The most disruptive cyberattack on U.S. critical infrastructure to date remains unresolved four weeks after UnitedHealth Group said it discovered an intrusion in its medical claims and payment processing platform.
More than 110 services spanning Change Healthcare’s IT infrastructure remained offline and about 20 services had resumed operations as of Thursday afternoon, according to Optum’s status page. UnitedHealth Group acquired Change, which touches 1 in 3 patient records, for $13 billion in late 2022.
The length of Change’s sustained downtime following a cyberattack is unexceptional, but its enduring impacts are abnormal.
The monthlong outage is drawing criticism from cybersecurity experts who view the ongoing recovery as evidence of deficiencies in Change’s backup procedures and in its preparation to respond to cyberattacks.
“Such a critical service should have a worst-case recovery time of less than four weeks,” said Brett Callow, threat analyst at Emsisoft.
“The fact that it has taken a company that provides such a critical service so long to recover is obviously a concern. Not only the time it took to recover its IT systems, but the fact that it seemingly didn’t have a backup plan that could be quickly and speedily put in place,” Callow said.
UnitedHealth Group said it’s working aggressively to restore systems and services, and enacting manual processes where possible. The company did not respond to requests for additional comment about the length of the recovery.
“We continue to make significant progress in restoring the services impacted by this cyberattack,” UnitedHealth Group CEO Andrew Witty said Tuesday in a statement. “We know this has been an enormous challenge for healthcare providers and we encourage any in need to contact us.”
The duration of Change’s response and recovery time, 29 days since the intrusion was detected, is concerning, according to Katell Thielemann, distinguished VP analyst at Gartner.
“It calls into question whether resilience best practices such as incident response plans, backups, manual operations failover or offline communications trees were in place,” Thielemann said via email.
“Many companies still think about cybersecurity as a prevention and detection problem. But with today’s threat landscape, response and recovery should be immediately elevated as a core focus area,” Thielemann said.
‘Unprecedented’ impact
The modern era of cybersecurity is marked by attacks with far-reaching consequences including last year’s mass exploit of a critical vulnerability in MOVEit, the 2020 attack against SolarWinds’ Orion software and the 2021 attack targeting Kaseya. But experts say the impacts of the Change incident are beyond comparison.
“The sustained damages are unprecedented,” Chris Henderson, senior director of threat operations at Huntress, said via email. “This attack impacted the entire healthcare supply chain without needing to deliver ransomware through the chain.”
Threat hunters and analysts rarely observe out-of-the-ordinary activity, yet this is a repeat theme in their analysis of Change’s drawn-out recovery.
The costs, and the impacts on patients and other providers, are extraordinary, according to Callow.
“The scale and magnitude of this incident is without precedent. It has caused disruption for an unprecedented amount of time,” Callow said. “I can’t think of another incident that comes close in terms of the amount of disruption that’s been caused.”
The ransomware attack on Change, and the nationwide disruption it’s caused, raises new questions about what federal officials should designate as critical infrastructure. Change sits in a nebulous space, despite its critical role in healthcare payments and claims processing.
“We need to cast a much broader net when defining critical infrastructure. In this case, decades of industry consolidation and digital transformation efforts have created enormous concentration risks,” Thielemann said.
“Our threat modeling in every industry needs to ferret out centers of gravity away from the obvious, in this case a claims clearinghouse,” Thielemann said. “How many of these technologies underpin everything, hiding in plain sight?”
Recovery efforts ongoing
Change restored pharmacy prescription and electronic payment platforms earlier this month, but the medical claims network is still offline. UnitedHealth Group said it started “testing and reestablishing connectivity in a phased manner” to its claims network this week.
The company has not said when it expects to fully recover operations.
The post-attack downtime at Change “feels longer than usual, but no two incidents are alike,” Chester Wisniewski, global field CTO at Sophos, said via email. “IT systems are very customized in large environments and the amount of reliance upon them varies.”
Outages extending longer than a month do happen. The City of Dallas and Prospect Medical Holdings both took over a month to fully resume operations after they were hit by ransomware attacks last year.
Recovering from ransomware attacks is a complicated endeavor, even more so if victim organizations have to eradicate malware or footholds from many interconnected systems.
“Given the seemingly large scope of the attack this could mean completely rebuilding their infrastructure from the ground up,” Henderson said.
“Most organizations can get critical systems up and then run in a degraded state while the full restoration and validation of services continue,” Henderson said. “Change Healthcare’s critical business of medical billing likely makes running in a degraded state even more difficult or impossible.”