Security Lessons from the Change Healthcare Ransomware Catastrophe (csoonline.com)
The $22 million paid by Change Healthcare's parent company to unlock its systems "may have emboldened bad actors to further target the vulnerable industry," writes Axios:
There were 44 attacks against the health care sector in April, the most that [cybersecurity firm] Recorded Future has seen in the four years it's been collecting data. It was also the second-largest month-over-month jump, after 30 ransomware attacks were recorded in March. There were 32 attacks in February and May.
But an analysis by the security-focused magazine CSO says the "disastrous" incident also "starkly illustrated the fragility of the healthcare sector, prompting calls for regulatory action." In response to the attack, US politicians have called for mandated baseline cybersecurity standards in the health sector, as well as better information sharing. They have also raised concerns that industry consolidation is increasing cyber risk.
So what went wrong? The attackers used a set of stolen credentials to remotely access the company's systems. But the article also notes Change Healthcare's systems "suffered from a lack of segmentation, which enables easy lateral movement of the attack" — and that the company's acquisition may have played a role: Mergers and acquisitions create new cyber threats because they involve the integration of systems, data, and processes from different organizations, each with its own security protocols and potential vulnerabilities. "During this transition, cybercriminals can exploit discrepancies in security measures, gaps in IT governance, and the increased complexity of managing merged IT environments," Aron Brand, CTO of CTERA told CSOonline. "Additionally, the heightened sharing of sensitive information between parties provides more opportunities for data breaches."
And "In the end, paying the ransom failed to protect UHG from secondary attempts at extortion." In April, cybercriminals from the RansomHub group threatened to leak portions of 6TB of sensitive data stolen from the breach of Change Healthcare, and obtained through Nichy, according to an analysis by security vendor Forescout. An estimated one in three Americans had their sensitive data exposed as a result of the attack. Such secondary scams are becoming increasingly commonplace and healthcare providers are particularly at risk, according to compliance experts... The US Department of Health and Human Services (HHS) is investigating whether a breach of protected health information occurred in assessing whether either UHG or Change Healthcare violated strict healthcare sector privacy regulations.
Thanks to Slashdot reader snydeq for sharing the article.
They're just now worried? (Score:5, Insightful)
They have also raised concerns that industry consolidation is increasing cyber risk.
Apparently soaring medical costs because of consolidation don't enter into the picture of concern. Gotta keep those profits high so the bribes, er, contributions, can keep coming. It's only now, with the costs associated with this attack draining the company coffers, that suddenly there's concern over consolidation.
Someone ought to go after the three big ISPs in this country. Let's see how fast the issue of consolidation comes up. Maybe then Congress will finally force the issue of competition.
Re: (Score:1)
Re: (Score:2)
Why does HIPPA not apply to this?
HIPAA applies to healthcare professionals.
Cybercriminals are not healthcare professionals.
Re: (Score:1)
A friend runs a medical billing company that serves small medical practices, and when this all went down, a bunch of payments from Change to practices got backlogged. I just saw a message from him indicating that although Change is now paying new bills, the backlogged ones from months ago are still unpaid, which basically screws up the bookkeeping for those practices. Joy.
Re: They're just now worried? (Score:2)
It's because the public health service officials don't want private doctors, so they make them suffer the death of multiple annoyances and fines crafted fake rule breaks.
Paying barbarians only creates stronger barbarians (Score:5, Insightful)
An ancient lesson throughout human history is that paying your enemies for temporary peace only ensures a stronger enemy when they return... and they always return. If you forget the past, you are doomed to repeat it.
It should be illegal in the U.S. to pay ransomware. Any payment is complicity in the criminal acts.
Re:Paying barbarians only creates stronger barbari (Score:4)
Re: (Score:3)
Re: (Score:2)
Isn't that why things like Cloudflare and such are so ubiquitous today? That we've created the entire layer inside the internet to protect sites from... the internet? I haven't booted up my own server in a long while but I imagined it was like you described, plug it in and see everything light up immediately.
also your end made me think of "Okay I'll be chaff and you be wheat" [youtube.com]
Re: (Score:2)
I'm not saying drone strikes, but I'm not NOT saying dr
Re: (Score:2)
Re: (Score:3)
"Hide in castles"? If people would do that, then there would not be a problem. With regard to IT, people more often than not hide in flimsy tents or by just standing there and closing their eyes.
Re: (Score:2)
Re:Paying barbarians only creates stronger barbari (Score:4, Interesting)
The bean counters have decided that the occasional ransom is cheaper than a larger IT budget.
Re:Paying barbarians only creates stronger barbari (Score:4, Interesting)
Those that are attacked successfully by Ransomware thieves should sue into oblivion all previous victims that paid the ransom as they were all complicit in funding the thieves.
Re: (Score:2, Insightful)
Then we should make said bean-counters go to prison if they use that strategy.
Re: (Score:2)
It should be illegal in the U.S. to pay ransomware. Any payment is complicity in the criminal acts.
The result of that will be fewer ransomware attacks reported to the police and more impunity for the criminals.
Re: (Score:2)
History teaches us that we do not learn from history.
Those who remember the past are doomed to watch it be repeated.
Re: Paying barbarians only creates stronger barbar (Score:1)
How could we learn from history that we don't learn from history if we don't learn from history?
Re:Paying barbarians only creates stronger barbari (Score:5, Informative)
Ransomware is an object lesson on this: It only got big because people started to pay. Today, these criminals have release cycles, test environments, software warranty, etc. The only reason they got there is that people did pay the ransom. Likely the only way to get rid of these criminal enterprises, which do a lot more damage than they rake in in profits, is to starve them. That means no more ransom payments and no more half-assing IT security.
