
As soon as 2024 began, the healthcare industry's already poor cybersecurity record was broken once again: the ransomware incident suffered by Change Healthcare, a subsidiary of UnitedHealth Group, has been called the most severe cybersecurity disaster in the U.S. healthcare industry to date.
This incident is unprecedented in its broad scope, profound impact, and prolonged duration, to the extent that the U.S. Department of State publicly offered a $10 million reward on March 27, encouraging insiders to provide information leading to the apprehension of the hackers responsible.
Why did this severe cybersecurity disaster make history, and what insights can we draw from it? VCBeat conducted in-depth interviews with industry experts to provide a reference for the sector.
Change Healthcare was founded in 2006 and went public in 2019. By 2021, it had become the largest commercial prescription processor in the United States, handling 15 billion transactions annually, accounting for approximately one-third of all online prescriptions nationwide. Its payment and settlement network covers around 900,000 physicians, 118,000 dentists, 3,300 pharmacies, 5,500 hospitals, and 600 laboratories across the country.
In 2021, Optum, a subsidiary of UnitedHealth Group, acquired Change Healthcare for $13.5 billion. This marked the largest acquisition in UnitedHealth’s history and once triggered an antitrust lawsuit by the U.S. Department of Justice. Although the deal was ultimately approved, the public has continued to question its rationale.
Starting February 21, 2024, Change Healthcare’s payment network was subjected to a cyberattack, preventing pharmacies and healthcare facilities across the United States from issuing prescriptions and processing insurance claims. For security reasons, the American Hospital Association (AHA) advised all healthcare institutions using the Change Healthcare clearinghouse network to consider proactively disconnecting from it. As a result, approximately one-third of the nation’s healthcare payment and settlement networks were completely paralyzed.
On February 28, one week later, the AlphV/BlackCat hacker group, which had launched attacks against MGM and Kaiser Permanente last year, claimed responsibility for the incident, stating that it had stolen up to 8 TB of data, including patients' personal information and corporate data. The hackers demanded a $22 million ransom from UnitedHealth, a record for the healthcare sector, threatening otherwise to make all of the stolen data public.
UnitedHealth quickly acknowledged the hacking group’s claims. Subsequently, foreign media reported that a Bitcoin address linked to AlphV received $22 million worth of Bitcoin in a single transaction on March 1. Although UnitedHealth refused to confirm this, many analysts believe that, given the characteristics of blockchain technology, this transaction was highly likely the ransom paid by UnitedHealth.
The disruption of the settlement network caused significant inconvenience. Affected parties were unable to access prescriptions online or process insurance claims and payments. Patients were forced to pay out of pocket for medications, let alone receive the discounts they were entitled to. Many healthcare institutions failed to receive insurance reimbursements; while large medical facilities could rely on cash reserves, community physicians had to dip into savings or even borrow money to barely cover their expenses.
Out of necessity, various parties have implemented numerous temporary measures. For instance, the U.S. Department of Health and Human Services (HHS) has required payers to waive or relax prior authorization requirements during network outages and has provided advance payments to healthcare providers most severely affected by the cyberattack. Additionally, some regional regulatory authorities have mandated the acceptance of paper or faxed claims for reimbursement and have extended the deadlines for submitting such claims.
UnitedHealth also launched a temporary financial assistance program on March 1, providing funding to affected physicians and healthcare facilities until payment processing is fully restored. The program covers the difference between their historical payment levels during the same period and the payments made after the network outage. As of April 3, UnitedHealth claimed to have provided nearly $4.7 billion in subsidies.
However, this does not cover all losses. Whatever alternative solution is adopted, workflows must change significantly, which incurs substantial additional costs. According to foreign media reports, one affected physician stated that the incident resulted in up to $50,000 in additional wage expenses; another physician estimated that it had led to $100,000 in extra costs.
Based on estimates, daily losses for physicians and healthcare institutions alone exceed $100 million, posing severe financial challenges to healthcare institutions that were already facing tight liquidity.
Statistics from the American Hospital Association show that 94% of surveyed hospitals are experiencing the financial impact of cyberattacks, with 82% reporting that service disruptions have affected their cash flow. Thirty percent of hospitals indicated that more than half of their revenue was impacted. Furthermore, nearly three-quarters of the surveyed hospitals stated that service disruptions have had a direct impact on patient care.
