Lessons Learned and Life After a Breach in Your Healthcare Organization
Mitigate third-party ransomware risks beyond IT disaster recovery plans.
- In 2024 Change Healthcare/UHC experienced the largest healthcare breach to date, affecting hospital operations and billing and exposing patient records.
- Increased reliance on third-party vendors can introduce significant cybersecurity risks without proper evaluation and contingency plans.
- Many healthcare organizations do not have updated IT disaster recovery plans for virtual and digital connections, leaving them vulnerable to cyberattacks.
Our Advice
Critical Insight
- Traditional disaster recovery plans are not focused on the virtual environment, especially with the increase in the volume of third-party vendors.
- Interconnected systems and applications make it challenging to identify and address vulnerabilities across a large IT environment.
- Limited budgets and resources hinder robust cybersecurity and disaster recovery measures such as multifactor authentication (MFA) and the updating of outdated and unpatched systems.
Impact and Result
- Leverage Info-Tech’s insights on current healthcare cybersecurity threats, a case study of the Change Healthcare/UHC data breach, lessons learned, and how to prevent future breaches.
- Adopt a strategy to mitigate third-party ransomware risks in a virtual environment that includes vendor security risks, data flows and architecture, incident response, data governance and classification, disaster recovery, and security considerations.
- Use Info-Tech's Healthcare Business Impact Analysis Tool to estimate the impact of downtime on your organization.
Lessons Learned and Life After a Breach in Your Healthcare Organization Research & Tools
1. Lessons Learned and Life After a Breach in Your Healthcare Organization Storyboard – Strategies to effectively address evolving third-party ransomware risks.
This research offers a roadmap to mitigate third-party ransomware and data breach risks, featuring insights on current healthcare cybersecurity threats, lessons from the Change Healthcare/UHC data breach, and strategies to prevent future incidents.
2. Healthcare Business Impact Analysis Tool – This disaster recovery planning tool is designed to empower healthcare organizations with a proactive approach to ransomware threats.
Use this tool to identify critical processes; evaluate potential impacts on patient care, operations, and finances; and prioritize recovery efforts to minimize disruption and downtime. By guiding resource allocation and shaping comprehensive DRP strategies, the tool ensures your organization can restore essential systems quickly and maintain patient safety. With this tool, healthcare providers can enhance operational resilience and confidently navigate the challenges of ransomware incidents.
Analyst Perspective
Prioritize ransomware risks beyond disaster recovery and incident response plans.
In today’s healthcare landscape, organizations face increasing cybersecurity challenges due to their reliance on third-party vendors and complex IT environments. The Change Healthcare/UHC breach, the largest in healthcare to date, exposed significant vulnerabilities: it disrupted hospital operations and billing and exposed patient records. This underscores the urgent need for comprehensive strategies to address these risks.
However, many healthcare organizations encounter obstacles such as outdated IT disaster recovery plans that fail to address virtual and digital connections, limited budgets and resources, and complex, interconnected systems that make it difficult to identify and fix vulnerabilities. Traditional disaster recovery approaches often overlook the evolving nature of third-party risks and virtual environments, increasing susceptibility to cyberattacks.
This research offers a roadmap to mitigate third-party ransomware and data breach risks, featuring insights on current healthcare cybersecurity threats, lessons from the Change Healthcare/UHC data breach, and strategies to prevent future incidents.
Sharon Auma-Ebanyat
Executive Summary
Your Challenge
Change Healthcare/UHC experienced the largest healthcare breach to date, which affected hospital operations and billing and exposed patient records.
Increased reliance on third-party vendors can introduce significant cybersecurity risks without proper evaluation and contingency plans.
Many healthcare organizations do not have updated IT disaster recovery plans for virtual and digital connections, leaving them vulnerable to cyberattacks.
Common Obstacles
Traditional disaster recovery plans are not focused on the virtual environment, especially with the increase in the volume of third-party vendors.
Interconnected systems and applications make it challenging to identify and address vulnerabilities across a large IT environment.
Limited budgets and resources hinder robust cybersecurity and disaster recovery measures such as multifactor authentication (MFA) and the updating of outdated and unpatched systems.
Info-Tech’s Approach
Leverage Info-Tech’s insights on current healthcare cybersecurity threats, a case study of the Change Healthcare/UHC data breach, lessons learned, and how to prevent future breaches.
Adopt a strategy to mitigate third-party ransomware risks in a virtual environment that includes vendor security risks, data flows and architecture, incident response, data governance and classification, disaster recovery, and security considerations.
Use Info-Tech's Healthcare Business Impact Analysis Tool to estimate the impact of downtime on your organization.
