Change Healthcare Cyberattack Caused by Flawed Cybersecurity Systems

ECE/Khoury Professor Kevin Fu explains how the poor design of Change Healthcare’s cybersecurity systems led to a nearly weeklong cyberattack that caused prescription delays at thousands of pharmacies across the country.

This article originally appeared on Northeastern Global News. It was published by Cesareo Contreras. Main photo: Change Healthcare’s systems have been offline since Wednesday, causing disruptions at major pharmacies in the United States. (AP Photo/Jim Mone, File)

Cyberattack on major health-tech company was caused by weak security infrastructure, Northeastern cybersecurity experts say

A nearly weeklong cyberattack at Change Healthcare has caused prescription delays at thousands of pharmacies throughout the country, highlighting the fragility of our health care systems and their reliance on third-party software makers for key infrastructure, says Kevin Fu, a Northeastern college of engineering professor and cybersecurity expert.

“I think it’s really a house of cards,” says Fu. “I think a lot of times companies, whether they are big or small, don’t realize how much they depend upon thousands of pieces of software. This particular [software] happens to be keystone to the whole practice of the delivery of health care. It’s deeply embedded into pharmacies. That’s why we are seeing these outages.”

Change Healthcare is a health-tech company that provides thousands of pharmacies and health care providers in the U.S. with tools that allow them to process claims and other essential payment and revenue management practices. The company reported it was under a cyberattack last Wednesday.

Kevin Fu, a professor in the Department of Electrical & Computer Engineering, studies cyber-physical systems. Photo by Matthew Modoono/Northeastern University

A day later, it informed the U.S. Securities and Exchange Commission of the incident, noting that it had “identified a suspected nation-state associated cyber security threat actor who had gained access to some of the Change Healthcare information technology systems.”

In response to the attack, the company, which is a subsidiary of United Healthcare, took its systems offline as it worked to investigate and resolve the issue, causing prescription delays at pharmacies like CVS and Walgreens.

As of Tuesday, Feb. 27, its systems remain offline, but 90% of the pharmacies affected by the attack have found workarounds to continue to provide services to customers, according to a statement Change Healthcare’s parent company, UnitedHealth, provided to CNBC.

Reuters has reported the attack was carried out by hackers who are part of the notorious ransomware gang Blackcat. Change Healthcare representatives, however, have not confirmed that or shared more details on the attackers.

Fu says the fact that the company had to shut down its systems at all is a major indication that its systems were not designed properly with cybersecurity in mind.

Read full story at Northeastern Global News

Related Faculty: Kevin Fu

Related Departments:Electrical & Computer Engineering