Cyber professionals criticize Change Healthcare's prolonged recovery following a data breach incident
Healthcare Disruptions Persist as Change Healthcare Recovery Stalls
The slow recovery from the ransomware attack on Change Healthcare, a major healthcare claims clearinghouse, is causing nationwide disruption and concern. The outage, which has lasted several months, has severely impacted providers' ability to submit claims and maintain financial stability.
The prolonged downtime can be attributed to several factors. The complexity and scale of the affected systems, the sophistication of the ransomware attack, the requirement to avoid paying ransom, and the need for comprehensive cybersecurity measures and compliance all contribute to the extended recovery period.
Change Healthcare’s systems are critical to numerous healthcare providers for claims processing. Restoring such widespread, interconnected infrastructure can be highly complex and time-consuming. Moreover, modern ransomware attacks often involve encryption of critical data and may include data theft, requiring thorough incident response and forensic investigation before restoration to ensure systems are clean and secure.
Some organizations choose not to pay ransoms, opting instead for a full recovery through backups and clean room restoration, which can take longer than a quick ransom payment. Organizations must also follow frameworks such as NIST and integrate Minimum Viable Business (MVB) or Minimum Viable Company (MVC) states into recovery planning. Achieving these resilience goals can add to the recovery timeline, reflecting best practices rather than shortcuts.
Manual work and infrastructure rebuilds, sometimes requiring external support, can also extend downtime. As in other major cyberattacks, recovery may mean falling back on manual processes (like pen and paper) while infrastructure is rebuilt.
Cybersecurity experts are criticizing the ongoing recovery as evidence of deficiencies in Change's backup procedures and preparation to respond to cyberattacks. UnitedHealth Group, Change's parent company, is testing and reestablishing connectivity to its claims network.
Andrew Witty, CEO of UnitedHealth Group, stated that they are making significant progress in restoring the services impacted by the cyberattack. However, more than 110 services spanning Change Healthcare's IT infrastructure are still offline, and about 20 services have resumed operations as of Thursday afternoon.
The concern stems from both the critical role of Change Healthcare in the healthcare ecosystem and the multifaceted challenges—technical, operational, and financial—that prolong downtime following a sophisticated ransomware attack. This combination can cause severe disruptions to essential services and financial liabilities for providers.
Brett Callow, threat analyst at Emsisoft, stated that a critical service should have a worst-case recovery time of less than four weeks. Given the seemingly large scope of the attack on Change, rebuilding their infrastructure from the ground up could be necessary.
- The prolonged recovery of Change Healthcare following a ransomware attack highlights the critical need for robust incident response planning and comprehensive cybersecurity measures.
- The ransomware attack on Change Healthcare, a major healthcare claims clearinghouse, has not only caused nationwide disruption but also underscores the threat malware poses to sensitive data and privacy in the healthcare sector.
- As the recovery from the attack on Change Healthcare continues, there is a growing emphasis on thorough data breach investigations and on ensuring the security of restored systems to prevent future incidents.
- The ongoing difficulty of restoring Change Healthcare's large, interconnected systems demonstrates the importance of integrating cybersecurity best practices and following frameworks such as NIST when planning recovery to a Minimum Viable Business (MVB) or Minimum Viable Company (MVC) state.