Info-Tech Insight
With the increasing reliance on third-party vendors, healthcare organizations are more vulnerable to ransomware attacks. However, understanding and adopting a well-documented third-party mitigation strategy for virtual environments will strengthen your resilience toward ransomware attacks.
Four behaviors driving ransomware attacks
The healthcare sector has seen a significant rise in ransomware attacks in 2024, primarily due to the following security gaps:
- Insufficient Multifactor Authentication (MFA) Implementation: Many healthcare organizations have not fully implemented MFA, especially for remote access services. Attackers exploit this weakness using stolen credentials, gaining unauthorized access to critical systems.
- Outdated and Unpatched Systems: Legacy systems and outdated software with known vulnerabilities are prevalent in the healthcare industry. These unpatched systems are prime targets for exploitation by ransomware groups looking for easy entry points.
- Inadequate Employee Training on Phishing and Social Engineering: Employees often lack training on recognizing phishing attempts and social engineering tactics. Phishing emails are a common vector for ransomware, leading to credential theft and malware installation.
- Lack of Comprehensive Data Backups and Redundancy: Reliable, off-network backups are essential for recovering from ransomware without paying a ransom. Without them, organizations face prolonged downtime and potential data loss. Implementing geo-redundant and regularly verified backups can significantly mitigate recovery challenges.
“57% of healthcare organizations impacted by cyberattacks reported poor patient outcomes as a result.” (Armis, 2024)
Info-Tech Insight
The combination of weak MFA, outdated systems, poor employee training, and inadequate backups creates a prime target for ransomware, making a proactive, layered defense essential for healthcare organizations to effectively deter and mitigate ransomware attacks.
Ransomware attacks increase mortality rates
Patient transfers, delays in procedures, and increased complications lead to longer lengths of stay and increased mortality rates.
Ransomware attacks add strain to neighboring hospitals
Neighboring hospitals are seeing an increase in demand from redirections due to ransomware attacks.
- 113% increase in stroke cases: Ransomware affects the unaffected hospitals that absorb patients from stroke code activations.
- 81% increase in cardiac arrests: Nearby hospitals are handling more critical cases, putting stress on their systems.
- 88.75% increase in unfavorable neurological outcomes due to longer transfer times: Ransomware has impacted neurological outcomes of patients in unaffected hospitals due to disruptions in operations.
- 35.2% increase in ambulance arrivals: During the attack phase, there are several emergency medical services (EMS) ambulance diversions to unaffected hospitals.
- 15.1% increase in patient volumes: During attacks, unaffected hospitals experience an influx of patients, increasing their daily census.
- 47% increase in waiting room time: During an attack, unaffected hospitals' waiting room time increased from 21 minutes to 31 minutes.
(Sources: JAMA Network Open, 2023; Microsoft Security Insider, 2024)
Attackers are targeting compromised credentials and vulnerabilities
Bad actors are attacking backup systems
The frequency and impact of ransomware attacks are on the rise for backup systems.
Ransomware-as-a-service (RaaS) has lowered entry barriers for attackers without technical expertise.
“RaaS platforms have democratized access to sophisticated ransomware tools, allowing even those with minimal technical skills to launch highly effective attacks.” (Jack Mott, Microsoft Threat Intelligence, quoted in “US Healthcare at Risk,” Microsoft Security Insider, n.d.)
- Backup systems are under attack. Two thirds (66%) of attempts to breach hospital backups were successful in 2024, surpassed only by energy (79%) and education (71%).
- If your backup was breached, you likely paid the ransom. Those with impacted backup systems were more than twice as likely (67%) to pay the ransom compared to those who were not (27%).
- If your backup was breached, it likely cost you more. The median ransom demand when backups were compromised was more than three times the initial ransom demand: US$4.4 million vs. US$1.3 million.
- More than half of all those breached paid the ransom. A total of 53% of all breached organizations paid the ransom.
- Recovery takes time. The average recovery time is one month.
(Sources: Sophos, 2024; Microsoft Security Insider, 2024)
Change Healthcare/UHC: The largest healthcare breach in history, with over 100 million individuals impacted
What Happened?
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UHG), experienced a significant ransomware attack orchestrated by the ALPHV/BlackCat group.
This incident disrupted healthcare services nationwide and compromised sensitive patient information.
Incident Overview
- Date of Attack: February 21, 2024.
- Perpetrator: ALPHV/BlackCat ransomware group.
- Method of Entry: Attackers used stolen credentials to access a Citrix remote access service that lacked multifactor authentication (MFA).
- Remediation: Change Healthcare implemented MFA across all remote access points and conducted comprehensive security audits to identify and rectify vulnerabilities.
(Sources: “Change Healthcare Hackers,” TechCrunch, 2024; Wikipedia, 2024)
Immediate Implications
- Operational Disruption: The encryption of systems led to widespread service outages, delaying patient care and financial transactions.