This discontent has naturally led to a surge in accusations and lawsuits against UnitedHealth Group. Meanwhile, calls for the breakup of UnitedHealth have grown increasingly loud. The company’s stock price has also been severely affected; its closing price was $521.97 on February 21, after which it slid continuously, hitting a low of $439.20. Although the share price briefly rebounded to around $501 following the release of its first-quarter financial report, it has since resumed its decline.
More than three weeks after the incident, Change Healthcare's network finally began to recover gradually. Starting March 15, core platform functionalities were progressively restored, and processing of the $14 billion in backlogged claims commenced. However, as of late April, the platform had not yet fully recovered, with some features remaining unavailable. Obviously, the repair work was not as easy as imagined.
On the other hand, a data breach incident previously thought to be resolved has taken a dramatic turn for the worse. Typically, organized data extortion involves multiple groups with clearly defined roles, sharing ransom payments according to prearranged agreements. However, in early April, a hacking group known as RansomHub claimed that AlphV had absconded with the funds and failed to pay their agreed-upon share, demanding that UnitedHealth Group pay the ransom.
Subsequently, in mid-April, the group publicly posted documents on the dark web to substantiate its claims, including patients’ personal information such as e-bills, insurance records, and medical data, as well as contractual agreements between Change Healthcare and its partners.
As of now, UnitedHealth has yet to respond, making the future developments a matter of close attention.
An obvious question arises: Change Healthcare and its parent company, UnitedHealth, are undoubtedly at the pinnacle of the global healthcare industry. Theoretically, their cybersecurity defenses should rank among the best in the entire sector. So why did such a giant fail to prevent a cyberattack?
Wen Jinyi, Senior Expert of Sangfor's Security Products, told VCBeat that the "triple extortion" attack recently experienced by Change Healthcare, a subsidiary of UnitedHealth Group, is a highly prevalent cyberattack method in recent years and is extremely difficult to prevent.
“The so-called triple extortion combines three attack methods. The first involves infiltrating systems to encrypt and lock core data, rendering it inaccessible to the target and causing business operations to grind to a halt. The second entails launching over-saturated DDoS attacks against the target’s servers and networks after infiltration, completely paralyzing the compromised infrastructure. In some cases, hackers even engage in persistent harassment of the target’s senior executives and customers. The third method involves stealing data prior to encryption and threatening to publicly disclose it.”
“Such highly targeted intrusions are often meticulously planned, with preparation in some cases spanning years. Even industry giants like UnitedHealth Group find it difficult to defend against them; refusing to pay the ransom directly risks operational shutdowns. Even if operations are restored, the public disclosure of leaked core data can lead to significant legal liabilities, resulting in substantial financial losses and long-term damage to brand reputation. Thus, companies face a dilemma,” said Wen Jinyi.
Concerningly, the healthcare industry is experiencing rapidly escalating cyberattacks. A report by cybersecurity firm Emsisoft shows that in 2023, the U.S. healthcare industry suffered 46 cyberattacks, nearly double the 25 recorded in 2022. These attacks affected up to 141 healthcare organizations, impacting approximately one-third of the U.S. population.
Hackers' demands are growing increasingly ambitious, with ransom amounts rising rapidly. In 2018, the average ransom demanded per data extortion incident in the U.S. healthcare industry was only $5,000; by 2023, this figure had surged to $1.5 million, a 300-fold increase within just a few years.
In fact, this is merely the tip of the iceberg; there are far more cyberattack incidents that have not been disclosed.
The current state of cybersecurity in China’s healthcare industry is equally grim. In recent years, there have been recurring rumors that domestic medical institutions, having fallen victim to data ransomware attacks, were compelled to pay ransoms.
Regarding the significant cybersecurity challenges facing China’s healthcare industry, Xu Hui, Executive Deputy General Manager of CEC Digital, believes that there are several primary causes:
First, the most critical reason is insufficient budgetary funding. "Investment in cybersecurity is relatively more sufficient at large Grade-A tertiary hospitals in first- and second-tier cities with more developed economies. However, medical institutions in economically underdeveloped areas, particularly at the primary care level and in remote mountainous regions, struggle to sustain routine medical operations, let alone secure adequate funding for cybersecurity safeguards," he stated.
Meanwhile, there is also an uneven distribution of talent across regions. Xu Hui stated that cybersecurity and data security are emerging industries, with an inherent shortage of qualified security professionals in the market. Most of these professionals are concentrated in first- and second-tier cities with higher levels of economic development, making it difficult for technical expertise to reach third- and fourth-tier cities. "For hospitals in economically underdeveloped regions, it is not even easy to find professional security firms for consultation and exchange," he added.
