By Mark Lanterman
This past winter, UnitedHealth Group was the victim of a massive cyberattack, negatively impacting many healthcare providers and inhibiting their ability to care for patients. The American Hospital Association characterized the attack as “the most serious incident of its kind leveled against a U.S. health care organization… The repercussions from the attack have made it harder for many hospitals and doctors to provide patient care, fill prescriptions, submit insurance claims, and receive payment for the essential health care services they provide.”1 The potential cascade of consequences has only started to surface, beginning with the initial cost of the attack, which included a substantial ransom that was ultimately paid to the attackers. UnitedHealth Group CEO Andrew Witty confirmed this past May that a $22 million payment had been made to the attackers in an effort to protect compromised patient data.2
Following the incident, calls for information about what exactly transpired abounded. UnitedHealth explained that the Russia-based ransomware group known as ALPHV or Blackcat was responsible for the cyberattack, with the group itself claiming that it had stolen more than six terabytes of data.3 According to a CBS News account of a congressional hearing, “The cybercriminals entered through a portal that didn’t have multifactor authentication (MFA) enabled.”4 Witty explained to lawmakers that the reason for the oversight was that Change Healthcare (the breached subsidiary of UnitedHealth Group) had been recently acquired and was still using old technologies that needed upgrading.5 Since this testimony, Oregon U.S. Sen. Ron Wyden has called for further investigation by the Federal Trade Commission and the Securities and Exchange Commission, pointing to the lack of MFA protection as a direct, and preventable, cause of the attack.6
The attack on UnitedHealth Group is in many ways a worst-case scenario of what can occur as a result of a cyberattack. In this instance, one missing best practice security measure on one remote server7 culminated in what some are calling the worst attack the healthcare industry has ever experienced. The healthcare industry is always a prime target for cybercrime, and this attack demonstrates how far-reaching the damages of an attack can be. It remains to be seen what the most important lessons from this situation will be, but there is already much to be learned.
As CEO Witty explained, Change Healthcare had been recently acquired and was operating, at least to some extent, on outdated technology. Organizations are particularly vulnerable to cyberattacks during periods of expansion. It is during times of growth that important security measures are especially prone to be neglected in favor of prioritizing convenience and immediacy in providing services. But one key lesson here is that ensuring the uniform application of best practices and investing in new technologies is often an essential piece of the puzzle when growing an organization. In this case, UnitedHealth Group was only as secure as its least secure subsidiary.
Additionally, this incident reveals that sometimes the easiest and most obvious security measures are the most powerful. Even if an organization believes that it is secure, believes that it has implemented best practices, believes that its policies are comprehensive—it never hurts to start from the top and double-check. As evidenced here, slowing down and verifying that standard measures were universally implemented across the organization may have made a big difference.
Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.
Notes
1 https://www.aha.org/news/perspective/2024-03-06-serious-cyberattack-history-our-nations-health-care-system
2 https://www.cnbc.com/2024/05/01/unitedhealth-ceo-says-company-paid-hackers-22-million-ransom.html
3 https://www.cbsnews.com/news/unitedhealth-senate-hearing-cyberattack-change-healthcare/
4 https://www.cbsnews.com/news/unitedhealth-senate-hearing-cyberattack-change-healthcare/
5 https://www.cbsnews.com/news/unitedhealth-senate-hearing-cyberattack-change-healthcare/
6 https://www.finance.senate.gov/chairmans-news/wyden-urges-biden-administration-to-investigate-unitedhealth-group-negligent-cybersecurity
7 https://www.finance.senate.gov/chairmans-news/wyden-urges-biden-administration-to-investigate-unitedhealth-group-negligent-cybersecurity