Health-ISAC’s response to the Change Healthcare incident and Recommendations for Action
The Chief Security Officer (CSO) at Health-ISAC recommends the following:
- Identify and analyze health sector systemic risks
- Determine key supplier and sector concentration risks
- Discern lessons learned and update Incident Response Plans
- Hold industry exercises to identify single points of failure and communication gaps
April 21, 2024, a blog written by Errol Weiss
Health Information Sharing and Analysis Center (Health-ISAC) greatly appreciates the time and attention that the United States Congress is giving to the Change Healthcare incident. Specifically, we found Senator Gillibrand’s recent open letter to Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Department of Health and Human Services (HHS) Secretary Xavier Becerra, along with the Energy and Commerce Committee’s outreach to the UnitedHealth CEO, to be encouraging examples of how Congress can create urgency and bring focus to issues of grave importance like cybersecurity in the healthcare sector. While this outreach has been focused on the role of the US government and UnitedHealth itself, this blog hopes to complete the incident response picture by highlighting the actions of the healthcare industry led by Health-ISAC. Specifically, I show how Health-ISAC’s facilitation of timely and actionable information sharing, along with trusted guidance and alerts, helped mitigate further impacts from this incident, and how it contributes generally to the healthcare sector in collaboration with its industry and government partners globally.
What is Health-ISAC?
Health-ISAC is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other. Health-ISAC’s membership is inclusive of all types of entities operating in the healthcare sector, and its nearly 900 institutional member organizations, reaching more than 12,000 health IT and security professionals, are located in more than 140 countries.
The vast majority of Health-ISAC’s operating expenses are funded through membership dues with the remaining revenues coming from vendor sponsorships. Health-ISAC receives no government grants. Since its formation in 2010, Health-ISAC has grown significantly in membership, capabilities, and geographic coverage.
Completing the Picture: The Change Healthcare Incident
Even within the context of the relentless wave of cyberattacks targeting the healthcare sector in recent years, the cyberattack against UnitedHealth Group (UHG) subsidiary, Change Healthcare, that became public on February 21, 2024, has become a sobering example of just how devastating such an incident can be for healthcare entities and the patients they serve. Despite how damaging the attack and its aftermath have been, it is worth noting how the efforts of the healthcare community over the past several years have informed the private sector’s response and helped mitigate a more catastrophic outcome. As Congress and the Biden administration look to improve cybersecurity and resiliency in the healthcare sector going forward, it is critical that they understand the role the private sector, through Health-ISAC, played in response to that incident and the day-to-day value Health-ISAC brings to its member organizations.
Information Sharing, Guidance, and Alerts
A founding principle of Health-ISAC, to help each member organization improve the resilience of its operations and ultimately improve patient safety, is perhaps best exemplified through the facilitation of timely, actionable, and relevant information sharing, guidance, and alerts. The core function of the Health-ISAC community includes sharing intelligence on threats, incidents and vulnerabilities that can include indicators of compromise, tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material.
During the Change Healthcare incident, Health-ISAC played a key role as the authoritative voice for the entire healthcare sector globally. Within the first week of the Change Healthcare incident, Health-ISAC contributed to the response efforts in multiple ways:
- Feb 21 – Hours after the Change Healthcare incident was announced, Health-ISAC hosted a dedicated channel in a Secure Chat environment to bring Members together to share desperately needed advice as organizations clamored for information necessary to frame up their own response strategies. Over 700 individuals joined the channel and over 1,600 messages were posted in the days following the incident.
- Feb 21 – Health-ISAC alerted members about the Change Healthcare incident with resources to find additional information about the incident and recommendations on network connectivity with UHG.
- Feb 22 – Health-ISAC provided members with an invitation to an American Hospital Association (AHA) hosted call to discuss the incident with the Federal Bureau of Investigation (FBI) and CISA.
- Feb 23 – Health-ISAC began to provide Indicators of Compromise (IOCs) to members only.
- Feb 24 – Health-ISAC provided additional IOCs to members.
- Feb 25 – UHG began to provide indicators of compromise (IOCs) relating to the incident directly to Health-ISAC. Health-ISAC shared the IOCs with members and other critical infrastructure sector ISACs.
- Feb 26 – Health-ISAC shared updated recommendations, including maintaining network connectivity with safe UHG systems, and IOCs at TLP:WHITE with Health-ISAC members plus AHA, CHIME and the Health Sector Coordinating Council. We wanted to ensure the entire health sector benefited from this information – not just members – and we estimate that more than 250,000 people received those recommendations. Health-ISAC also shared the advisory with HHS, CISA, FBI, other partners and 21 other ISACs/ISAOs/CERTs and posted the information publicly on our website. Visits to Health-ISAC’s website increased by 45% after the recommendations were posted there.
Throughout the incident, Health-ISAC provided a secure and trusted forum for members to collaborate, share information and learn from each other to protect their respective networks and maintain essential services. Health-ISAC also provided authoritative and responsible advice to the global healthcare community and served as a conduit for organizations to anonymously provide vital information that could be shared broadly.
Recommendations – Public & Private Partnership
While these immediate contributions during the initial response were especially beneficial to the healthcare sector community, Health-ISAC continues to contribute to the long-tail of recovery operations, collecting lessons learned and exploring areas for improvement. In the months to come, Health-ISAC will take numerous follow-on actions to better prepare its members, including:
- Convene working groups that assess the Change Healthcare attack and the healthcare sector’s response to discern lessons learned and inform revisions to Health-ISAC and member Incident Response policies and procedures.
- Integrate elements of the Change Healthcare attack into tabletop exercises and workshops to help identify single points of failure and better prepare members for similar events in the future.
- Establish working groups with public- and private-sector participants to identify and analyze systemic risks across the health sector and recommend near- and long-term actions to ensure the sector is resilient. The task force will take into consideration the complexities and interdependencies between the major sub-sectors within the healthcare and public health (HPH) sector: healthcare delivery, insurance, medical devices, and pharmaceuticals, to name a few. Each of these sub-sectors faces its own specific risks while simultaneously having shared responsibility to ensure that safe, secure, and timely patient care is delivered under all circumstances.
- Collaborate with public- and private-sector subject matter experts to identify key supplier and concentration risks in the health sector and help create a strategy to mitigate those risks.
All of these actions are the result of years of continuous hard work to build up Health-ISAC’s community since its founding in 2010, and expand its expertise and capabilities. The rapidity of trusted information sharing, guidance, and alerts within the first few hours and days was vital to ensuring that the global healthcare community could make informed decisions as to how best to protect themselves while maintaining a high level of operational efficiency.
Conclusion
We thank the members of Congress and the Biden administration for their support and attention to the cybersecurity and resilience challenges facing the healthcare and public health sector in the US and around the world. We look forward to continuing and growing our partnerships and collaboration in achieving a safer and more secure healthcare sector for all patients.
More reading: Beyond Change Healthcare: How Health-ISAC Serves the Healthcare Sector
Published by
Errol Weiss
Chief Security Officer (CSO) at Health-ISAC
Very proud of Health-ISAC’s response to the ongoing Change Healthcare incident, including the hundreds of members collaborating every day since the event became public on February 21. Members are helping each other out to get systems back up and running.
Looking ahead, there are things we can do to improve sector resilience and ensure safe, secure and timely patient care is delivered under all circumstances. Join us and become a part of the solution. DM me to learn more.