Insufficient investment has severely constrained the security capabilities of medical institutions. Peng Kejian, a data security technology expert at Meichuang Technology, made this point in an interview with VCBeat: most hospitals have extremely limited budgets for cybersecurity. "While a few well-known hospitals possess relatively strong IT capabilities, the majority suffer from severe staffing shortages in their information technology departments. Some hospitals have only two or three staff members in total, with varying levels of professional competence. They are already stretched thin maintaining the operation and maintenance of their IT systems, let alone addressing network and data security."
“Hospitals face numerous compliance requirements, with 80–90% of their annual IT investments allocated to supporting business operations. Budgets for cybersecurity are minimal, typically covering only the mandatory costs of Multi-Level Protection Scheme (MLPS) assessments. Beyond that, it is largely infeasible to undertake additional security infrastructure development or upgrades,” he stated.
“For example, a bastion host is an essential security mechanism. Under normal circumstances, third-party operations and maintenance (O&M) personnel must obtain accounts allocated through the bastion host to log in to hospital server resources, thereby achieving secure and controllable access. However, we have found that many hospitals only enable their bastion hosts during classified protection testing and inspections, rarely using them in daily operations. Since hospitals typically deploy numerous information systems—dozens of business systems may involve different vendors—O&M personnel often perceive account allocation and permission management via bastion hosts as significantly increasing their workload. Additionally, configuring these systems requires a certain level of technical expertise. As a result, some hospitals seldom activate their bastion hosts,” he added.
Peng Kejian further stated that most hospitals lack a proactive mindset toward network and data security. "Many hospitals adopt a job rotation system to appoint executives in charge of IT, leading to the perception that the lack of investment in cybersecurity over the years has not caused any significant issues. Hospitals tend to take action only after actually experiencing a security incident, such as responding to data ransomware attacks by seeking solutions and deploying corresponding products."
In terms of specific technical details, Wen Jinyi offered a distinct perspective, believing that neglecting endpoint-side defenses is a common problem in the current medical industry. "Many hospitals still adhere to traditional thinking, aiming to fortify their perimeters by layering security measures at the gateway level, such as situational awareness systems and firewalls. They strive to keep network threats outside the 'wall' as much as possible. Although endpoint security, the last mile of cybersecurity, has seen slight improvements in recent years, it is estimated that at least two-thirds of healthcare clients remain largely neglectful in this area."
“I have seen many clients either install nothing at all or simply deploy a basic, traditional antivirus solution. Traditional antivirus software relies on simple signature- and rule-based comparisons to identify threats, leaving it ill-equipped to handle rapidly evolving variant threats. New threats can not only easily bypass detection by traditional antivirus programs but also directly uninstall them, leaving endpoints unprotected—effectively equivalent to having no protection installed at all.”
Fortresses are often breached from within; just as it was with the Trojan Horse thousands of years ago, so it remains in today’s cybersecurity landscape.
“The traditional defense strategy of ‘prioritizing the network over endpoints’ is no longer viable. The successful breach of UnitedHealth was most likely due to successful poisoning attacks originating from the endpoint side. The larger an enterprise is, the more numerous and dispersed its endpoint devices become. To address these emerging threats, it is essential to implement unified hardening of endpoint security, particularly for servers.”
Wen Jinyi believes that there are three main reasons for the “network-heavy, endpoint-light” approach. The first is that hospital IT personnel’s understanding of cybersecurity remains stuck in the past, leading them to favor this approach.
The second concerns large hospitals with a vast number of endpoints, including PCs and servers, which makes operations and maintenance (O&M) management extremely challenging. He believes that strengthening endpoint security would further complicate daily security O&M. "Under the previous model, when physicians reported slow computer performance, the IT department would simply send someone to check the issue or install antivirus software. Strengthening endpoint security raises the bar for O&M capabilities; if not handled properly, it could directly isolate certain business-critical processes and thereby disrupt clinical operations—after all, hospitals rely on numerous informatics systems of varying quality and provenance. For the IT department, this could become a thankless task."
The third category concerns cost considerations. On one hand, the investment required for endpoint security is substantial; on the other, deployment poses a significant challenge for IT operations and maintenance (O&M). Large tertiary hospitals have a vast number of endpoints, including PCs and servers. Even setting aside the costs of security solutions, hospitals must address how to achieve rapid, batch deployment and installation, and how to ensure that such installations do not disrupt clinical operations. Many hospital computers have not been upgraded for years, and hardware modernization alone represents a considerable expense.
