Change Healthcare Cyberattack Causes Unprecedented Disruptions

On Feb. 21, 2024, Change Healthcare, 联合健康集团(UHG)的子公司，也是美国最大的医疗保险账单和支付管理平台之一, experienced a large-scale cyberattack. 这次攻击迫使该公司在数周内关闭了其系统中的100多项服务, affecting millions of health care providers and patients across the country. Due to its magnitude, 网络安全专家认为这次事件是历史上最具破坏性的攻击之一, showcasing the devastating impacts of cyber events in the health care sector. 本文提供了美高美集团4688Change Healthcare网络攻击的更多信息，并提供了帮助组织防止类似事件的指导.

“我们继续在恢复受这次网络攻击影响的服务方面取得重大进展. 我们知道这对卫生保健提供者来说是一个巨大的挑战，我们鼓励任何有需要的人与我们联系.” - Andrew Witty, CEO of UHG 

Cyberattack Overview

The attack began when BlackCat (also known as ALPHV), 一个复杂的网络犯罪组织，实施了几起重大数据泄露事件, infiltrated Change Healthcare’s system. 

Although it’s currently unknown how BlackCat gained this unauthorized access, cybersecurity experts presume it was likely via remote desk protocol (RDP), brute-force techniques or application vulnerabilities. From there, 该网络犯罪组织部署了勒索软件，使Change Healthcare系统中的各种敏感数据和基本操作不可用. BlackCat then demanded the company make a large payment in exchange for restoration.

In response to the attack, Change Healthcare立即中断了超过111项服务，以防止进一步的损害，并联系执法部门寻求额外的补救援助. From Feb. 21-28, the company’s services remained disconnected, ultimately leaving doctors and hospitals unable to bill, manage and issue prescriptions for medical procedures; preventing pharmacies from filling prescriptions; and restricting patients from making health insurance claims and receiving prescribed medications. According to digital health risk assurance firm First Health Advisory, this downtime may have cost health care providers up to $100 million per day.

During this time, several health care organizations, 比如美国医院协会和医疗集团管理协会, 发布了公开声明，强调网络攻击的严重性，并敦促美国采取行动.S. government to get involved in mitigation efforts. Shortly afterward, BlackCat took responsibility for the attack, claiming they compromised more than six terabytes of health care provider, insurance program and patient data, including personally identifiable information.

On March 1, 随着公司向其系统中的医疗保健提供者提供临时资金，Change Healthcare开始显示出复苏的迹象. 

到3月5日，联邦政府宣布介入补救过程.S. 卫生与公众服务部概述了调查该事件的详细计划，并支持卫生保健部门采取多项恢复措施. A few days later, Change Healthcare恢复了与处方索赔提交和支付操作相关的服务. 该公司预计将在3月18日这一周恢复受网络攻击影响的其余服务.

Altogether, the attack contributed to several weeks of considerable operational disruptions, Change Healthcare及其利益相关者面临的财务挑战和医疗保健并发症. Furthermore, 该公司可能因为答应了黑猫的赎金要求而加重了攻击造成的损失. Although Change Healthcare has not confirmed this speculation, 一些网络安全专家报告称，最近一笔2200万美元的比特币交易通过公开可见的加密货币区块链平台进入了黑猫的一个账户，证明该公司支付了赎金.

Prevention Guidance

随着像Change Healthcare网络攻击这样的勒索软件事件变得越来越频繁和昂贵, it’s important for organizations to take steps to prevent similar losses. Here are some ransomware prevention tips for organizations to keep in mind:

• Protect sensitive data. By keeping confidential information secure, 组织可以使网络犯罪分子更难以访问这些数据，并在勒索软件事件中使用这些数据来对付他们. This entails selecting safe locations to store critical information, 建立例行的数据备份协议，实施访问控制策略(如.g., the principle of least privilege and multifactor authentication).  
• Utilize effective security software. 各种安全解决方案可以帮助保护组织的系统免受潜在的勒索软件威胁. These include antivirus software, patch management plans, endpoint detection and response solutions, and email authentication technology.
• Prioritize technical procedures. In addition to security solutions, certain technical procedures may help organizations minimize ransomware risks. This may involve setting up RDP safeguards to limit possible attack avenues, segmenting and segregating different networks to stop the spread of attacks, 并优先考虑报废软件管理，以减少过时技术的攻击风险.
• Educate employees. 因为员工被广泛认为是抵御网络攻击的第一道防线, they should be regularly educated on the latest ransomware threats, detection practices and response methods.
• Have a plan. 网络事件响应计划可帮助组织在攻击发生时迅速采取行动并限制总损失. 组织应将勒索软件攻击场景纳入其网络事件响应计划，并通过桌面演习和渗透测试定期评估这些计划，以确保其有效性.
• Approach ransom demands with caution. The FBI generally advises against complying with ransom demands, 因为没有人能保证网络罪犯会遵守他们的谈判结果, potentially exacerbating overall losses. Further, 支付赎金要求的组织可能更有可能成为未来勒索软件攻击的目标, as cybercriminals will remember their willingness to deliver payments in the past.
• Purchase proper coverage. 组织必须确保足够的网络保险，以保持财务保护，防止勒索软件攻击造成的损失. 组织应咨询保险专业人员，讨论具体的保险需求.

Contact us for additional risk management resources. 

本新闻简报的内容是一般的兴趣，并不打算适用于特定情况. It should not be regarded as legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. © 2024 Zywave, Inc. All rights reserved.