Re: (Score:2)
Ransomware is an object lesson on this: It only got big because people started to pay. Today, these criminals have release cycles, test environments, software warranty, etc. The only reason they got there is that people did pay the ransom. Likely the only way to get rid of these criminal enterprises, which do a lot more damage than they rake in in profits, is to starve them. That means no more ransom payments and no more half-assing IT security.
Rather similar to the old protection racket. Pay organized crime so something bad doesn't happen to your company. Except that if you do pay, you'll be paying all the time. I see the bad guys branching out into a monthly million dollar or so payment model.
All that said, these companies might meet with DoD, and get some tips on hardening their systems. Not to impose classification of course, but something to avoid simply giving everyone's data away. The article has a start, with segmentation. Adding things
Re: (Score:2)
It is known how to make it hard for the ransomware attackers. Just look at, for example, the CIS controls, or even only ISO 27001 Appendix A. People are _asking_ to get hacked and extorted because they are half-assing IT security in a globally connected world.
Re: (Score:2)
An ancient lesson throughout human history is that paying your enemies for temporary peace only ensures a stronger enemy when they return... and they always return. If you forget the past, you are doomed to repeat it.
It should be illegal in the U.S. to pay ransomware. Any payment is complicity in the criminal acts.
Appeasement doesn't work very well, and my money is on Change Healthcare being a go to source of money, because they have accepted that they would rather pay the crooks than eliminate the problem.
Bad guys entered through one system (Score:2)
Then travelled through the network?
I'm sure I saw that plot on a TV show once. Something involving cylons. No, not people from Ceylon you idiot AI. Now quit changing the word.
Re: (Score:2)
I don't think that UHG learned their lesson from this, either. As someone who's worked with them in the past, their IT security practices are still pretty atrocious.
vendor controlled systems get in the way of lockin (Score:2)
vendor controlled systems get in the way of locking stuff down.
Re: (Score:2)
Only if the customer tolerates that.
Ya think? (Score:5, Insightful)
Re: (Score:1)
Indeed. The problem is that this is unpopular with the morons focussed all on short-term profits and no strategic planning. Hence politicians pushing for this long overdue change will find they have problems getting reelected.
Re: (Score:2)
How can anybody with two braincells mod this down? It is _literally_ what is happening.
Re: (Score:2)
Fine, just ensure that the buck can't be passed. Organisations like to outsource the risk/IT. If my data goes to one company, the end-to-end of that data should mean that a breach downstream is compensated by the company that ingested it.
Re: (Score:2)
Criminals are now emboldened as a result of them paying the ransom? File that under "Duh". The only solution is to make paying the ransom a federal crime. The current approach of appeasement isn't working. Make the money source dry up for the criminals and give organizations only one possible means of protection: improve their security.
Which will work as well as any other "federal crime"... which is to say it won't, as the people it applies to are pretty convinced that the laws don't apply to them as they've a good track record of, well, the law not applying to them.
Government not serious about it (Score:5, Interesting)
This will continue until the executives of these companies are charged with a HIPAA violation FOR EACH PATIENT WHOSE DATA IS COMPROMISED. As long as the executives are not personally charged, they can pass along any fines to their patients (the victims) and it's therefore in the interests of the executives to save money by running crappy vulnerable IT systems. Even with charges for the executives, there would still be a problem: There's a limit to the total size of fine that can be imposed in one year... less than the bonuses many executives get in a year. If the politicians wanted to fix this, they could, but they won't - the healthcare people are some of their "campaign contributors". Ask yourself: why cap the penalties in the legislation, if nobody is expected to violate it, and if any violations are actually going to be considered serious? The cap is because the politicians KNEW their campaign contributors would violate it, and they did not want those contributors to feel any pain, but they wanted the public to think they were taking privacy seriously.
The new proposed legislation mentioned is the usual meaningless drivel to plop out of congress: rather than cracking-down on a sleazy reckless industry, it mandates a few standards, and if those standards are met... you guessed it... it sends bundles of taxpayer money to those healthcare companies (remember: they're "campaign contributors"). If the politicians were SERIOUS, the legislation would offer NO "carrots" and instead provide hyper-draconian penalties - like 50 years at hard labor for any executive or manager at any company that leaks ANY patient/customer private data. People would be shocked at how rapidly this would all end if the folks with the MBA degrees and suits and corner offices had their physical butts on the line, and no golden parachutes were in sight.
Re: (Score:2)
This will continue until the executives of these companies are charged with a HIPAA violation FOR EACH PATIENT WHOSE DATA IS COMPROMISED.
Qualified executives will not accept a job under those terms.
The result will be even more unqualified people running the show.
Re: (Score:2)
If every landlord was forced to live three months of every year in the worst of their tenements, you can guess that they would start requiring a minimum standard of quality for their locations.
Nope. They would stop being landlords. They would remove the tenements from the rental market and sell them as owner-occupied condominiums.
Says the same government regulaters... (Score:1)
MICROS~1 Windows strikes again .. (Score:3)
There really is only one lesson here (Score:1)
And it is: "Do not fuck up your IT security if you depend on your IT". Seriously. Segmentation, 2FA, offline or reliably write-protected backups, established and tested (!) recovery procedures, a capability to run local-only while the attack-path is identified, security-logging to allow the identification of said attack path, capability or established contract for said attack path identification, monitoring and alerting for attack detection and a few more things.
None of that is new. None of that is surprisin
Re: (Score:2)
That this gets downvoted nicely illustrates the problem: Too many fuckups in IT and IT Security that do not even want to do it right. We really need liability and for gross negligence, personal liability.
What the? (Score:2)
Let me understand this: HIPAA requires businesses to hold more personal data than banks and to not share it, but there isn't a white-paper defining best practices and must-not-dos for that task?
The only way that can happen is health-industry advocates wrote the legislation and paid people to vote "yes" to a paper-tiger regulator.