Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Medicine Security IT

Security Lessons from the Change Healthcare Ransomware Catastrophe (csoonline.com) 45

The $22 million paid by Change Healthcare's parent company to unlock its systems "may have emboldened bad actors to further target the vulnerable industry," writes Axios: There were 44 attacks against the health care sector in April, the most that [cybersecurity firm] Recorded Future has seen in the four years it's been collecting data. It was also the second-largest month-over-month jump, after 30 ransomware attacks were recorded in March. There were 32 attacks in February and May.
But an analysis by the security-focused magazine CSO says the "disastrous" incident also "starkly illustrated the fragility of the healthcare sector, prompting calls for regulatory action." In response to the attack, US politicians have called for mandated baseline cybersecurity standards in the health sector, as well as better information sharing. They have also raised concerns that industry consolidation is increasing cyber risk.
So what went wrong? The attackers used a set of stolen credentials to remotely access the company's systems. But the article also notes Change Healthcare's systems "suffered from a lack of segmentation, which enables easy lateral movement of the attack" — and that the company's acquisition may have played a role: Mergers and acquisitions create new cyber threats because they involve the integration of systems, data, and processes from different organizations, each with its own security protocols and potential vulnerabilities. "During this transition, cybercriminals can exploit discrepancies in security measures, gaps in IT governance, and the increased complexity of managing merged IT environments," Aron Brand, CTO of CTERA told CSOonline. "Additionally, the heightened sharing of sensitive information between parties provides more opportunities for data breaches."
And "In the end, paying the ransom failed to protect UHG from secondary attempts at extortion." In April, cybercriminals from the RansomHub group threatened to leak portions of 6TB of sensitive data stolen from the breach of Change Healthcare, and obtained through Nichy, according to an analysis by security vendor Forescout. An estimated one in three Americans had their sensitive data exposed as a result of the attack. Such secondary scams are becoming increasingly commonplace and healthcare providers are particularly at risk, according to compliance experts... The US Department of Health and Human Services (HHS) is investigating whether a breach of protected health information occurred in assessing whether either UHG or Change Healthcare violated strict healthcare sector privacy regulations.
Thanks to Slashdot reader snydeq for sharing the article.
This discussion has been archived. No new comments can be posted.

Security Lessons from the Change Healthcare Ransomware Catastrophe

Comments Filter:
  • by quonset ( 4839537 ) on Saturday June 15, 2024 @05:45PM (#64552079)

    They have also raised concerns that industry consolidation is increasing cyber risk.

    Apparently soaring medical costs because of consolidation don't enter into the picture of concern. Gotta keep those profits high so the bribes, er, contributions, can keep coming. It's only now, with the costs associated with this attack draining the company coffers, that suddently there's concern over consolidation.

    Someone ought to go after the three big ISPs in this country. Let's see how fast the issue of consolidation comes up. Maybe then Congress will finally force the issue of competition.

    • Why does HIPPA not apply to this?
      • by XXongo ( 3986865 )

        Why does HIPPA not apply to this?

        HIPAA applies to healthcare professionals.

        Cybercriminals are not healthcare professionals.

    • by Shag ( 3737 )

      A friend runs a medical billing company that serves small medical practices, and when this all went down, a bunch of payments from Change to practices got backlogged. I just saw a message from him indicating that although Change is now paying new bills, the backlogged ones from months ago are still unpaid, which basically screws up the bookkeeping for those practices. Joy.

  • by Alascom ( 95042 ) on Saturday June 15, 2024 @05:50PM (#64552087)

    An ancient lesson throughout human history is that paying your enemies for temporary peace only ensures a stronger enemy when they return... and they always return. If you forget the past, you are doomed to repeat it.

    It should be illegal in the U.S. to pay ransomware. Any payment is complicity in the criminal acts.

