Cybercriminals see the nation’s vulnerabilities far more clearly than regulators do.
When the coronavirus began straining American health care four years ago, hospitals and public officials at least saw the problem coming. Now a different kind of invader—purposeful and malign—has caught the system off guard. Late last month, hackers conducted a massive ransomware attack on Change Healthcare, a division of UnitedHealth Group that transmits health providers’ claims to patients’ insurers, and the consequences are rippling outward. Prescriptions, payments, and insurance authorizations are being delayed. Providers are having trouble sharing patients’ medical records. Some institutions worry about their ability to make payroll.
Because Change doesn’t provide critical care or treat patients, few people outside the health-care industry had even heard of the company before it publicly acknowledged the cyberattack. But one number makes the incident’s importance clear: Change says it handles more than 15 billion claims a year. It has quietly become an essential part of the infrastructure of American health care. And as the company struggles to get its network functioning again, other entities that rely on it are caught in limbo.
The hackers—apparently part of a gang that has called itself AlphV and BlackCat, among other names—seem to have figured out what America’s regulators have not: A vital but obscure data-transmission pipeline can be ransomware gold, the United States demands too little emergency planning from private entities that serve public functions, and even a massive industry may be subject to a single point of failure.
In 2022, when the U.S. Department of Justice unsuccessfully sued to block UnitedHealth’s acquisition of the firm, government lawyers asserted that Change processes 50 percent of all health-care transactions and that the health system “would not work” without it. In other words, antitrust officials were aware of Change’s significance. But antitrust investigations examine only unfair competition, not whether a company’s hold on the health-care system is a safety vulnerability. And responsibility for protecting civilian infrastructure against outside attack is diffused across the U.S. government. The Cybersecurity and Infrastructure Security Agency, within the Department of Homeland Security, is generally in charge of cyberdefense, and the regulatory agencies with which health-care companies have routine contact—including those within the Department of Health and Human Services—are less likely to prioritize defending against hackers. In general, cybersecurity efforts commonly focus on big, highly visible targets and may underrate the importance of the networks that move money, data, and essential supplies from place to place.
The 2021 cyberattack on Colonial Pipeline targeted the same vulnerability. Colonial Pipeline, like Change, was a little-known company in a powerful position: It managed and administered the flow of refined-oil products from the Gulf of Mexico to the East Coast. It carries millions of barrels of fuel each day and is the largest pipeline system for oil in the United States. After the attack was discovered, Colonial’s only option was to shut its whole system down. The company paid a ransomware demand to the hackers—who were reportedly affiliated with an earlier incarnation of AlphV—but the hackers’ solution appears not to have worked. The problem lasted for days, leading to gas shortages on the East Coast and an emergency declaration by President Joe Biden that relaxed previous restrictions on the transport of oil on trains and roads.
Law-enforcement agencies have blamed AlphV for other cybercrimes around the world. Whether Change or its corporate parent paid the ransomware price has yet to be confirmed. Wired, citing cybersecurity researchers, has reported that an address connected with AlphV received a bitcoin payment worth $22 million two days after the hack began. UnitedHealth declined to tell the magazine whether it had tried to free its data from the hackers, saying only that the company is “focused on the investigation right now.”
In this strange war between companies and the criminals who get into their systems, hackers generally seek amounts that a company or its insurer can pay without too much fuss (many companies now purchase ransomware coverage); if the victim pays, hackers release their hold on the data. If hackers demand too much, the company can’t pay; if they refuse to fix the problem they created, future victims won’t pay. An uneasy coexistence is developing.
That’s worrisome, because Americans should not count on the trustworthiness of hackers. Wired’s reporting suggests that people associated with AlphV may be fighting over the distribution of ransom money, leaving Change and its customers to await a remedy. This situation would be amusing—a melodrama between hacker factions as health-care executives wonder what has gone wrong—if it weren’t so damaging.
After the Colonial fiasco, the federal government passed limited regulations to demand greater cybersecurity defenses by the pipeline industry. Those rules did not extend to other crucial infrastructure, such as health-care-information systems. Private companies are not prohibited from paying ransomware, allowing a system of blackmail to fester. Even worse, there are no redundancy requirements for transmission companies to have plans in place should hackers penetrate their systems; like Colonial Pipeline, Change’s only solution is to shut down a wide variety of services that the company’s clients cannot do without. But an on-off switch for essential functions is hardly a sufficient response to a threat that is becoming all too predictable.
https://www.theatlantic.com/ideas/archive/2024/03/change-healthcare-alphv-blackcat-hackers/677650/