UnitedHealth Group CEO Andrew Witty didn’t provide all the answers lawmakers sought in testimony last week over his handling of a ransomware attack on subsidiary Change Healthcare.
Witty recounted what led up to the AlphV ransomware group's intrusion into Change’s IT environment on Feb. 12 and what happened after the group stole data on a third of U.S. residents and deployed ransomware.
Over the span of more than four hours before two Congressional hearings, the embattled healthcare leader shared key technical details that helped illustrate why the late February attack had such a devastating impact on the healthcare industry.
Here are five takeaways from Witty's testimonies:
1. Legacy tech at Change amplified attack’s impact
Change Healthcare was founded in 2007, but some of the technology systems running the company’s medical claims and payment processing business date back 40 years, according to Witty.
Before the attack, UnitedHealth, which acquired Change for $13 billion in late 2022, was in the process of upgrading and modernizing an extensive amount of Change’s technology.
“The attack itself had the effect of locking up the various backup systems which had been developed inside Change before it was acquired. That’s really the root cause of why it’s taken so long to bring it back,” Witty said.
Most of Change’s data was stored on premises in data centers before the attack. “As we've rebuilt the technology environment, we have moved much more into the cloud, which we believe creates a much more secure future environment,” Witty said.
2. Stolen credentials unlocked access
The attacker gained access to Change’s remote access server on Feb. 12 with stolen credentials, Witty said.
The company has relatively high confidence the credentials were stolen and sold on the dark web before the attack occurred.
The legitimate credentials and lack of MFA allowed the attacker to move laterally within Change’s systems, steal and encrypt data and deploy ransomware on Feb. 21.
3. Incident response cavalry called in
UnitedHealth brought in at least seven incident response firms and third-party cybersecurity experts to help it respond to and recover from the attack. Some of those engagements, all of which began after the attack, will now remain in place.
Witty specifically called out the support UnitedHealth received from Mandiant, Palo Alto Networks and Bishop Fox, but in written testimony added that Google, Microsoft, Cisco and Amazon were also on site assisting with recovery, advisory and testing efforts.
UnitedHealth asked Mandiant to join its board as a permanent advisor to strengthen the company’s cybersecurity oversight and strategy.
“They have been extremely helpful in understanding this attack, and they have become a board advisor to ensure that we have the very best advice at the top of the company,” Witty said. “We have the most elite cybersecurity advice available.”
4. Response and recovery snags
UnitedHealth immediately disconnected Change from all other systems when it became aware of the ransomware attack.
That rapid response was critical to prevent the ransomware from spreading and infecting any other provider or network in the country, and it worked, Witty said. “We contained the blast radius to just Change. We shut down the whole thing.”
“It’s a software and network business, not a pipeline business in a physical sense,” Witty said. “When it’s attacked, the vulnerability is that the software is impacted or encrypted and that really freezes the whole system, which is why this has been such a devastating impact.”
Change’s legacy technology also meant the primary and backup IT environments were not isolated from each other, so both were directly impacted by the attack. IT elements in the cloud were brought back online quickly, but systems in older data centers were weighed down by multiple layers of old technology, Witty said.
The recovery effort took longer than most people expected because UnitedHealth had to rebuild Change’s platform from scratch, Witty said. The rebuilt platform uses modern, often cloud-based technologies with “much greater built-in security capabilities than anything that pre-existed the attack.”
5. Multifactor authentication wasn’t turned on
Multiple lawmakers grilled and criticized Witty over the unprotected remote access point AlphV used to break into Change Healthcare’s systems.
The company’s policy is to have MFA turned on for all external-facing systems, but for reasons that remain under investigation, a Change Healthcare Citrix portal used for desktop remote access did not have MFA turned on.
“That was the server through which the cybercriminals were able to get into Change,” Witty said.
“We’re trying to dig through exactly why that server had not been protected by MFA. I’m as frustrated as anybody about that fact and we are working to try and understand exactly why it was not covered at the time,” Witty said.
“I can confirm to you that as of today, across the whole of UHG, all of our external-facing systems have got multifactor authentication enabled,” he said.