2 Minute Drill: Unraveling the Change Healthcare Cyber Crisis: A Deep Dive
Episode 9 • 1st March 2024 • This Week Health: News • This Week Health


  Hi, I'm Drex, and I'm going to get into a lot of stuff today, and I'm definitely running over my two and a half minutes. So maybe this is a lightweight version of Unhack the Podcast, or maybe it's an overweight version of the two and a half minute drill. Either way, let's get into it. My voice was shot yesterday after the trip to Vive.

So I'm just getting this out today. Sorry for the delay. The VIVE conference was really interesting because if AI was Cinderella as a topic at this year's VIVE, then Change Healthcare and the cyber attack was her evil stepsister. And I'm not sure which one of them was talked about more. Let me start off this whole thing with a story.

Last year, the FBI, in coordination with other law enforcement agencies, severely disrupted a ransomware gang's server and operational infrastructure, for a time shutting them down and sending their ransomware as a service operation into chaos. Now, ransomware as a service is a pretty innovative business model that's been developed by cyber thugs to allow other less experienced cyber thugs to get in on the very lucrative business of ransomware without all the overhead and experience that's usually necessary.

Essentially, lowering the barrier to entry. This ransomware gang named ALPHV, or BlackCat, suffered other severe damage during that FBI attack, including an outage of their data leak site. That's the place where they post the data they've stolen, often offering it to the highest bidder. So think of it kind of as eBay for data they've ripped off from your organization.

And BlackCat not only lost the data leak site, the FBI also grabbed a bunch of decryption keys in the takedown, almost a thousand of them, which allow the FBI and other agencies to help victims of BlackCat ransomware unlock their files without paying the ransom. And then they poked the ransomware gang in the eye a little bit more by taking over their website and posting law enforcement logos and declaring this website has been seized.

As you can imagine, the effect of the takedown was pretty significant. Besides the loss of encryption keys, BlackCat's ransomware as a service affiliate started contacting victims directly, cutting BlackCat out of the process because they felt like they couldn't trust that service provider anymore.

Within a few days, the anger at BlackCat boiled over, and they took back their site, and they re-established their data leak operation, because, obviously, they had a business continuity and incident response plan. And that's another thing about these ransomware gangs, if I can just take an aside for a few seconds here.

To call them gangs might make it feel like they're not well organized, or that they're just a bunch of kids in a garage somewhere causing chaos. But nothing could really be further from the truth. These e-crime syndicates, probably a better reference than gangs, these e-crime syndicates are organized a lot like traditional companies.

They have CEOs and CFOs. They have innovation teams and business development leaders to help them manage the large number of relationships they have to coordinate. They have employee of the month programs. And bonus programs. And the best negotiators in the world. They probably know your cyber insurance company and your policy structure better than you do.

And they might even have experience already with the law enforcement folks you called for help. They also have some of the best help desks in the world because you are the client. And by the way, they even call you that internally because you are the client. And while it's unfortunate that you've had your data encrypted, it's very important for them to help you get that Bitcoin payment done.

Um, they'll answer any questions, they'll help however they can so that you, the client, can get the encryption keys that you need to decrypt your files and get back to work. So never think that the people attacking you don't know what they're doing. They're likely way better funded, and way more skilled, and seriously organized, and clearly highly motivated to be in the e-crime business.

You're an ATM to them, and that's all you are. They don't care about you, or patients, or families. So now, back to the angry BlackCat part of the story. After the takedown, BlackCat was so incensed, they pointedly called out hospitals as a preferred target for them and their ransomware as a service affiliates.

They've been a key part of the surge of attacks on healthcare. And that's been going on for a while now, including some really despicable acts, like publishing stolen photos of breast cancer patients. And so, how does all this tie back to the Change Healthcare cyber event? Well, we're a week plus into this. I think it might be fair at this point to call it a crisis.

Uh, health systems, pharmacies, medical groups, other healthcare organizations, all have been disrupted nationwide. And for CIOs and CISOs I've met with over the last week, they tell me it's like nothing they've ever seen. I've also heard it described this week like this: the Change Healthcare cyber event is healthcare's version of the Colonial Pipeline breach.

On Wednesday, BlackCat claimed on its website that it was responsible for the Change Healthcare event and that it has stolen over 6 terabytes of data that includes material from every Change Healthcare customer, including Tricare, Medicare, CVS Caremark, and a score of others. In a nutshell, BlackCat found the one right domino to tip over to create chaos across the entire healthcare industry.

And I'm speculating here, but this may wind up being one of the largest and most costly cyber disruptions in the history of the industry. Maybe the country. And it's not over yet. Change has filed an 8-K with the Securities and Exchange Commission that they've had a material breach, and they recently acknowledged that ALPHV, BlackCat, was the adversary involved.

And my bet is there are lessons we'll learn from this incident for years. But first we have to get out of the current situation. So over the next days, weeks, and months, I'll talk a lot about the challenges in healthcare cybersecurity. And this weekend, I'll get specific on some of the things we need to do together to make progress on an improved cyber posture.

And it's not all about spending money, although we're going to have to figure out some issues on the budgets. Uh, I'll talk about priority patching, execs flying top cover for their security teams, simplification of the entire environment, business continuity, incident response, of course third party risk management, and the simple fact that most organizations don't really know where they have personal health information stored on their network.

And that's critical in this whole scenario. Some of the stuff I'll tell you may be considered hyper opinionated or even contrarian, but for those of you who know me, return FHIR is always welcome. I've been a healthcare exec for 30 years. I love a good conversation. Also on this weekend's special show, I'll talk about some of the stuff that, out of context, uh, won't seem like it has anything to do with cybersecurity.

Stuff like Maslow's Hierarchy of Needs and physician and nurse licenses. Again, more this weekend. Look for another special edition of Unhack's Two and a Half Minute Drill in Overtime. Yeah, thanks for listening. Like and share this message and tag folks you want to hear this story. Uh, I try to do these as a mostly plain English, mostly non-technical discussion on cybersecurity challenges, so it's fine to share with your peers and leaders and teams.

They need to know what's going on too. I'm Drex. That's it for today. Stay a little paranoid. I'll see you around campus.