    • The barbarian analogy is apt. The way the internet has made communications frictionless is kind of like ancient people of the steppe developing horsemanship, which repeatedly bred the most potently destructive versions of barbarian marauding. Hopefully the security industry comes up with better solutions than the "hide in castles" bullshit that people usually do.
      • Frictionless is an understatement. I run a small website and occasionally I'll watch the traffic. Literally within seconds there are attempts on ftp, telnet, ssh, every web attack you can imagine, mail spoofs, attacks against ports for windoze, ... I've blocked numerous /8's /16's etc from countries like ru and cn. And still it is a cesspool. And I run a small site. I cannot image the millions of hits on major sites that probably occur every second. Not sure how, but sanity needs to come to the web. If noth
        • Isn't that why things like Cloudflare and such are so ubiquitious today? That we've created the entire layer inside the internet to protect sites from... the internet? I haven't booted up my own server in a long while but I imagined it was like you described, plug it in and see everythin light up immediately.

          also your end made me think of "Okay I'll be chaff and you be wheat" [youtube.com]

        • Maybe one thing that would help is acknowledging that electronic privacy is fundamentally just a mutual agreement, not a tangibly achievable fact. Basically we ignore each other because we don't give a shit compared to the benefits we get from open networking. But if someone crosses lines as bright and thick as holding hospital patients hostage, the social contract has been breached and more substantive security protocols are invoked in their case.

          I'm not saying drone strikes, but I'm not NOT saying dr
          • I don't have an answer. The only physical equivalent I can think of would be how would most feel if every second of every day someone (and different someone's) are trying every window, door handle, door lock(with a key hoping to fit the lock), garage door was attempted to be opened. We already have porch pirates stealing packages regularly, but under this scenario you'd never get a package because from the delivery time to the time you opened the door it would be gone. In the early days, it was as you say a
      • by gweihir ( 88907 )

        "Hide in castles"? If people would do that, then there would not be a problem. With regard to IT, people more often than not hide in flimsy tents or by just standing there and closing their eyes.

        • Whether the castle is strong or flimsy, the shortsighted logic is the same: The victims imprison themselves and designate their attackers as wardens by default. The illusion of control is valued over the reality of freedom to respond. Then again, air gaps and Faraday cages are pretty great. I just wish people these days didn't gasp at the notion as if you were suggesting putting them in a fallout shelter.
    • by ArchieBunker ( 132337 ) on Saturday June 15, 2024 @07:07PM (#64552193)

      The bean counters have decided that the occasional ransom is cheaper than a larger IT budget.

    • It should be illegal in the U.S. to pay ransomware. Any payment is complicity in the criminal acts.

      The result of that will be fewer ransomware attacks reported to the police and more impunity for the criminals.

    • History teaches us that we do not learn from history.

      Those who remember the past are doomed to watch it be repeated.

    • by gweihir ( 88907 ) on Saturday June 15, 2024 @08:34PM (#64552317)

      Ransomware is an object lesson on this: It only got big because people started to pay. Today, these criminals have release cycles, test environments, software warranty, etc. The only reason they got there is that people did pay the ransom. Likely the only way to get rid of these criminal enterprises, which do a lot more damage than they rake in in profits, is to starve them. That means no more ransom payments and no more half-assing IT security.

      • Ransomware is an object lesson on this: It only got big because people started to pay. Today, these criminals have release cycles, test environments, software warranty, etc. The only reason they got there is that people did pay the ransom. Likely the only way to get rid of these criminal enterprises, which do a lot more damage than they rake in in profits, is to starve them. That means no more ransom payments and no more half-assing IT security.

        Rather similar to the old protection racket. Pay organized crime so something bad doesn't happen to your company. Except that if you do pay, you'll be paying all the time. I see the bad guys branching out into a monthly million dollar or so payment model.

        All that said, these companies might meet with DoD, and get some tips on hardening their systems. Not to impose classification of course, but something to avoid simply giving everyone's data away. The article has a start, with segmentation. Adding things

        • by gweihir ( 88907 )

          It is known how to make it hard for the ransomware attackers. Just look at, for example, the CIS controls, or even only ISO 27001 Appendix A. People are _asking_ to get hacked and extorted because they are half-assing IT security in a globally connected world.

    • An ancient lesson throughout human history is that paying your enemies for temporary peace only ensures a stronger enemy when they return... and they always return. If you forget the past, you are doomed to repeat it.

      It should be illegal in the U.S. to pay ransomware. Any payment is complicity in the criminal acts.

      Appeasement doesn't work very well, and my money is on Change Healthcare being a go to source of money, because they have accepted that they would rather pay the crooks than eliminate the problem.

  • Then travelled through the network?

    I'm sure I saw that plot on a TV show once. Something involving cylons. No, not people from Ceylon you idiot AI. Now quit changing the word.

