Change Healthcare Cyberattack Caused by Flawed Cybersecurity Systems
ECE/Khoury Professor Kevin Fu explains how the poor design of Change Healthcare’s cybersecurity systems led to a nearly weeklong cyberattack that caused prescription delays at thousands of pharmacies across the country.
Cyberattack on major health-tech company was caused by weak security infrastructure, Northeastern cybersecurity experts say
A nearly weeklong cyberattack at Change Healthcare has caused prescription delays at thousands of pharmacies throughout the country, highlighting the fragility of our health care systems and their reliance on third-party software makers for key infrastructure, says Kevin Fu, a Northeastern college of engineering professor and cybersecurity expert.
“I think it’s really a house of cards,” says Fu. “I think a lot of times companies, whether they are big or small, don’t realize how much they depend upon thousands of pieces of software. This particular [software] happens to be keystone to the whole practice of the delivery of health care. It’s deeply embedded into pharmacies. That’s why we are seeing these outages.”
Change Healthcare is a health-tech company that provides thousands of pharmacies and health care providers in the U.S. with tools that allow them to process claims and other essential payment and revenue management practices. The company reported it was under a cyberattack last Wednesday.
A day later, it informed the U.S. Securities and Exchange Commission of the incident, noting that it had “identified a suspected nation-state associated cyber security threat actor who had gained access to some of the Change Healthcare information technology systems.”
In response to the attack, the company, which is a subsidiary of United Healthcare, took its systems offline as it worked to investigate and resolve the issue, causing prescription delays at pharmacies like CVS and Walgreens.
As of Tuesday, Feb. 27, its systems remain offline, but 90% of the pharmacies affected by the attack have found workarounds to continue to provide services to customers, according to a statement Change Healthcare’s parent company, UnitedHealth, provided to CNBC.
Reuters has reported the attack was carried out by hackers who are part of the notorious ransomware gang Blackcat. Change Healthcare representatives, however, have not confirmed that or shared more details on the attackers.
Fu says the fact that the company had to shut down its systems at all is a major indication that its systems were not designed properly with cybersecurity in mind.
Read full story at Northeastern Global News