
Change Healthcare Attack: Details Emerge; Breach Will Break a Record

Breach reporting, fraud management and cybercrime, healthcare

Experts are advising the healthcare industry to take steps as UnitedHealth Group cleans up the mess

Marianne Kolbasuk McGee (HealthInfoSec)
April 23, 2024


UnitedHealth Group’s admission that sensitive information for “a substantial portion” of the U.S. population was compromised by the cyberattack on its Change Healthcare unit makes it likely that the incident will become the largest health data breach ever reported in U.S. history, surpassing the 2015 hack of Anthem Inc., which is believed to have affected nearly 79 million people.

Also see: Take an inventory of the security risks of your medical equipment

Change Healthcare says it processes 15 billion transactions annually and “touches” 1 in 3 patients in the US. The latest figures from the US Census Bureau estimate the country’s total population at approximately 336 million.

Based on UHG’s statement on Monday, “we expect there will be a very large notification population, a population that could potentially dwarf the number of individuals notified of the Anthem breach,” one that could involve many tens of millions of people, said attorney Sara Goldstein of law firm BakerHostetler (see: UnitedHealth Group Previews Massive Change Healthcare Breach).

Healthcare industry organizations should monitor UnitedHealth Group’s official breach reports to regulators – as they happen – and especially keep a close eye on the company’s notifications to affected entities, she advised.

“Covered entities must continue to exercise reasonable care consistent with their requirements under HIPAA,” she said (see: Feds Release Guide for Change Healthcare Breach Reporting).

Reasonable due diligence for entities includes staying abreast of the latest developments at Change Healthcare and monitoring for updates from their internal IT teams or third-party cybersecurity firms about any of their patients’ protected health information that may have been posted online, she said.

“Contact your Change Healthcare account representative for information specific to your organization. Covered entities should also document and update their HIPAA risk assessment files as new developments emerge,” she said.

Dave Bailey, vice president at security and privacy consultancy Clearwater, agrees that organizations potentially affected by the Change Healthcare breach should be proactive.

“Organizations have a responsibility to conduct a risk assessment to determine whether data was compromised by this incident and to comply with regulatory reporting requirements on the breach of protected health information,” he said. “Based on everything that is known, that clock has started.”

UnitedHealth Group also reportedly confirmed to TechCrunch on Monday that it had paid attackers a ransom, but did not say how much or to which cybercriminal gangs.

An affiliate of the ransomware group BlackCat, also known as Alphv, which claimed to be behind the February attack, has said that UnitedHealth Group paid BlackCat a $22 million ransom, but that the affiliate was cheated out of its share of the payment. Last week, another group, RansomHub, began leaking files allegedly stolen by the BlackCat affiliate, claiming that 4 terabytes of data were exfiltrated in the attack.

That RansomHub listing was removed from the dark web, fueling speculation that UnitedHealth Group may have paid a second ransom.

UnitedHealth Group acknowledged in its statement Monday that 22 screenshots, allegedly from exfiltrated files, some of which contained PHI and PII, were posted to the dark web by a malicious threat actor over approximately a week. “No further disclosure of PHI or PII has occurred at this time,” the company said.

UnitedHealth Group did not immediately respond to Information Security Media Group’s request for comment.

Attack details emerge slowly

Meanwhile, details about the attack are emerging very slowly, providing insights for other entities in the healthcare industry facing similar threats.

That includes Monday’s reporting by the Wall Street Journal that hackers gained access to Change Healthcare’s network nine days before the ransomware was launched, and that compromised credentials for an application that allowed staff to remotely access systems were the entry point.

The attackers’ tactics come as no surprise, Bailey said. “All threat indicators identify an adversary who is financially motivated, who will target an organization to steal credentials, exploit vulnerabilities and operate stealthily in search of data to exfiltrate and extort,” he said.

“Initial access is often the result of credential stuffing or phishing attacks that use trusted paths to exploit coarse-grained, transparent, and disconnected data protection systems,” said Anthony Cammarano, vice president of security, privacy and strategy at security firm Protegrity.

Credential compromise has recently emerged as the leading and preferred compromise path for attackers, replacing zero-day vulnerabilities, he said.

“This is often the path of least resistance due to the transparent and trusted nature of our existing credentials. It is significantly difficult, if not impossible, for organizations to cover every weak point and attack surface, as well as every trusted user. This creates an opening for an adversary to exploit.”

Meanwhile, remote access applications have been particularly effective at giving attackers initial access to a victim’s network – and the average time before initial detection is usually closer to 100 days, says Mike Hamilton, founder and CISO of security company Critical Insight.

“Change detected the breach much faster, but the continued stories of other organizations being compromised using remote access tools should have been an opportunity for tighter controls around credential management, multi-factor authentication, system patching and monitoring for aberrational events.”

The remote access product used to get into Change Healthcare’s environment was likely Remote Desktop Protocol, a tool server administrators use to manage servers remotely and for which the threat group would have obtained administrator-level credentials, and/or STM, or scheduled task management, a tool that server administrators use to maintain servers and schedule required tasks such as updates, surmises Steve Hahn, executive vice president of security firm BullWall.

“Often, 95% of the time, attackers use RDP to remotely access every server in the company, so they can do almost anything they want, undetected. RDP can be protected by MFA, so companies think they are safe,” he said. But when STM is used by the criminals, it becomes a way to plan a series of events that lead to the actual encryption, he said.

Hackers sometimes use the tool to schedule the launch of the latest ransomware event during hours when a hospital has the fewest IT staff, such as the middle of the night during a holiday, he said.

“This attack chain is so simple and so effective that companies simply have no hope of stopping it,” he said. “On the dark web, I’ve seen criminal groups jokingly calling RDP the ‘Ransomware Deployment Protocol’.”
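Turning the RDP-plus-scheduled-task tradecraft Hahn describes into something a SOC could actually check: the following is an added example, not code from this article or from any firm quoted in it. It correlates RDP logons (Windows Security event 4624 with logon type 10, RemoteInteractive) with scheduled-task creation (event 4698) and scores each new task on whether it was created by an account with a live RDP session, whether its first run is scheduled for off-hours or a weekend, and whether it executes from a user-writable directory. The event records, the business-hours window and the suspicious-path list are constructed assumptions; the one thing taken from the real format is that 4698 carries the task definition as XML in its TaskContent field, which is what the parser reads.

```python
"""Correlate RDP logons with scheduled-task creation and grade the tasks.

Added example for illustration; not the article's or any vendor's code.
Event records below are constructed, simplified renderings of Windows
Security events 4624 (logon) and 4698 (scheduled task created).
"""
from datetime import datetime, time
import xml.etree.ElementTree as ET

# Hypothetical site business hours; tune per organization (assumption).
BUSINESS_START = time(6, 0)
BUSINESS_END = time(20, 0)
# Path fragments a legitimate admin task would rarely run from (assumption).
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
# Namespace of the Task Scheduler XML embedded in 4698 TaskContent.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_fields(task_xml):
    """Return (first StartBoundary as datetime or None, first Exec Command) from task XML."""
    root = ET.fromstring(task_xml)
    start = root.find(".//t:StartBoundary", TASK_NS)
    cmd = root.find(".//t:Exec/t:Command", TASK_NS)
    start_dt = datetime.fromisoformat(start.text) if start is not None else None
    return start_dt, (cmd.text if cmd is not None else "")


def is_off_hours(dt):
    """True when dt falls on a weekend or outside the business-hours window."""
    if dt is None:
        return False
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.time() < BUSINESS_END)


def analyze(events):
    """Walk time-ordered events; return (severity, reasons, task_name) for suspicious 4698s."""
    rdp_users = {}  # account -> source IP of its most recent RDP (type 10) logon
    findings = []
    for ev in events:
        if ev["EventID"] == 4624 and ev.get("LogonType") == 10:
            rdp_users[ev["TargetUserName"].lower()] = ev.get("IpAddress", "")
        elif ev["EventID"] == 4698:
            user = ev["SubjectUserName"].lower()
            start, command = task_fields(ev["TaskContent"])
            reasons = []
            if user in rdp_users:
                reasons.append(f"created during RDP session from {rdp_users[user]}")
            if is_off_hours(start):
                reasons.append(f"first run scheduled off-hours at {start.isoformat()}")
            if any(frag in command.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
                reasons.append(f"command runs from user-writable path: {command}")
            if reasons:
                severity = ("low", "medium", "high")[len(reasons) - 1]
                findings.append((severity, "; ".join(reasons), ev["TaskName"]))
    return findings


def make_task_xml(start, command):
    """Build a minimal Task Scheduler XML body (constructed sample data)."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger><StartBoundary>{start}</StartBoundary></TimeTrigger></Triggers>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
    )


# Constructed sample telemetry, not real events from any incident.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10,
     "IpAddress": "10.20.30.40", "TimeCreated": "2024-03-04T14:02:11"},
    # Task staged from an RDP session, firing at 02:30 on a Sunday from ProgramData.
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": "\\Microsoft\\Windows\\Update\\SysCheck",
     "TaskContent": make_task_xml("2024-03-10T02:30:00", "C:\\ProgramData\\sys\\update.exe"),
     "TimeCreated": "2024-03-04T14:05:48"},
    # Routine in-hours admin task from Program Files, no RDP session: not flagged.
    {"EventID": 4698, "SubjectUserName": "adm_jsmith", "TaskName": "\\Nightly\\LogRotate",
     "TaskContent": make_task_xml("2024-03-05T09:00:00", "C:\\Program Files\\Ops\\logrotate.exe"),
     "TimeCreated": "2024-03-04T16:10:00"},
    # In-hours, no RDP, but runs from Windows\Temp: low-severity note.
    {"EventID": 4698, "SubjectUserName": "adm_jsmith", "TaskName": "\\Maint\\Cleanup",
     "TaskContent": make_task_xml("2024-03-05T10:00:00", "C:\\Windows\\Temp\\clean.bat"),
     "TimeCreated": "2024-03-04T16:12:00"},
]

if __name__ == "__main__":
    for severity, reasons, name in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {name}: {reasons}")
```

Run against the constructed sample, the staged SysCheck task scores high on all three signals, the LogRotate task is silent, and the Temp-based cleanup gets a low-severity note; in production the same three checks would be fed from a SIEM query over 4624 and 4698 rather than an inline list.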

Shortly after UnitedHealth Group publicly announced on February 21 that its Change Healthcare unit had suffered a cyberattack, some experts speculated that the incident may have involved exploitation of vulnerabilities in the ConnectWise ScreenConnect application (see: Change Healthcare Attack Affects Military Pharmacies Worldwide).

ConnectWise has said that no connection has been made between the Change Healthcare hack and a possible exploitation of ScreenConnect flaws. UnitedHealth Group has not yet publicly commented on this.

Now speculation about a possible ConnectWise connection is resurfacing. “The ConnectWise remote access product was reportedly compromised using credentials that were either exposed in another data breach and used on multiple systems, or obtained through credential stuffing,” Hamilton said.

“Notably, the ConnectWise product was also vulnerable to exploitation at the time and it is not clear that the server was patched, leading to some uncertainty in the initial access vector,” he said.

“Careful management of credentials, use of multi-factor authentication and proper vulnerability management are all essential to avoiding this specific attack type,” Hamilton said.

“Importantly, when a vulnerability is announced and a patch is issued for an Internet-facing product, the mitigation of the vulnerability should be treated as an incident and prioritized accordingly,” he said.

Furthermore, proper monitoring of the network, endpoints and cloud properties – combined with effective incident response – is the best way to limit the impact of the event and shorten the time to discovery of the compromise, he said.