  • Ya think? (Score:5, Insightful)

    by battingly ( 5065477 ) on Saturday June 15, 2024 @06:13PM (#64552127)
    Criminals are now emboldened as a result of them paying the ransom? File that under "Duh". The only solution is to make paying the ransom a federal crime. The current approach of appeasement isn't working. Make the money source dry up for the criminals and give organizations only one possible means of protection: improve their security.
    • by gweihir ( 88907 )

      Indeed. The problem is that this is unpopular with the morons focussed all on short-term profits and no strategic planning. Hence politicians pushing for this long overdue change will find they have problems getting reelected.

      • by gweihir ( 88907 )

        How can anybody with two braincells mod this down? It is _literally_ what is happening.

    • Fine, just ensure that the buck can't be passed. Organisations like to outsource the risk/IT. If my data goes to one company, the end-to-end of that data should mean that a breach downstream is compensated by the company that ingested it.

    • by mjwx ( 966435 )

      Criminals are now emboldened as a result of them paying the ransom? File that under "Duh". The only solution is to make paying the ransom a federal crime. The current approach of appeasement isn't working. Make the money source dry up for the criminals and give organizations only one possible means of protection: improve their security.

      Which will work as well as any other "federal crime"... which is to say it wont as the people it applies to are pretty convinced that the laws don't apply to them as they've a good track record of well, the law not applying to them.

  • by tiqui ( 1024021 ) on Saturday June 15, 2024 @06:31PM (#64552153)

    This will continue until the executives of these companies are charged with a HIPAA violation FOR EACH PATIENT WHOSE DATA IS COMPROMISED. As long as the executives are not personally charged, they can pass along any fines to their patients (the victims) and it's therefore in the interests of the executives to save money by running crappy vulnerable IT systems. Even with charges for the executives, there would still be a problem: There's a limit to the total size of fine that can be imposed in one year... less than the bonuses many executives get in a year. If the politicians wanted to fix this, they could, but they won't - the healthcare people are some of their "campaign contributors". Ask yourself: why cap the penalties in the legislation, if nobody is expected to violate it, and if any violations are actually going to be considered serious? The cap is because the politicians KNEW their campaign contributors would violate it, and they did not want those contributors to feel any pain, but they wanted the public to think they were taking privacy seriously.

    The new proposed legislation mentioned is the usual meaningless drivel to plop out of congress: rather than cracking-down on a sleazy reckless industry, it mandates a few standards, and it those standards are met... you guessed it... it sends bundles of taxpayer money to those healthcare companies (remember: they're "campaign contributors"). If the politicians were SERIOUS, the legislation would offer NO "carrots" and instead provide hyper-draconian penalties - like 50 years at hard labor for any executive or manager at any company that leaks ANY patient/customer private data. People would be shocked at6 how rapidly this would all end if the folks with the MBA degrees and suits and corner offices had their physical butts on the line, and no golden parachutes were in sight.

    • This will continue until the executives of these companies are charged with a HIPAA violation FOR EACH PATIENT WHOSE DATA IS COMPROMISED.

      Qualified executives will not accept a job under those terms.

      The result will be even more unqualified people running the show.

  • who missed the September 11th 2001 terror attacks on Washington & NYC. Sheesh. Let the trial lawyers unleash some lawfare attacks on those corps who leave the data barn door wide open and have some local DAs start fining and jailing the boardroom set. How about that course of action instead of more hearings, reports, and investigating commissions?
  • by Mirnotoriety ( 10462951 ) on Saturday June 15, 2024 @07:42PM (#64552241)
    MICROS~1 Windows strikes again ..
  • And it is: "Do not fuck up your IT security if you depend on your IT". Seriously. Segmentation, 2FA, offline or reliably write-protected backups, established and tested (!) recovery procedures, a capability to run local-only while the attack-path is identified, security-logging to allow the identification of said attack path, capability or established contract for said attack path identification, monitoring and alerting for attack detection and a few more things.

    Non of that is new. None of that is surprisin

    • by gweihir ( 88907 )

      That this gets downvoted nicely illustrates the problem: Too many fuckups in IT and IT Security that do not even want to do it right. We really need liability and for gross negligence, personal liability.

  • ... mandated baseline cybersecurity standards ...

    Let me understand this: HIPPA requires businesses to hold more personal data than banks and to not share it but there isn't a white-paper defining best practices and must-not-dos for that task?

    The only way that can happen is health-industry advocates wrote the legislation and paid people to vote "yes" to a paper-tiger regulator.

Technology is dominated by those who manage what they do not understand.

Working...