As Change Healthcare ransomware attack unfolds, concerns are escalating regarding patient care and safety, pushing the Healthcare Sector Coordinating Council’s (HSCC) 5 Year Strategic Plan into the spotlight. Donna and David talk with Gary Salman, CEO of Black Talon Security, on the ongoing situation, what is known and unknown, and its potential long-term effects. With the attack exacerbating issues within the healthcare system and highlighting the urgent need for robust cybersecurity measures, we explore the implications for patient data, the healthcare industry’s response, and what this means for the future of healthcare security.
In this episode:
Change HC Attack, What The… – Ep 450
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
Thanks to our donors.
The HIPAA Privacy and Security Boot Camp
3.5 day In Person Event
April 9, 10, 11 and 12, 2024
PriSecBootCamp.com
Change HC Attack, What The…
[02:58] The Change Healthcare ransomware attack is shaping up to be a watershed moment for healthcare. The massive impact it is having on the entire sector includes concerns about our ability to maintain patient care and safety. It is certainly making the HSCC 5 Year Strategic Plan jump to front and center for many sector leaders and industry journalists. The plan provides answers to all of those asking “what can we do”. The fact it was officially released a week after the Change Healthcare services were taken offline was definitely fortuitous.We have touched on it briefly in the last few episodes as the Change Healthcare situation emerged and progressed. The problems are only getting worse every day, it seems. So, today we brought in our friend, Gary Salman, CEO of Black Talon Security, to have a conversation with us about what we know, what we don’t know and the long term impact we anticipate.
Several articles have details and points we discussed so we gathered them here for your reference.
The Change Healthcare attack: Explaining how it happened
Change Healthcare extortionists ALPHV get $22M in Bitcoin • The Register
As Change Healthcare’s outage drags on, fears grow that patient data could spill online | TechCrunch
Information on the Change Healthcare Cyber Response – UnitedHealth Group
HHS Statement Regarding the Cyberattack on Change Healthcare
Letter to Health Care Leaders on Cyberattack on Change Healthcare | HHS.gov
Since so much of this is timely information let’s just note that we are recording this the afternoon of March 12th and it will be released the morning of March 22nd.
What we know, or think we know, about what happened
Feb. 21, 2024, Change Healthcare, part of UnitedHealth Group since 2022, publicly disclosed that it had been impacted by a cyberattack and they were taking services offline leading to significant disruptions in their ability to provide services.
Sidebar (DOJ sued to stop the acquisition but eventually dropped the case: DOJ, state attorneys general drop appeal to UnitedHealth-Change Healthcare deal ruling)
Change Healthcare is a massive company with far reaching impacts which were immediately felt. Here are some notes about them:
- Platform provides several different services to healthcare providers including payment and revenue cycle management.
- That includes claims processing and management as the clearinghouse backend provider to many insurance payers.
- They manage 15 billion claims a year, totaling over $1.5 trillion.
But, wait, there’s more!
- One of the largest health information exchange (HIE) platforms in the U.S.
- Other services include clinical decision support, patient portals, secure messaging and appointment scheduling.
Impacts immediately include:
- Providers and hospitals are unable to bill for services or get paid for things they had billed prior to Feb 21.
- Pharmacies are unable to get details they need to fill prescriptions.
- Patients can’t file claims or get their prescriptions either.
Over time these issues cause more problems as their impact is felt.
Timeline
- Feb. 21, 2024: Change Healthcare announces that cyber attack forced their systems offline. Lots of speculation begins about how it happened including the mention that the ConnectWise vulnerability was involved. We also discussed that problem around the same time. (ConnectWise has since said they are “unaware of any connection” to their issues.)
- Feb. 26, 2024: AHA publishes their open letter to HHS that this thing is going to be bad, very bad for the entire sector. They estimate that it impacts one in every three patient records in the U.S.
- Feb. 28, 2024: Publishes their open letter to HHS that their members need government assistance to mitigate the attack’s impact on their businesses because this thing is bad, very bad for the entire sector. BlackCat/ALPHV claims responsibility.
