Written by: Ferhat Dikbiyik
Additional Contributions: Yavuz Han and Ekrem Celik

In this week’s edition of Focus Friday, we spotlight the significant cybersecurity incident at Change Healthcare, a pivotal event that has highlighted the criticality of Third-Party Risk Management (TPRM) in the healthcare sector. The breach not only underlines the vulnerabilities inherent in the healthcare industry’s interconnected systems but also emphasizes the importance of a proactive and informed TPRM strategy. With Change Healthcare’s extensive reach across numerous healthcare entities, this breach serves as a reminder of the potential for widespread impact. Through the TPRM lens, we will explore the implications of this incident and demonstrate how Black Kite’s Focus Tags™ can be instrumental in navigating the challenges it presents, ensuring a robust cybersecurity posture to safeguard against similar incidents.

What happened?

In the wake of the cybersecurity incident impacting Change Healthcare, a comprehensive response was initiated to address the ramifications of the ransomware attack orchestrated by the BlackCat/ALPHV gang. The breach, disclosed on Feb 21, 2024, reportedly led to the unauthorized access and potential theft of approximately 6TB of data, including highly sensitive medical, insurance, and payment information pertaining to millions of individuals.

UnitedHealth Group’s Response

UnitedHealth Group, the parent company of Change Healthcare, undertook immediate actions to mitigate the impact of the breach and restore the integrity of its services. Upon discovering the cyberattack on February 21, UnitedHealth Group promptly filed an SEC disclosure highlighting the incident’s severity. Recognizing the critical nature of the services provided by Change Healthcare, UnitedHealth Group stated that they have been diligently working to restore operations, albeit acknowledging that some services might face disruptions for an extended period. The company worked closely with pharmacies and healthcare providers to ensure that patients continued to receive necessary care despite the disruptions caused by the cyberattack.

The attack, attributed to the notorious ransomware group BlackCat, led to significant operational challenges, particularly in processing healthcare claims and verifying insurance eligibility. UnitedHealth Group responded by disconnecting Change Healthcare’s systems to contain the breach and prevent further damage.

In response to the incident and its associated challenges, UnitedHealth Group and Change Healthcare have been proactive in addressing the breach’s fallout. Efforts to communicate transparently with affected parties, reinforce cybersecurity measures, and restore disrupted services are ongoing, with a focus on safeguarding sensitive data and preventing similar incidents in the future.

Were there any indicators before the attack?

Prior to the incident, the Black Kite platform had detected vulnerabilities within Change Healthcare’s systems, including issues with patch management and potential critical vulnerabilities in their Citrix servers. These vulnerabilities were known to be exploited by ransomware groups like AlphV and Lockbit. Additionally, there were signs of leaked credentials that could be subjected to credential stuffing attacks, indicating a heightened risk level. The Ransomware Susceptibility Index (RSI) for Change Healthcare had also shown a spike, signaling an increased risk of ransomware attacks.

Is AlphV/BlackCat more reckless?

The ransomware attack on Change Healthcare, attributed to the notorious BlackCat ransomware group, also known by its alternative name ALPHV, highlights the sophisticated and dynamic threat landscape that organizations face today. The Black Kite Research and Intelligence Team (BRITE) keeps a vigilant eye on the activities of groups like ALPHV/BlackCat, understanding their tactics, techniques, and procedures (TTPs) to better inform and protect their clients.

In an interesting turn of events, law enforcement agencies managed to seize ALPHV/BlackCat’s dark web blog in December 2023, a significant blow to the group’s operations. However, the resilience of these cybercriminal networks is not to be underestimated. ALPHV/BlackCat quickly bounced back from this setback with the aid of Lockbit, a rival ransomware operator. This alliance or cooperation between ransomware groups underscores the adaptive and collaborative nature of the cybercrime ecosystem. Despite a temporary disruption, the group’s pace of announcing new victims has not reached its previous peak levels. Yet, a noticeable shift in their operational behavior suggests a more reckless approach, possibly driven by a motive of revenge. The group has increasingly targeted critical infrastructures, energy companies, pipelines, and the healthcare sector more aggressively since their operational disruption.

This evolution in ALPHV/BlackCat’s targeting strategy poses a significant threat to sectors that are foundational to societal well-being and security. Their focus on critical infrastructure and healthcare, in particular, not only aims to maximize the impact of their attacks but also indicates a strategic choice to disrupt services and systems that are essential for everyday life. Such actions not only result in financial losses but can also have dire consequences on public health and safety.

The insights provided by the BRITE team about ALPHV/BlackCat’s post-disruption activities shed light on the importance of continuous monitoring and intelligence gathering in the fight against cybercrime. Organizations, especially those within critical sectors, must stay ahead of these threats through proactive cybersecurity measures, robust incident response plans, and fostering collaboration with cybersecurity communities and law enforcement agencies.

Why should TPRM Professionals be Concerned?

The recent breach at Change Healthcare underscores a critical vulnerability in the healthcare sector: the technological concentration risk. Change Healthcare, as a pivotal node in the healthcare information ecosystem, processes a vast amount of sensitive data spanning medical records, insurance details, and payment information across a wide range of healthcare entities. This central role means that a breach of its systems doesn’t merely impact its direct partners but has far-reaching implications across the entire sector.

For Third-Party Risk Management (TPRM) professionals, particularly those within the healthcare industry, this incident serves as a clarion call to reassess and fortify their cybersecurity posture. It’s imperative for these professionals to evaluate their, or their vendors’, direct or indirect reliance on Change Healthcare’s services to understand the full scope of potential exposure. This incident vividly illustrates the ripple effects that can emanate from the compromise of a single, central service provider, affecting countless entities that might not have a direct relationship with the breached entity but are nonetheless impacted due to the interconnected nature of today’s digital ecosystems.

Moreover, this breach highlights the critical need for a more nuanced approach to vendor risk management. It’s not enough to simply assess direct relationships; TPRM professionals must map and understand the entire supply chain of their data flows and service dependencies. This includes identifying and mitigating risks associated with secondary and tertiary connections that might not be immediately apparent but could expose organizations to significant vulnerabilities.
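
As an added illustration (not from the original article or Black Kite's platform), the sketch below walks a constructed vendor dependency inventory to find which direct vendors reach a breached provider through secondary or tertiary connections, and how many of them concentrate on the same downstream provider. All vendor names other than Change Healthcare, and all function names, are hypothetical.

```python
from collections import deque

# Constructed sample inventory: each entity maps to the providers it relies on.
# Every name except "Change Healthcare" is hypothetical.
DEPENDS_ON = {
    "Our Hospital": ["Billing Co", "Pharmacy Net", "Cloud Host"],
    "Billing Co": ["Change Healthcare", "Cloud Host"],
    "Pharmacy Net": ["Claims Gateway"],
    "Claims Gateway": ["Change Healthcare", "Pharmacy Net"],  # cycle on purpose
    "Cloud Host": [],
    "Change Healthcare": [],
}

def shortest_path(graph, src, dst):
    """Breadth-first search; the seen set keeps cycles from looping forever."""
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            return path
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposure_paths(graph, start, breached):
    """Map each direct vendor of `start` that reaches `breached` to its
    shortest dependency path (path length - 1 = hops to the breached party)."""
    results = {}
    for vendor in graph.get(start, []):
        path = shortest_path(graph, vendor, breached)
        if path is not None:
            results[vendor] = path
    return results

def concentration(graph, start):
    """Count how many of `start`'s direct vendors reach each downstream provider."""
    counts = {}
    for vendor in graph.get(start, []):
        for node in graph:
            if node != vendor and shortest_path(graph, vendor, node):
                counts[node] = counts.get(node, 0) + 1
    return counts

if __name__ == "__main__":
    hits = exposure_paths(DEPENDS_ON, "Our Hospital", "Change Healthcare")
    for vendor, path in hits.items():
        print(f"{vendor}: {len(path) - 1} hop(s) via {' -> '.join(path)}")
    print(concentration(DEPENDS_ON, "Our Hospital"))
```

In this sample, two of three direct vendors depend on the breached provider, one of them only through an intermediary that a direct-relationship review would miss.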

Questions TPRM Professionals Should Ask Vendors

In light of the Change Healthcare incident, TPRM professionals need to engage with their vendors with heightened scrutiny and a comprehensive approach to ensure robust cybersecurity practices are in place. Here’s an enriched set of questions designed to delve deeper into the vendors’ cybersecurity measures, their direct or indirect exposure to the incident, and their readiness for such cybersecurity challenges:

  1. Can you detail the nature and extent of data shared with Change Healthcare, and confirm if any of our shared data was potentially exposed during the incident?
  2. What immediate actions have you taken upon learning of the Change Healthcare incident to secure our shared data and mitigate any potential compromise?
  3. Given the nature of the breach, how do you evaluate your current data protection strategies against the exploited vulnerabilities, and what improvements or changes are being implemented?
  4. How will you communicate with us about potential data exposure, including the types of data involved, the extent of the exposure, and the steps you’re taking to address the issue?

Remediation Recommendations for Vendors Working with Change Healthcare

  • Conduct a thorough security assessment to identify any direct or indirect exposure due to the Change Healthcare incident. 
  • Enhance data encryption both at rest and in transit, especially for sensitive information shared with Change Healthcare. 
  • Reassess access controls and permissions for systems and data interacting with Change Healthcare. 
  • Update your incident response plan to include specific scenarios related to third-party data breaches.
  • Review compliance with all relevant legal and regulatory requirements, especially those relating to data protection and breach notification.
  • Engage in information sharing and collaboration with industry peers to benefit from shared experiences and strategies for mitigating the risks associated with third-party breaches.

Leveraging Black Kite in Light of the Change Healthcare Incident

In the face of the Change Healthcare breach and recent cybersecurity vulnerabilities, Black Kite’s Focus Tags™ emerged as a critical tool for TPRM professionals. Black Kite published a Focus Tag shortly after the incident’s disclosure, offering invaluable insights for TPRM professionals. By identifying and evaluating the vendors associated with Change Healthcare within their network, professionals can pinpoint potential data breaches and prioritize their risk management efforts more effectively.

These tags not only highlight the importance of immediate threat identification and risk prioritization but also underscore the need for effective vendor communication and comprehensive security enhancement. Here’s how Black Kite’s Focus Tags™ are transforming TPRM in response to current challenges:

  • Dynamic Risk Insights: The immediate identification of potentially affected vendors by emerging threats, such as the ransomware attack against Change Healthcare, allows TPRM teams to act quickly, minimizing potential damage.
  • Strategic Risk Management: Focus Tags™ facilitate a nuanced approach to risk management, enabling prioritization based on the severity of incidents and the criticality of the vendors involved. This ensures that resources are allocated efficiently, addressing the most pressing threats first.
  • Enhanced Vendor Communication: Armed with specific, actionable insights from Focus Tags™, TPRM professionals can engage in more targeted and effective discussions with vendors. These conversations are crucial for assessing and improving vendors’ security measures in light of recent incidents.
  • Overall Security Ecosystem Strengthening: By providing a panoramic view of the threat landscape, Black Kite’s Focus Tags™ assist in fortifying the overall cybersecurity strategy. This comprehensive awareness is vital for adapting to and mitigating the rapidly evolving cyber threats.

Black Kite’s Focus Tags™, especially in the current context of the Change Healthcare breach and new incidents, offer a strategic advantage. They convert complex cyber threat data into actionable intelligence, enabling TPRM professionals to navigate the complexities of today’s cyber threats with confidence and precision. As we continue to witness the emergence of sophisticated cyber campaigns, the role of Black Kite’s Focus Tags™ in enhancing TPRM practices has never been more crucial.

Focus Tags™ in the last 30 days:

  • Change Healthcare Client
  • ScreenConnect: CVE-2024-1709, Authentication Bypass Vulnerability
  • Cisco ASA [Suspected]: CVE-2020-3259, Information Disclosure Vulnerability
  • Exchange Server: CVE-2024-21410, Privilege Elevation Vulnerability
  • QNAP QTS: CVE-2023-47218, CVE-2023-50358, OS Command Injection Vulnerability
  • Symantec MG [Suspected]: CVE-2024-23615, CVE-2024-23614, Buffer Overflow Vulnerability (Remote Code Execution)
  • FortiOS SSL VPN [Suspected]: CVE-2024-22024, An Out-of-Bounds Write Vulnerability
  • RoundCube [Suspected]: CVE-2023-43770, Stored-XSS Vulnerability [Updated]
  • Citrix ADC/Gateway: CVE-2023-6549 [Updated], Buffer Overflow Vulnerability
  • Ivanti EPMM: CVE-2023-35082 [Updated], Authentication Bypass Vulnerability
  • GoAnywhere [Suspected]: CVE-2024-0204, Authentication Bypass Vulnerability
  • Redis RCE: CVE-2023-41056, Remote Code Execution Vulnerability
  • Ivanti ICS: CVE-2024-21887, Command Injection Vulnerability, CVE-2023-46805, Authentication Bypass Vulnerability
  • Cacti SQLi: CVE-2023-51448, Blind SQL Injection (SQLi) Vulnerability
  • Juniper OS: CVE-2024-21591 [Updated Tag], Remote Code Execution Vulnerability
  • Kyocera Device Manager [Suspected]: CVE-2023-50916, Path Traversal Vulnerability
  • Apache Tomcat: CVE-2023-46589, Improper Input Validation Vulnerability