Clearly, the latter two causes are essentially attributable to insufficient investment.
“Most hospitals still only meet the mandatory compliance requirements for China’s Classified Protection of Cybersecurity (MLPS), which essentially just requires them to install basic antivirus software. As long as no security incidents occur, meeting these minimal requirements is considered sufficient,” added Wen Jinyi.
Clearly, compliance with the Multi-Level Protection Scheme (MLPS) may be one of the few drivers currently motivating hospitals to invest in security. But is it sufficient to meet cybersecurity needs?
For hospitals, compliance with the Classified Protection of Cybersecurity (MLPS) is a mandatory requirement. As early as December 2011, the former Ministry of Health issued the Guiding Opinions on Information Security Classified Protection in the Health Industry, requiring the health sector to carry out security classification in accordance with the Guidelines for Grading Information System Security under the Classified Protection of Information Security Technology. It was explicitly stated that the security protection level for critical health information systems should, in principle, be no lower than Level 3. This framework is commonly referred to as MLPS 1.0.
In May 2019, the State Administration for Market Regulation and the Standardization Administration of China released the “Information Security Technology—Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019),” which came into effect in December 2019, marking China’s entry into the era of Classified Protection 2.0. Compared with Classified Protection 1.0, Classified Protection 2.0 features more detailed requirements and covers a broader range of systems.
The "Accreditation Standards for Tertiary Hospitals (2020 Edition)," released at the end of 2020, further implemented a "one-vote veto" system for security. The first part, covering prerequisite requirements, states that "occurrence of large-scale medical data breaches or other major cybersecurity incidents causing serious consequences" will result in a one-year postponement of the accreditation review. During the postponement period, the hospital's original accreditation level shall be revoked, and it shall be managed as "unrated."
These regulations have effectively heightened hospitals’ emphasis on cybersecurity, particularly among tertiary hospitals. According to the CHIMA “2021–2022 Survey on the Status of Hospital Informatization in China,” 86.4% of the tertiary hospitals in the survey sample passed the Level 3 evaluation of the Multi-Level Protection Scheme (MLPS).
However, only 22.22% of hospitals below Grade III have passed the Level 3 MLPS assessment. On average, merely 63.56% of hospitals have passed the Level 3 MLPS assessment. It is evident that more time is needed to fully promote Level 3 MLPS compliance.
Furthermore, under the current circumstances, most hospitals merely aim to meet the minimum requirements for compliance with the Classified Protection of Cybersecurity (MLPS), which contradicts the original intent of the classified protection framework. The largest group of hospitals, 18.66%, had only one system that passed the Level 3 Classified Protection assessment; those with two systems passing the assessment accounted for 15.15%, ranking second.
There is also good news: 14.11% of hospitals have had five systems pass the Level 3 Classified Protection of Cybersecurity, nearly doubling compared to a year ago.
Even so, Level 3 MLPS compliance merely meets the most basic cybersecurity requirements. Peng Kejian stated, "A hospital that has achieved Level 3 Classified Protection of Cybersecurity has met the basic cybersecurity requirements. In recent years, digitalization has advanced rapidly, with many new business lines and scenarios emerging. Frankly speaking, Level 3 Classified Protection serves as a compliance baseline; it is essential to fully consider the cybersecurity and data security risks posed by various business scenarios and to establish a multi-layered security protection system."
Lin Lu, Director of Data Security Products at Anheng Information, also expressed the same view: “Level 3 Classified Protection of Cybersecurity (MLPS 2.0 Level 3) can provide basic security capabilities. From a legal and compliance perspective, MLPS 2.0 Level 3 is also mandatory for hospitals. However, I believe that MLPS 2.0 Level 3 alone cannot guarantee that hospitals will be able to cope with new types of cyberattacks, such as data ransomware.”
"MLPS assessment actually targets the classification of a specific system within an organization, rather than evaluating the overall security level of an entire hospital. For hackers, there is no need to breach the systems with the highest MLPS rating, namely those that have passed Level 3 MLPS compliance. They often breach the most exposed system with the lowest level of protection, and then gradually penetrate into the core systems. This is what we in security call the 'wooden bucket principle' (a bucket holds only as much water as its shortest plank)."
