
Ransomware, PHI, and the $30 Million Bitcoin Ultimatum: How Change Healthcare's Breach Could Have Been Prevented

“Deposit 30 million dollars into our Bitcoin wallet, or we are going to leak all of your PHI.”


Change Healthcare stores and processes PHI and HIPAA data for anywhere between 170 million and 200 million Americans. They are one of the largest health IT companies in the world, managing critical systems for claims processing, patient records, and other healthcare data services.


That’s why, when a malicious actor gained access to their internal systems in 2023, all operations ground to a halt. While the exact method of attack hasn’t been publicly disclosed, it likely resulted from unpatched vulnerabilities in their technology stack. These vulnerabilities could have been mitigated with the correct software implementation and engineering talent. Here are some key areas of security that could have helped Change, and can help anyone managing sensitive data:


1. Endpoint Detection and Response (EDR):


  • What it is: EDR is focused on continuously monitoring and responding to threats on endpoints (devices like computers, servers, and mobile devices). It provides visibility into endpoint activities and helps detect suspicious behaviors.


  • How it helps: In the event of unpatched vulnerabilities being exploited, an EDR system could detect unusual behavior, like unauthorized access attempts, file modifications, or privilege escalation, and trigger an alert before the attackers gain deeper access to sensitive systems.


2. Extended Detection and Response (XDR):


  • What it is: XDR is a more comprehensive extension of EDR, integrating visibility and threat detection across multiple security layers (endpoint, network, cloud, etc.) in a unified platform.


  • How it helps: XDR aggregates data from endpoints, cloud, network traffic, and user behavior, creating a holistic view of the environment. This allows faster detection of suspicious patterns, cross-layer correlation of threats, and a more coordinated defense. In a breach scenario, XDR can help correlate unusual activities across different systems, reducing the time to detect and respond.


3. Security Information and Event Management (SIEM):


  • What it is: SIEM collects, analyzes, and correlates logs and security events from across an organization’s IT infrastructure, providing a centralized view of potential security incidents.


  • How it helps: SIEM aggregates logs from various systems in an organization’s environment, providing a centralized view of suspicious behavior, such as unauthorized access attempts, system vulnerabilities, or unusual file access. By correlating this data, security teams can identify breaches early on.




4. Incident Response (IR) and Threat Hunting:


  • What it is: Incident Response teams, aided by threat hunting tools, actively look for and respond to potential threats in the environment, while also investigating suspicious activities before they escalate into full-scale breaches.


  • How it helps: Having a proactive Incident Response team (or, with the advent of AI, a properly configured machine learning model), coupled with threat hunting capabilities, could have helped detect the breach at an early stage. This allows organizations to contain attacks and prevent damage to their systems and data.


5. Security Orchestration, Automation, and Response (SOAR):


  • What it is: SOAR platforms automate security operations workflows, combining security incident management, threat intelligence, and automated response actions.


  • How it helps: SOAR helps organizations respond to alerts more efficiently by automating the investigation process and taking immediate action based on pre-defined playbooks. For example, if an attacker accessed the system through a vulnerability, SOAR could have quickly isolated affected machines and mitigated the spread of the attack.
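To make the SIEM correlation described in item 3 and the SOAR playbook described in item 5 concrete, here is a small added example (written for this page; it is not code from the original post or from Nimbus, and it is not any vendor's API). It consumes a few constructed log lines from a VPN gateway and an endpoint agent, raises a medium-severity alert when a burst of failed logins is followed by a success from the same source, escalates to high severity when a privilege-escalation event for the same user follows within a window, and then maps each alert's severity to a response playbook (open a ticket, isolate the host, disable the account). The log format, field names, thresholds and action names are all assumptions chosen for illustration.

```python
"""SIEM-style correlation plus a SOAR-style playbook over constructed logs.

Added example for illustration; the log format, field names, thresholds
and action names are assumptions, not a real product's schema or API.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data).
# Format: "<ISO time> <source> <event> key=value ..."
SAMPLE_LOGS = """\
2023-06-01T10:00:01 vpn auth_failed user=jdoe src=203.0.113.7 host=vpn-gw1
2023-06-01T10:00:04 vpn auth_failed user=jdoe src=203.0.113.7 host=vpn-gw1
2023-06-01T10:00:09 vpn auth_failed user=jdoe src=203.0.113.7 host=vpn-gw1
2023-06-01T10:00:15 vpn auth_failed user=jdoe src=203.0.113.7 host=vpn-gw1
2023-06-01T10:00:20 vpn auth_failed user=jdoe src=203.0.113.7 host=vpn-gw1
2023-06-01T10:00:31 vpn auth_success user=jdoe src=203.0.113.7 host=vpn-gw1
2023-06-01T10:06:02 edr priv_escalation user=jdoe host=claims-srv-04 proc=unsigned.exe
2023-06-01T11:30:00 vpn auth_failed user=asmith src=198.51.100.9 host=vpn-gw1
2023-06-01T11:45:00 vpn auth_success user=asmith src=198.51.100.9 host=vpn-gw1
"""

# Assumed rule parameters (tune per environment).
FAIL_THRESHOLD = 5                        # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=2)        # failures must fall within this window
ESCALATION_WINDOW = timedelta(minutes=30) # suspicious login -> priv escalation


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' plus key=value fields."""
    ts, source, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(events):
    """Apply two cross-source rules and return the alerts in time order.

    Rule 1 (auth burst): >= FAIL_THRESHOLD auth_failed for the same user+src
      within FAIL_WINDOW, then auth_success -> 'suspicious_login' (medium).
    Rule 2 (escalation): a suspicious_login followed within ESCALATION_WINDOW
      by priv_escalation for the same user -> 'compromise_in_progress' (high).
    """
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)   # (user, src) -> recent failure timestamps
    logins = []                    # suspicious_login alerts, for rule 2
    alerts = []
    for e in events:
        if e["event"] == "auth_failed":
            key = (e["user"], e["src"])
            # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
            failures[key].append(e["ts"])
        elif e["event"] == "auth_success":
            key = (e["user"], e["src"])
            recent = [t for t in failures.pop(key, []) if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                a = {"rule": "suspicious_login", "severity": "medium", "user": e["user"],
                     "src": e["src"], "host": e["host"], "ts": e["ts"]}
                logins.append(a)
                alerts.append(a)
        elif e["event"] == "priv_escalation":
            for a in logins:
                if a["user"] == e["user"] and timedelta(0) <= e["ts"] - a["ts"] <= ESCALATION_WINDOW:
                    alerts.append({"rule": "compromise_in_progress", "severity": "high",
                                   "user": e["user"], "src": a["src"], "host": e["host"],
                                   "ts": e["ts"]})
                    break
    return alerts


# Assumed playbooks: severity -> ordered response steps.
PLAYBOOK = {
    "medium": ["open_ticket", "notify_soc"],
    "high": ["isolate_host", "disable_account", "open_ticket", "page_on_call"],
}


def run_playbook(alerts):
    """Return the (action, target) pairs a SOAR platform would execute, in order."""
    actions = []
    for a in alerts:
        for step in PLAYBOOK[a["severity"]]:
            if step == "isolate_host":
                target = a["host"]          # contain the endpoint where escalation was seen
            elif step == "disable_account":
                target = a["user"]          # cut off the credential in use
            else:
                target = f"{a['rule']}:{a['user']}"
            actions.append((step, target))
    return actions


if __name__ == "__main__":
    found = correlate(parse_logs(SAMPLE_LOGS))
    for a in found:
        print(f"{a['ts']} [{a['severity']}] {a['rule']} user={a['user']} host={a['host']}")
    for action, target in run_playbook(found):
        print(f"  -> {action}({target})")
```

The second user in the sample (one failure, then a success fifteen minutes later) produces no alert, which is the point of windowing: correlation has to separate a real burst from ordinary mistyped passwords, or the playbook will isolate machines on noise. In a production deployment the actions in `PLAYBOOK` would call the EDR and identity provider APIs rather than return tuples, and the high-severity path would normally require an analyst approval step before `isolate_host` runs against a claims-processing server.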


In a rapidly shifting technology landscape, fraught with AI and a new breed of threat actors, you need the best and brightest engineers to rapidly adapt to an unstable ecosystem. Let Nimbus be your guide.

 
 
 