- Data Compromise: Over 100 million individuals' personal health information (PHI) was compromised, marking it as one of the largest healthcare data breaches on record.
- Financial Strain: The attack resulted in significant financial losses, with UHG reporting an $872 million impact, potentially escalating to $1.15 billion.
Change Healthcare paid a US$22 million ransom in exchange for the tools necessary to decrypt and restore the encrypted systems and for promises to delete the stolen data and refrain from public disclosure.
(Sources: Wired, 2024; AP News, 2024; The Record, 2024)
Long-Term Implications
Despite remediation efforts, several risks could persist:
- Data Copies: Unauthorized copies of the stolen data may still be in circulation, posing ongoing privacy threats.
- System Vulnerabilities: If all security gaps were not identified and addressed, systems could remain susceptible to future attacks.
- Reputation Damage: The breach could erode trust among patients and partners, leading to long-term reputational harm.
- Financial Recovery: UHG's Optum subsidiary initiated emergency funding programs to support affected providers, but the financial repercussions continued to impact the healthcare sector.
(Sources: The Verge, 2024; “UnitedHealth Says Change Healthcare Hack Affects Over 100 Million,” TechCrunch, 2024)
Cloud solution outages are a risk to your SaaS data
At a minimum, set a goal to review cloud vendor risk at least annually, define standard processes for monitoring outages, and review options to back up your SaaS data.
Example baseline standard for cloud risk mitigation.
Review vendor risk at least annually. This includes reviewing SLAs, the vendor’s incident preparedness (e.g. disaster recovery plan, business continuity plan, security incident response plan), and the vendor’s data protection strategy.
Incident response plans must include, at a minimum, steps to monitor vendor outage and communicate status to relevant stakeholders. Where possible, business process workarounds are defined to bridge the service gap.
For critical data (based on your BIA and an evaluation of risk), maintain your own backups of SaaS data for additional protection.
Embed risk mitigation standards into existing IT operations.
Include specific SLA requirements, including incident management processes, in your RFP process and annual vendor review.
Define cloud incident response in your incident management procedures.
Include cloud data considerations in your backup strategy reviews.
Download Mitigate the Risk of Cloud Downtime and Data Loss
Info-Tech Insight
As more organizations move to cloud solutions, their exposure to cyberattacks increases, which is why cloud risk mitigation standards should be integrated into IT operations so that cloud vendors receive the same oversight as all other high-risk vendors.
Lessons learned from the Change Healthcare/UHC breach
1. Strengthen Third-Party Risk Management
2. Comprehensive Incident Response Plan
3. Resilience Through Redundancy
4. Enhanced Data Protection Protocols
5. Comprehensive SaaS Risk Management
6. Incident Transparency and Communication
7. Incident Analysis and Lessons Learned
8. Review and Strengthen Compliance
9. Invest in Advanced Threat Detection
Lessons learned can be addressed through five phases/practices
Many of these lessons learned can be addressed through the following five practices, which extend beyond disaster recovery plans and incident response plans.
1. Evaluate and Prioritize Vendor Security Risks
2. Assess and Document Data Flows and Architecture
3. Review Incident Response Plan
4. Develop Data Governance and Classification
5. Strengthen Disaster Recovery & Security Considerations
Info-Tech’s approach to mitigate third-party ransomware risks
In a complex vendor environment, rather than tackling these lessons individually, healthcare organizations should focus on the following five practices/phases.
Phase 1. Evaluate and Prioritize Vendor Security Risks
- 1.1 Strategic Vendor Focus
- 1.2 Dual Vendor Strategy for SaaS Applications
- 1.3 Prioritize High-Risk Vendors
Phase 2. Assess and Document Data Flows & Architecture
- 2.1 Data Flow Documentation
- 2.2 Impact Assessment: "Lifting the Drawbridge"
- 2.3 Collateral Damage Mitigation
Phase 3. Review Incident Response Plan
- 3.1 Review Security Incident Management Plan
- 3.2 Tabletop Planning Exercise
Phase 4. Develop Data Governance & Classification
- 4.1 Develop Data Governance
- 4.2 Impact of Ransomware on Data Classification
Phase 5. Strengthen Disaster Recovery & Security Considerations
- 5.1 Data Backup and Replication
- 5.2 Failover and Redundancy Systems
- 5.3 Access Control, Authentication, and Data Encryption
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Talk to an Analyst
Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.
Book an Analyst Call on This Topic
You can start as early as tomorrow morning. Our analysts will explain the process during your first call.
Get Advice From a Subject Matter Expert
Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.
Author
Sharon Auma-Ebanyat
Contributors
- Anonymous, Information Security Officer, US Home Healthcare Organization
Search Code: 106898
Last Revised: February 25, 2025