Bloomberg | Bloomberg | Getty Images
The ransomware attack on UnitedHealth’s Change Healthcare subsidiary last month not only brought to light how attractive the data-rich U.S. health-care industry is to hackers and how devastating the consequences for patients and doctors, but also how sophisticated cyber criminals are becoming when targeting vulnerable sectors.
The breach, which took place more than three weeks ago, prompted the U.S. Department of Health and Human Services this week to launch an investigation into UnitedHealth. In a statement, the HHS Office for Civil Rights said it’s investigating the cyberattack due to its “unprecedented magnitude.”
Change Healthcare is the largest clearinghouse for insurance billing and payments in the U.S.
Since the February 21 attack, the thousands of doctors, hospitals and other health providers that depend on Change Healthcare for billing reimbursements have not been paid as the company works to bring its systems back online.
UnitedHealth told CNBC in a statement that it will cooperate with the investigation from the OCR. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” the company said. “We are working with law enforcement to investigate the extent of impacted data.”
The breach, no doubt, is a nightmare for health providers who claim they are running out of cash to run their practices as they wait for Change Healthcare payments, as well as for consumers who are seeing delays in getting prescriptions filled or procedures approved.
But it also underscores a much bigger problem: the vulnerability of the entire U.S. health-care sector.
Going after companies that will pay
Sumedh Thakar, CEO of cybersecurity company Qualys, said while the digitization of the U.S. health-care system has moved patient care forward, it’s also amplified the need for better understanding and protection against every new cyber threat.
“Why are hackers going after health care? Because they are looking at organizations that are most likely to be scared and therefore will pay,” he said.
The reason for that is because the data is so valuable. Cybersecurity researcher Jeremiah Fowler said on the dark web, medical records sell for $60 compared to $15 for a Social Security number and $3 for a credit card. Compounding that is the fact that there’s a chronic shortage of staffing, and as the Change Healthcare uproar has shown, there’s tremendous pressure to restore access quickly.
“Health-care data being exposed is a lot worse than most other data and the bad guys know this,” Thakar said.
Complicating the equation is the fact that many cyber criminals are now operating much like the businesses they’re going after, including Blackcat, the group claiming responsibility for the Change Healthcare hack. Far from rag-tag gangs in basements, these “ransomware-as-a-service” groups “operate on an affiliate model where the operational work is done by an extended network of threat actors,” explained Nicole Eagan, chief strategy and AI officer at cybersecurity firm Darktrace.
Typically, she said, this involves a core group of developers who sell or rent their “RaaS” tools to affiliate operators who then exploit companies. Often, affiliates receive a percentage of the ransom paid by the victim.
Ransomware-as-a-service
The fact that this ‘as-a-service’ model has increased in popularity over the last few years, compared to more traditional single-strain ransomware models, Eagan said, lowers the barrier for entry for bad guys and enables them to target vulnerable sectors like health care without having to develop their own ransomware.
The growth in this marketplace also means bad guys don’t have to depend only on ransomware payments to make money. They’re using “subscription models to return revenue for their ransomware development and deployment, Eagan said.
This development is likely to lead to more sophisticated and advanced extortion methods. For example, rather than relying solely on encrypting a company’s data for ransom, Eagan said she expects hackers will employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.
With so much going on, Thakar said the cybersecurity landscape continues to be a cat and mouse game: “Companies come up with a better way to defend, the bad guys figure out another way to go after businesses.”
Ultimately, security leaders must figure out if the money they’re spending on cybersecurity tools and solutions is truly bringing their risk levels down. “Whether it’s in health care or any other sector, that’s what security leaders need to explain to the board and their CFO,” he said.
Fowler said a shift in thinking is needed for health-care executives looking at an ever-increasing threat landscape. “I would tell a health-care leader ‘Your primary focus is on providing the best care and service to patients and customers, but your data is equally as valuable as the service you’re providing. Invest in protecting it the best you can.'”