In February 2024, the U.S. healthcare system faced an unprecedented crisis: Change Healthcare, connecting more than a million doctors, hospitals, pharmacies and laboratories, was hit by a ransomware attack. The results were devastating.
The American Hospital Association revealed that 74% of hospitals experienced direct patient care impacts due to the attack. As well as putting patient care at risk, the attack exposed more than 100 million Americans’ healthcare data, and caused an estimated $872 million in damage.
One year later, the attack has become a poster child for the critical need for robust cybersecurity in the healthcare sector. What can we learn? Securin’s researchers took a retrospective on the attack…
Simple Tactics, Catastrophic Impacts
To many security teams, the initial attack vector will sound all-too-familiar: the attackers exploited public-facing applications and external remote services to gain initial access. Specifically, a stolen Citrix account without multi-factor authentication (MFA) was exploited. Once inside, the attackers moved laterally through the network, exfiltrating 6TB of sensitive data before deploying their encryption payload as part of a ransom demand.
From an operational perspective, one basic security control – MFA – could have helped to prevent:
- 119 Change Healthcare and Optum services/platforms affected.
- Widespread disruption to US healthcare billing and pharmacy systems.
- $593M in direct cyberattack response costs and $279M in business disruption costs.
Despite a ransom payment of $22m, the stolen data was leaked on the dark web, with potentially serious long-term consequences for affected individuals and organizations.
Code Blue For Healthcare Operations
Significant as it was, the technical impact of the attack extended far beyond Change Healthcare itself: 119 services and platforms were disrupted, wreaking havoc on billing and pharmacy systems across the United States.
For healthcare providers, the attack caused immediate cash flow problems, as payment processing systems across the country went offline. For patients, care authorization was disrupted, along with prescription fulfillment. The far-reaching (and potentially life-threatening) impact underlined the fragility of the U.S. healthcare system’s reliance on centralized digital infrastructure; as Securin’s CISA Sectors Critical Infrastructure Report showed, there were over 300 healthcare breaches in the first half of 2024 alone. Securin analysis of 519 attacks on healthcare targets in 2024 showed a sector incredibly vulnerable to ‘low hanging fruit’ compromise:
☣️ Vulnerability/Misconfiguration Exploitation – 27%
☣️ Compromised Credentials – 26%
☣️ Spear Phishing by Link or Attachment – 22%
The Group Behind the Change Healthcare Attack
The group behind the attack, BlackCat / ALPHV, is the leading threat actor against healthcare and public health systems in the U.S. The group presents such a significant threat that the U.S. Department of State put a $10m bounty on the group’s leaders in 2024. Among their key tactics:
- Initial access via stolen credentials; the group has also exploited known vulnerabilities such as Log4j for lateral movement.
- Double extortion: stealing data before encryption, to increase leverage.
- Targeting critical infrastructure globally: the group has also breached targets in the energy sector.
Lessons Learned
The Change Healthcare breach exposed structural vulnerabilities across an entire industry. Some critical lessons stand out:
1. The Access Control Challenge
The initial breach started from a compromised account without MFA – a basic security measure that’s still not universally implemented in healthcare. For a sector that relies heavily on remote access for operations, MFA should be non-negotiable.
2. Data Concentration Risk
With over 100 million records accessed from a single breach point, the case for a more segmented approach to both data and storage access is clear.
3. The Cybersecurity Gap
As is so often the case with critical infrastructure providers, healthcare organizations prioritize operational continuity over security investment and implementation. The Change Healthcare attack underlined how this approach can ultimately create far greater operational risk.
Risk Mitigation Recommendations
For security professionals supporting healthcare organizations, the messages around MFA, zero trust, network segmentation and data protection are clear. Here are some steps you can take to mitigate the risks:
- Implement robust multi-factor authentication across all systems, especially for remote access
- Enhance data segmentation and encryption to limit potential breach scope
- Improve threat detection and response capabilities through AI-driven security tools
- Conduct regular, comprehensive security assessments and penetration testing
- Develop and regularly test detailed cyber incident response and business continuity plans
- Increase cybersecurity awareness training for all staff, with a focus on social engineering tactics
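The access-control lesson above and the first recommendation both come down to one measurable question: which remote-access logins are succeeding without MFA? The following audit script is an added example (not Securin's or Change Healthcare's code) that answers it over a few constructed gateway authentication events; the event fields, the service names and the set of services treated as remote access are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample authentication events from a hypothetical remote-access
# gateway; these are not real logs from the Change Healthcare incident.
SAMPLE_EVENTS = """
{"ts": "2024-02-12T03:14:07Z", "user": "j.doe", "service": "citrix-gateway", "result": "success", "mfa": true, "src": "203.0.113.10"}
{"ts": "2024-02-12T03:20:41Z", "user": "svc-remote", "service": "citrix-gateway", "result": "success", "mfa": false, "src": "198.51.100.7"}
{"ts": "2024-02-12T03:21:05Z", "user": "svc-remote", "service": "citrix-gateway", "result": "success", "mfa": false, "src": "198.51.100.7"}
{"ts": "2024-02-12T04:02:19Z", "user": "a.smith", "service": "vpn", "result": "failure", "mfa": false, "src": "192.0.2.44"}
{"ts": "2024-02-12T09:15:00Z", "user": "a.smith", "service": "intranet-portal", "result": "success", "mfa": false, "src": "10.0.5.12"}
"""

# Assumption: these service names are the externally reachable remote-access
# entry points whose logins must always carry a second factor.
REMOTE_ACCESS_SERVICES = {"citrix-gateway", "vpn"}


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_mfa_gaps(events):
    """Successful remote-access logins that did not use MFA, grouped by user."""
    gaps = defaultdict(list)
    for ev in events:
        if (ev["service"] in REMOTE_ACCESS_SERVICES
                and ev["result"] == "success"
                and not ev.get("mfa", False)):
            gaps[ev["user"]].append(ev)
    return dict(gaps)


def mfa_coverage(events):
    """Fraction (0.0 to 1.0) of successful remote-access logins that used MFA."""
    remote = [e for e in events
              if e["service"] in REMOTE_ACCESS_SERVICES and e["result"] == "success"]
    if not remote:
        return 1.0
    return sum(1 for e in remote if e.get("mfa", False)) / len(remote)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(f"MFA coverage on remote access: {mfa_coverage(evs):.0%}")
    for user, hits in find_mfa_gaps(evs).items():
        srcs = sorted({h["src"] for h in hits})
        print(f"ALERT {user}: {len(hits)} remote login(s) without MFA from {', '.join(srcs)}")
```

Failed logins and internal-only services are deliberately ignored so the coverage figure reflects only sessions that actually opened a path into the network.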
Healthcare Sector Cybersecurity: Early Intervention Wins
As we keep seeing across the critical infrastructure sectors, older, known software vulnerabilities continue to give attackers an easy pathway into systems. Despite the availability of patches, many of these weaknesses continue to feature in attacks – underlining the critical importance of getting to grips with attack surface management and patching.