- March 1, 2024: Security researchers notice that a payment of 350 bitcoins, worth $22 million had been made to a bitcoin wallet they know to be associated with BlackCat/ALPHV. Gotta figure that is from Change Healthcare unless another big one is happening under the radar.
- March 5, 2024: HHS publishes HHS Statement Regarding the Cyberattack on Change Healthcare.
- March 10, 2024: HHS publishes Letter to Health Care Leaders on Cyberattack on Change Healthcare
What about the data?
[13:16] Things have gotten more complicated on the attack side of the story after the $22m payment was made. Apparently, they took the cash and shut down the operation leaving their “affiliates” high and dry with only the data and no money. Since then there have been a lot of statements about how much data they stole and what it included.Twitter screenshot from dark web forum
By March 5, BlackCat seems to have disappeared and posted a screenshot of the original notice the US and UK law enforcement put on the criminal’s website when they took it down last year. BlackCat got it back and set their affiliates free to attack anyone after that seizure. Now, they are blaming the FBI for shutting them down when it appears they decided it best if they “take the money and run”.
So the lower level criminals are angry they couldn’t trust their upstream criminal business partners. Wow, you can’t even count on honest criminals anymore!
First they said they had 6TB of data but now it seems like they only have 4TB based on the forum posting on Twitter. It mentions Medicare and Tricare, Davis Vision, CVS-CareMark, Health Net, Metlife, and Teachers Health Trust and “Tens of insurance companies and others”.
We already know they don’t delete this data when they claim they are going to do it even when paid. There is no way to confirm it other than taking their word for it. Honest criminals that they are.
When will it be back up and running?
[26:33] Here is what is currently posted at the time we recorded on the update site about the restore status:- Payments platform: Electronic payment functionality will be available for connection beginning March 15.
- Medical claims: We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week.
While we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established — in particular, using our new iEDI claim submission system in the interest of system redundancy given the current environment.
- March 15 to start getting payments for things they have ready to pay the providers and HDOs.
- March 18 to “begin testing and reestablish connectivity to our claims network” means not actually submitting them until that is done so don’t count on getting them in then.
What the … is going to happen after all of this?
[33:16] The fact that this situation will demonstrate that cyber safety truly is about patient safety just like HSCC has been saying, and we have been saying HIPAA isn’t about compliance, it’s about patient care for almost 9 years! Patient care has to come first is always the answer Kardon goes to when making recommendations about tough situations with clients. What is better for the patient’s care and safety.If we had asked anyone on Feb 20, 2024 how concerned they were that Change Healthcare would be shut down by a major cyber attack tomorrow, very few would have shown concern. When we do find out how this happened, it is statistically likely that a human made a mistake that invited the criminals in. That mistake could have been made months ago giving the criminals access to explore and steal TBs of data as they claim.
- There is no way this attack will teach criminals not to target healthcare, that is for certain. While also being able to use AI to attack more victims more aggressively.
- The movement to ban ransomware payments will get momentum but there is still too much to figure out there.
- The voluntary programs like the HPH CPGs and HICP Recognized Security Practices will become mandatory much sooner than we anticipated a few weeks ago when they were released.
- Insurance premiums for healthcare cyber coverage will continue to rise.
- The HSCC strategic plan concepts will move up much quicker to the priority list for leaders throughout the sector.
- The impact on this was so broad that even small providers had big impacts. They will need to have real plans for incident response on their part by incidents that occur in the supply chain.
- Vendor vetting and scrutiny will be a much bigger concern.
- Patients are going to become more vocal about these things impacting their care and the care of those they care about. More pressure to do better from patients will be felt on every part of the sector from those providing care to regulators. Without consumer trust the ability to provide effective care greatly diminishes.
- All of these rely on one important thing – attitudes amongst all organization leaders must change. They must start to understand and include the fact that patient care and safety will be seriously
For certain, this will impact patients and the entire sector for years. HHS was already in the process of pushing for more funding and authority to improve the cybersecurity posture of the entire industry. The ability to effectively make that argument just improved a thousand times if not more.
If a company this huge can get hit this hard there is no way anyone should think they have this covered. We must always be thankful things are going well while simultaneously being concerned we are under attack right now and don’t know it.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.