Lin Lu stated that the current Level 3 Classified Protection of Cybersecurity (MLPS 2.0) represents the optimal solution after considering practical implementation and cost inputs. It is unrealistic to mandate compliance at the organizational level or to require all hospital systems to pass the assessment in the short term. “After all, annual IT investment is limited. These systems incur costs not only for construction and maintenance but also for MLPS assessments. As we know, the cost of Level 3 MLPS certification varies by region, typically ranging from RMB 50,000 to 80,000 per year. For a hospital with dozens of systems, the annual MLPS assessment fees alone can reach millions of yuan. Therefore, comprehensive coverage is currently impractical.”
Technically speaking, the measures for strengthening cybersecurity are the oft-repeated ones: regular data backups, security awareness training, timely patch upgrades and update management, network segmentation, access control, emphasis on email and network security, endpoint protection, development of incident response plans, regular security audits, and periodic backup testing and verification.
By implementing these mitigation strategies, hospitals can enhance their resilience against ransomware attacks and minimize the potential impact on their operations and data. However, the key issue lies in the extent to which these measures can be effectively implemented.
Xu Hui offered several insights on how to help the healthcare industry address cybersecurity challenges.
First, it is necessary to improve the cybersecurity assurance mechanism in the healthcare industry and strengthen cooperation and coordination among all parties. Xu Hui believes that all parties involved in security, including government departments, industry associations, service providers, and medical institutions, need to strengthen cooperation for joint prevention and control.
“We refer to strengthened cooperation not as a unilateral approach where each party views the issue from its own standpoint through a single lens. For instance, cybersecurity and data security service providers often lack sufficient understanding of the healthcare industry. To effectively serve healthcare institutions, it is essential to take a comprehensive, multi-dimensional approach that integrates scenario-based practices, legal and compliance requirements, and the actual operational realities of hospital management. Furthermore, since data lies at the core of hackers’ interests and is constantly flowing with high dynamism, it is difficult to clarify through a single-dimensional perspective. Only through collaborative efforts by all stakeholders can appropriate and effective solutions be identified,” he stated.
Secondly, in addition to strengthening technical safeguards, it is also essential to continuously improve the cybersecurity management system. "Ultimately, security relies 30% on technology and 70% on management; establishing sound security management systems and procedural mechanisms is therefore critical. Although Level 3 Classified Protection of Cybersecurity (MLPS 2.0) provides only foundational security capabilities, it encompasses over 300 specific requirements across 14 aspects, offering significant guidance for the development and improvement of hospitals' cybersecurity assurance systems," he stated.
Xu Hui further stated, “The high-value data held by the healthcare industry is the primary target of data ransomware attacks. Therefore, following the Cybersecurity Law, China rapidly introduced a series of laws and regulations, including the Data Security Law, to extend coverage to areas not addressed by existing cybersecurity measures. In addition to the current three-tiered Classified Protection of Cybersecurity system, relevant standards for classified protection of data security are expected to be released in June. It is anticipated that more policy guidelines and industry standards will be intensively issued in the near future.”
Xu Hui finally mentioned that the top-level design for data security is currently insufficient in terms of industry adaptation. Its foundation lies in the classification and grading of data, which differs significantly from traditional cybersecurity and requires a strong integration of technology with industry-specific adaptation. From the perspective of individual hospitals, their practices regarding data usage, management, and workflows are inconsistent. Therefore, it is necessary to further refine the detailed standards.
Cybersecurity in the healthcare industry, and even more so data security, is undoubtedly a significant and long-term challenge that requires concerted efforts from all sectors. VCBeat has consistently monitored cybersecurity and data security within the healthcare industry. We hope this article will serve as an invitation for further discussion and welcome insights and leads from industry professionals.
References:
Andy Greenberg, Wired.com: Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment
Arundhati Parmar, Medcitynews.com: Tampa General Hospital CEO on Change Healthcare Breach: They Are Going To Have To Give an Update Soon
Emma Bardin, Medcitynews.com: Department of Justice sues to block UnitedHealth from acquiring Change Healthcare
Ron Harman King, Medcitynews.com: Healthcare Docket: A Near Doubling of Hospital System Cyberattacks Triggers Bipartisan Bill
Jill McKeon, healthitsecurity.com: HHS offers resource guide to providers impacted by Change Healthcare cyberattack
Victoria Bailey, healthitsecurity.com: Change Healthcare cyberattack affecting hospital finances, care access
Fred Pennic, hitconsultant.net: UnitedHealth Faces New Ransomware Threat After Alleged $22M Payment Failure
Paige Minemyer, fiercehealthcare.com: AMA: 80% of docs have lost revenue amid disruptions from Change Healthcare cyberattack
CHIMA: Survey on the Status of Hospital Informatization in China (2021–2022)