Resiliency is more than just technology

Lessons from the Change Healthcare ransomware attack

Jeff Kaiserman
Slalom Business
6 min read · May 31, 2024


By Jeff Kaiserman and Bryan Kissel

Verizon’s annual Data Breach Investigations Report (DBIR) offers extensive information on cyber incidents and data breaches worldwide. It is always an interesting yet alarming read. In 2023, ransomware made up 15.5% of the actions associated with a change in information confidentiality, integrity, or availability (an incident) and 24% of the actions associated with public disclosure of information (a breach).

Ransomware and extortion breaches over time (Source: Verizon 2024 DBIR)

According to the DBIR, ransomware dropped slightly this year while extortion attacks increased significantly. This was largely attributed to the tactics used during the MOVEit breach, though Verizon believes there is enough distinction that it will continue to track ransomware and extortion as separate but related attacks. Ransomware continues to cause outages and financial impact, as became all too clear during the attack against Change Healthcare and subsequent attacks against other healthcare companies.

The interconnectedness of industry systems makes this a risk that all industries face. Healthcare had the light shone on it during the Change Healthcare incident, but similar issues exist in financial services, retail, and manufacturing.

This trend requires an approach that goes beyond high availability architecture, business continuity planning, and disaster recovery. Resiliency is that new approach.

Change Healthcare recap

On February 21, 2024, Change Healthcare suffered a devastating cyberattack orchestrated by the BlackCat/ALPHV ransomware group, which demanded a ransom for the restoration of services. The ransomware encrypted data on Change Healthcare’s systems, rendering critical operations inaccessible. While Change Healthcare has not confirmed paying the alleged $22 million ransom, security researchers suggest otherwise, and services were fully restored by mid-March. The attack highlights the vulnerabilities in the healthcare sector, affecting millions of Americans who rely on Change Healthcare’s services.

Change Healthcare, a healthcare technology company acquired by UnitedHealth Group (UHG) in 2022, offers various services, including payment and revenue cycle management and clinical decision support. The company processes 15 billion claims annually, totaling over $1.5 trillion, making it a vital component of the healthcare infrastructure in the US. The attack, executed by gaining unauthorized access to Change Healthcare’s network, disrupted critical operations such as claims processing and eligibility checks, affecting patient care services, hospital finances, and revenue cycle management.

  • February 21: Cyberattack is underway; Change Healthcare decides to take systems offline
  • February 26: American Hospital Association informs the Department of Health and Human Services (HHS) of the perceived impact of the Change Healthcare breach
  • February 28: The Medical Group Management Association petitions HHS to step in on mitigation planning
  • March 1: 250 Bitcoin ransom demand is paid
  • March 20: Business critical systems and operations restored

In summary, there were 25 days where the full system was down, plus a $22 million Bitcoin payment. It’s impossible to accurately predict the true impact of this event, but we do have some indicators that put estimated costs in the billions of dollars:

  • Critical services were disrupted, reverberating across healthcare services, claims processing, eligibility verifications, prescription clearing, and patient care delivery. This was by far the most significant instance of collateral damage.
  • Financial implications for providers and networks are a close second. Facilities were unable to provide and bill for services, process payroll, or maintain logistics, having an immediate and significant financial impact on the affected organizations.
  • UHG initiated a Temporary Funding Assistance Program to provide short-term financial support to impacted organizations. We don’t have numbers on the cost of this program.
  • Reverting to analog administration and pen-and-paper operations was another significant setback for impacted organizations.

In addition to the immediate costs, there is the possibility of lawsuits, civil penalties, and regulatory compliance fines related to the scope of the breach—plus, toss in two years of identity theft protection services for each data subject compromised during the event.

It’s also important not to forget about the customer impact. In the short term, there was an obvious impact on access to medication and uncertainty on the associated costs. In the long term, there are questions concerning the continuity of care and the stability of the environment. Customers want to know if their care environment will recover and, if so, what the long-term impacts will be.

The cyberattack prompted swift responses from industry organizations and the federal government, with assistance programs and guidance issued to impacted providers. UHG established a Temporary Funding Assistance Program to aid affected healthcare providers while federal agencies collaborated to provide threat intelligence and support. The incident underscores the importance of robust resiliency measures and contingency plans for healthcare organizations, emphasizing the need for highly secure data practices and proactive business continuity planning.

Resiliency

Resiliency goes beyond traditional solutions like high availability and disaster recovery.

  • High availability (HA) aims to allow systems to function when a subset of the underlying components fail. These components are typically servers, databases, APIs, or other technical components.
  • Disaster recovery (DR) provides a recovery environment to be used in the case of a disruption to information technology capabilities. Disruptions could include the loss of a data center or a significant portion of computing resources, network failures, or ransomware, for example. DR acknowledges that a loss of business function will occur, as agreed to through the “return to operations” metric. Note that in the case of ransomware, DR is only effective if unencrypted and uninfected backups can be found and the malware has been contained.

Resiliency focuses on business processes rather than information technology capabilities or system components. In this sense, resiliency aligns with business continuity (BC). The difference is in the goal: the goal of BC is to recover, whereas the goal of resiliency is the continued functionality of the process.

With the interconnectedness of the systems mentioned earlier, it is important to consider resiliency from two perspectives. Internal resiliency addresses the continued functionality of internal processes, while external resiliency addresses the continued functionality of external upstream or downstream digital supply chain services. It has been my experience that internal resiliency is better understood than external, although recent events would make it seem that external resiliency can have a broader impact.

What does “continued functionality of the process” mean? Continued functionality means that, despite adversity, critical internal and external business processes continue to function for as long as possible. While there are many ways to go about this, there are core questions to consider.

For internal processes:

  • Are there subprocesses that can be supported by technology other than what is normally used?
  • Are there manual subprocesses that can be used?
  • Are there people who can be shifted to the subprocesses to help with the backlog?
  • Are there subprocesses that can be skipped?

For external processes:

  • Is there another provider that can be leveraged, and does the technology allow you to switch providers easily?
  • Are there manual processes ready to go if another provider can’t be leveraged?
  • Do communication plans exist for customers who may contact you?

What happens next?

The roadmap to resiliency starts with an understanding of your critical business functions and the upstream and downstream dependencies that support those functions. It is essential to have a clear picture of the current state of these functions and then develop a roadmap to improve their resiliency.

Resiliency and high availability/disaster recovery are different, and both are critical to success. Resiliency without HA/DR means accepting that large portions of the organization will function at reduced capacity during the outage and that outages will last longer than necessary. HA/DR without resiliency means accepting that key business functions are unavailable from the time the systems are affected until they have been restored. Only both offer a complete solution.

We believe that practice is critical to resilience. Organizations should employ varying levels of simulations or tabletop exercises. A plan looks great on paper, but practicing is what makes the plan workable.

Finally, resiliency requires a change in the cultural mindset. At any given moment, people may be called on to switch to new tasks that aren’t part of their normal day-to-day workloads. This requires support in organizational change and talent service.

Slalom is a next-generation professional services company creating value at the intersection of business, technology, and humanity. Learn more and reach out today.
