “please keep in mind the incredible extra stress this situation places on pharmacies and pharmacy personnel,” shedding light on the impact that this incident is having on pharmacists and providers.

As such, the affected organizations must do what they can with the resources they have available as this event continues to unfold.

In addition to following the guidance laid out in the joint CSA, Health-ISAC recommended updating ScreenConnect software immediately.

What’s more, the American Hospital Association (AHA) and Health-ISAC suggested that organizations should “immediately reevaluate their risk of keeping any network services shut down to Optum, Change Healthcare, UnitedHealthcare and/or UnitedHealth Group which has been deemed safe by them.”

“Each health care organization should continue to monitor and independently evaluate information provided by Change Healthcare to inform its own risk-based decisions regarding nonimpacted systems.”

Gouker, who was the former Provost for the SANS Technology Institute, reasoned that remaining disconnected from unaffected UnitedHealth Group services may do more harm than good by restricting access to even more essential services. The Change Healthcare-Optum merger was just completed in October 2022, Gouker added, making it even less likely that their systems are fully integrated.

This is also an instance where a reliable business continuity plan can make or break an organization’s ability to operate, Gouker stressed.

“If your business continuity plan was, ‘I trust they'll never fail,’ that's just not the way we work in today's world,” he said.

Additionally, as Change Healthcare continues to work to restore systems, Gouker predicted that some organizations would run into cash flow problems.

“When everybody is running on thin profit margins, you depend on that profit to keep going,” he noted.

Gouker recommended that in the short term, organizations rely on their cash reserves and their ability to extend payment terms with vendors to keep afloat amid this incident. In the long term, tightening third-party risk management practices and business continuity plans will prove crucial to impacted businesses.

Change Healthcare has not provided a timeline for when its systems will be reconnected and fully operational.

“All we can say is that on average, for something of this size, I think probably a 30-day time period until you get business continuity and then six months to a year before you have disaster recovery,” Gouker predicted.

In the week since the attack, this incident has tested the sector’s ability to maintain business continuity and will likely continue to pose challenges.