back to article UnitedHealth's 'egregious negligence' led to Change Healthcare ransomware infection

The cybersecurity practices that led up to the stunning Change Healthcare ransomware infection indicate "egregious negligence" on the part of parent company UnitedHealth, according to Tom Kellermann, SVP of cyber strategy at Contrast Security. During the attack, ALPHV aka BlackCat criminals made it into the medical corporation …

  1. Pascal Monett Silver badge

    This may have hurt dearly

    But in the long run, the miscreants have now proven that paying the ransom is a very bad idea.

    We are finally poised to progress beyond well-intentioned admonishments that no one listens to. You get hacked ? Swallow the pill, correct the situation and put what money you have to ensuring that it won't happen again.

    Don't waste your money on paying the assholes who got in.

    They're assholes. They will gouge you for everything they can, and you'll still be fucked.

    1. midwestMan

      Re: This may have hurt dearly

      You might pay a ransom to recover data that you otherwise might not be able to recover, but that wasn't the case here. In this case, it was a move to constrain information. Nobody but the threat actors know what data was compromised, and won't for many months, if ever. That's all they hoped to accomplish by paying the ransom. It was so important to them, they paid it twice.

  2. Mike 137 Silver badge

    Only $22M?

    "I'm blown away by the fact that they weren't using multi-factor authentication," Kellermann told The Register. "I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised. I think it's egregious negligence, frankly."

    It's really no different from the 2017 Equifax breach. This resulted from (among other things) failure to maintain a service inventory so they couldn't find a vulnerable service they'd been warned about and provided with a patch for; failure to renew the digital certificate used for decrypting traffic on an activity monitor so they couldn't see the exfiltration taking place; retention on the network of a plain text file containing credentials allowing the perps access to other internal networks. By 2019 the breach had cost them $1.4 billion , and subsequent settlements added another $650 million, so $22 million is really small fry.

    In both cases, as usual, the root causes are not technological -- they're inadequate management. Unfortunately, fulfilment of the really quite basic subclauses 5.1 'Leadership and commitment' and 5.2 'Policy' of ISO/IEC 27001 is interpreted by most organisations (at least in my experience) as a pure paper exercise. The Board gets the CIO to write a 'commitment statement' to satisfy the ISO auditors and then forgets about infosec entirely. Policies are written off the cuff by a designated staffer instead of their requirements being investigated and discussed, and from that point on infosec activities are conducted in multiple independent technological silos (anti-virus, firewall management, user access and authentication etc.), that don't intercommunicate, so no overall picture of the organisation's real security stance is available to anyone. Hence the prevalence of data breaches.

    1. elDog

      Well stated. Also the separation of silos and lack of coordination

      make it easier for the upper-level management to assign blame to some technical lead in the silo and take punitive action.

      The punitive action should be going up the chain - all the way to the CEO and the Board of Directors.

    2. UnknownUnknown

      Re: Only $22M?

      No mention of a SOC Audit or HIPPA Compliance?!?!?

  3. elip

    This guy is talking about something he knows nothing about. Not surprising given he's a sec company CEO. United Health only *recently* acquired Change and had not at all come close to integrating Change's networks with UNH's, which is why the impact was limited to Change Healthcare's network only, where yes, they did not use MFA for a lot of their internal systems (and still don't). However, UNH themselves has MFA across the board, and is heads-and-shoulders above their peers with regards to operational security.

    1. Anonymous Coward
      Anonymous Coward

      the term you're missing is "due diligence", moron...

      United Healthcare is 100% responsible for the breach at Change Healthcare.

      1. ecofeco Silver badge

        Re: the term you're missing is "due diligence", moron...


    2. Michael Wojcik Silver badge

      Recently? The deal closed 18 months ago. Not rolling out MFA in that time is inexcusable, as is not correcting the improperly-segregated networks.

      If UHC's IT security is as good as you claim, then all of this should have become apparent during due diligence, and there should have been a short-term, high-priority plan in place from the moment the acquisition was completed to fix it.

  4. Sparkus

    Not blown-away here

    Having been inside of Optum, and watched as the old-boy/girl network promote high percentages of connected people without regard for their actual skills or abilities, I'm not blown away at all.

    Optum is well-known as a repository where the only accountability is at the lowest level of staff. Once an individual is in a 'leadership' role, part of their job is to expand staff to ensure that a few sacrificial lambs are always available.

    Too big to fail = too big to trust. The best approach to security segmentation is to break that monster up.

  5. martinusher Silver badge

    It can be done properly

    Back when I was an accidental Intel employee our systems were fully Wintel -- "There Was No Alternative" --but they were configured and managed correctly so things worked as advertised despite us only running Windows 2000. There was proper authentication and its the only place where my desktop did actually appear on a remote 'guest' computer without printing jobs being automatically directed to a printed thousands of miles away.

    I also found out that there was also a Big Brother watching everything that was going on. Part of my work involved developing and testing a SNMP agent. (SNMP is a relatively harmless protocol that's UDP based.) That's how I found out that they not had a security team but they were looking at literally everything -- they not only detected my SNMP traffic running locally on our backwater's network but also knew exactly where it was coming from so who to call to ask about it. This illustrated that security isn't just a matter of bugging people to change their passwords every few weeks, it requires constant monitoring and immediate investigation once an anomaly is detected.

