Change Healthcare Cyber-Attack Leads to Prescription Delays

Summary:

Health tech firm Change Healthcare was hit with a cyberattack on February 21, 2024, leading to a disruption of a number of its systems and services. According to Change Healthcare, numerous applications across areas such as pharmacy, medical records, dental, payment services, and patient engagement are still experiencing connectivity issues. In particular, pharmacies have reported being unable to process patient prescriptions, preventing individuals from getting their medications on time. The health firm notes that it is currently working towards resolving the issue. In the meantime, the firm has disconnected its systems to prevent further impact.

Security Officer Comments:
It’s currently unclear what type of attack was launched and whether any data was stolen. Because Change Healthcare processes billions of patient transactions annually, the firm is a prime target for actors like ransomware groups who are looking to seize patients' PII. With access to such data, the actors can threaten to publish the details if a ransom is not paid. Other cybercriminals could also purchase the data to launch targeted phishing and social engineering attacks.

Suggested Corrections:

The American Hospital Association recommends:

  • Organizations should use this opportunity to test the security, redundancy and resiliency of their network and data backups, ensuring they remain offline. AHA recommends backup technology which renders the backups “immutable” — unable to be deleted, altered or encrypted.
  • Ensure that all high criticality, known and exploited vulnerabilities have been patched, especially any which are internet facing.
  • Review and test cyber incident response plans, ensure they are well coordinated and integrated with emergency management plans. Test callout for activation of incident command structure and backup communications plans should email and VoIP communications fail.
  • Review business and clinical continuity downtime procedures to ensure mission critical and life critical functions could sustain a loss of information, operational and medical technology for up to 30 days.
  • Consider designating clinical downtime “coaches” and “safety officers” for each shift. These would be individuals who are experienced and adept at working with downtime, manual procedures should there be a loss of access to the EMR and other medical technology, and who could guide and lead other less experienced staff in the implementation of downtime procedures to ensure continuation of safe and quality care.
  • Increase threat hunting and monitoring tools and techniques. Although no specific threat actor has been identified, the joint government agency advisory regarding “living off the land” cyber technique serves as a good general guide.