    1. Claptrap314 Silver badge

      Re: It can be done properly

      NIST updated their recommendation in 2017. NO password rotation unless it has been leaked.

      1. J. Cook Silver badge

        Re: It can be done properly

        I'm assuming it's this document? Just making sure. :)

        More specifically, Section of that document:

        Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

        1. Snake Silver badge

          Re: should not require memorized secrets to be changed periodically

          I wish JPMorganChase would listen to that! I've made a complaint that they require a password change on their mobile POS product...and they promptly ignored me.

          As usual -_-

          Forcing password changes without good cause only reduces security, as people either: (a) get sick of the policy and create the simplest passwords to meet the requirements, or (b) run out of good ideas on secure passwords they can memorize and go back to the reasoning of factor (a).

  6. Alf Garnett

    I read somewhere, might have been The Register, an article that said many companies have determined that it's cheaper to clean up after a data breach than to try preventing them in the first place. United healthcare must be in that camp.

    There should be a law requiring companies that hold sensitive information about people ( medical records, financial data, etc) to take steps to secure that data. If there is a law in the U.S. like this already, United healthcare should be prosecuted for failing to obey it. Of course that won't happen. They'll just bribe congress so they don't create such legislation, or others in the government so they don't get prosecuted for violating it.

    1. Claptrap314 Silver badge

      The law (HIPPA) exists...

      enforcement however? ...

      1. J. Cook Silver badge

        Re: The law (HIPPA) exists...

        That is the weak spot in that law, along with some of the penalties, which after a certain point, don't really scale for when multi-nationals with annual revenue larger than a small country break it repeatedly. :(

  7. LogicalNiko

    Admit your mistakes

    I’ve been in the industry for about 20 years now and have done security and compliance from Federal Government, to Hospitals, to major healthcare providers, cloud providers, and tech startups. If you really want to make decisive changes and earn industry respect do it openly. Publicly commit to partnering with large names and use them to showcase how you can turn systems around. Publish white papers and stats on your journey over the next two years to help other companies do the same. Invite other healthcare medical providers to security open houses where you show examples of what you did wrong, and how you stopped doing it.

    Because fundamentally if you don’t make that change a pillar of how you’re different and bettering healthcare through trust and transparency, you will likely just end up sweeping your issues under the rug again after just hiring some consultants to hide the problems.

    1. UnknownUnknown

      Re: Admit your mistakes

      More fundamentally where are the SOC Audits and HIPPA Compliancy.

      Were they not done, or were they just horseshit ??

  8. Anonymous Coward
    Anonymous Coward

    For those who came late...

    I found out a MONTH BEFORE the hack that in order to connect to one of their endpoints, we had to spin up an out-of-maintenace distribution. Their ciphers were that old. That endpoint it fixed now.

    But just no.

  9. DJ

    A simple solution(?)

    Government fine schedule:

    First breach: 20% of prior calendar year's revenue (no, not profit).

    Second breach: 50% of prior calendar year's revenue.

    Third breach: 100% of prior calendar year's revenue.

    Mine's the one with the loose change in the pocket.

    1. Anonymous Coward
      Anonymous Coward

      Re: A simple solution(?)

      That fine plus proper customer compensation for the damage caused would certainly be appropriate. Then maybe ATT would not have maintained my info for 14 years after I stopped using their services then spill the beans so that now my address, email and SSN available on the internet for world and dog to see, use and abuse.

      The into ATT lost for me in their recent breach dates back to the end of 2010 or early 2011 when I last used their services. I can understand them needing my SSN to check credit when I signed up for their DSL service 9 or ten years earlier, But to keep that data for over 20 years and then losing it in a breach is unacceptable. They should be liable for the damages it causes. Somehow they think its ok to just pay for a year of credit monitoring.

  10. moonpunk

    Paying Ransoms...

    I know of a Police Authority in the UK who seriously contemplated paying a ransom after finding their data partially encrypted (they managed to stop the rest of the data being encrypted) - they had no network segmentation, and found their backup systems (which were not offline - were only online and connected to their live production network) were also affected! I know this because I was a consultant working on site and helping to manage the fallout. In one meeting the then Head of IT had said he spoke with senior management about the very real possibility of paying the ransom in order to get the keys!! Fortunately their bacon was saved when one of the more junior member so fhte team announced they had a lot of the data in an offline data warehouse he had been working on!

  11. DJSpuddyLizard

    Usually security is seen as an expense, and the goal of all CEOs is to reduce expenses and increase their bonuses,

    Maybe a class action lawsuit brought against United on behalf of 150M or so US residents could help change this?

  12. DerekCurrie

    United Health makes mucho money on a lousy reputation. WHY?

    I recall the State of New York, nearly two decades ago, suing United Health for scamming Medicare recipients, booting victims off their Medicare Part D plan to anything better. Now this crap. As far as I can tell, United Health's only friends are AARP. That's one major reason I have zero interest in AARP. Buying one's way into someone's approval is disturbing.

    Locally, United Health bought a large store front building in a popular neighborhood, put up their sign and did nothing-at-all with the property. The entire point was to make it LOOK like they had a presence there, which they literally did not. It was marketing BS. Again the word 'scam' had resonance.

    Don't, IMHO of course, give them a second look.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like