More than two months after being hit with a cyberattack, Change Healthcare is still bringing its systems back online.
Restoring them hasn't been an easy task.
Change Healthcare, which UnitedHealth Group acquired for $13 billion in October 2022 and incorporated into its Optum brand, operates more than 100 online platforms, including critical systems enabling pharmacy transactions, claims processing, provider payments and prior authorizations. It works with government payers, insurance companies, health systems, hospitals, pharmacies, nursing homes, medical groups and infusion centers. The company processes 15 billion transactions a year and touches one-third of patient records.
The scope of Change Healthcare, coupled with its legacy technology, has complicated restoration efforts after ransomware group BlackCat, also called ALPHV or Noberus, allegedly infected systems and locked UnitedHealth Group out Feb. 21.
"Our response to this attack has been grounded in three principles: to secure the systems, to ensure patient access to care and medication, and to assist providers with their financial needs," UnitedHealth Group CEO Andrew Witty told House and Senate lawmakers Wednesday. "We have deployed the full resources of UnitedHealth Group in this effort. I want to assure the American public, we will not rest — I will not rest — until we fix this."
UnitedHealth Group directed Modern Healthcare to Witty’s testimony and to its Change Healthcare status website in response to requests for comment.
Restoration is complex
UnitedHealth Group has said it's taken a prioritized approach to bringing systems back online by first focusing on pharmacy processing, medical claims and payment systems, with ancillary service restoration still in progress. As of May 2, one-third of the 28 platforms catalogued on Change Healthcare's status website are marked as uninterrupted or fully restored, about half are partially available, five are in progress, and one is pending a restoration date.
Witty told the Senate Finance Committee Wednesday that core systems are back to normal. In a statement submitted to the committee, the American Medical Association disagreed with the assertion, citing a survey of members from April 19 to April 24.
The length of Change Healthcare's outage isn't necessarily an outlier, according to cybersecurity experts. Organizations usually design incident responses around containment, eradication and remediation, which can be a tedious endeavor, they said.
Following detection of the ransomware, UnitedHealth Group shut down all Change Healthcare systems, notified law enforcement, enlisted the help of cybersecurity experts and paid the $22 million ransom in Bitcoin to regain control of systems, Witty said to lawmakers Wednesday. The company has also replaced thousands of laptops, reset passwords and rebuilt its data center, Witty shared in his written testimony for the House Energy and Commerce Committee's Oversight and Investigations Subcommittee, before which he also appeared Wednesday.
Companies will typically attempt to retrace the hackers’ steps to see what information was accessed and whether it included financial or protected health information — a potentially time-consuming process in this case, considering UnitedHealth Group said Monday hackers were in its systems for nine days before launching the ransomware.
“You cannot independently restore systems without understanding how the bad actors were able to penetrate the network,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.
Witty told lawmakers hackers used stolen credentials to access a platform that grants employees remote access to systems.
Given Change Healthcare's many platforms, UnitedHealth Group probably has had to be careful about bringing systems back online in the correct order to limit the risk of corrupting data, Riggi said.
“When you have networks vast and complex like Change, [restoration] must be done in a very methodical sequenced way, so it isn't like flipping a light switch and everything turns back on," Riggi said.
Microsoft and Amazon Web Services, along with cybersecurity companies Palo Alto Networks, Mandiant, Tenable, Bishop Fox and Trend Micro, are assisting UnitedHealth Group, including by scanning systems for vulnerabilities, performing penetration tests, rescanning services and conducting forensic analyses before advising customers on reconnection, according to Change Healthcare's status webpage. In addition, Mandiant is now a permanent UnitedHealth Group board advisor, Witty told lawmakers.
“As part of restoration efforts, if you connect a system that is still vulnerable back to the network, the ransomware could reinfect that asset and essentially take you back to square one,” said Marty Edwards, deputy chief technology officer at Tenable, speaking generally about what vulnerability scanning involves. “It is essential that organizations prove that they have cleaned and eliminated these vulnerabilities prior to placing the asset back into production."
Use of legacy technology
Change Healthcare’s dated technology has complicated matters.
UnitedHealth Group was still in the process of integrating Change Healthcare and upgrading its servers with stronger cybersecurity standards when the attack took place, Witty told lawmakers Wednesday. In the meantime, UnitedHealth Group failed to establish reliable backups for many Change Healthcare functions and did not adhere to the parent company's policy of requiring multi-factor authentication on external platforms, he said.
"The attack itself had the effect of locking up the various backup systems which had been developed inside Change before it was acquired. That's really the root cause of why it's taken so long to bring it back," he said.
Change Healthcare is "a 40-year-old company with many different technology generations within it," Witty said.
Change Healthcare's history of acquisitions could be adding to the impediments, said Stuart Hanson, CEO of data-exchange and blockchain company Avaneer Health. Hanson served as senior vice president and general manager of consumer payment solutions at Change from 2015 to 2018.
“Many times, when [Change Healthcare] acquired those companies that were adjacent or complementary to their business, [it] continued to operate those old legacy systems,” Hanson said. “That makes it hard because then you've got people trying to either relearn or learn old code, and then try to untangle it, identify where the weak points were and try to fix things."
The cyberattack took the greatest toll on Change Healthcare servers stored in data centers, which included many core and backup systems, forcing the company to rebuild systems from the ground up, Witty said.
"The elements which were in the older data centers — and had within them [multiple] layers of historical legacy technologies — that was the challenge," he said.
The Change Healthcare servers stored in the cloud were brought back online almost immediately, Witty said.
“The reason why it's taken longer than you might expect to recover is we've literally built this [clearinghouse] platform back from scratch so that we can reassure people that there are no elements of the old, attacked environment within the new technology,” Witty said.
Most of the new platforms will be cloud-based "with much greater built-in security capabilities than anything that pre-existed the attack," he said.
UnitedHealth Group said during its earnings call April 16 that the cyberattack has already cost $872 million. The majority of the money has gone toward direct response expenses, such as the restoration of its clearinghouse platform.
Uncertainty lingers
As Change Healthcare's systems come back online, customers are navigating the necessary reconnection process.
UnitedHealth Group said on its status webpage it is providing third-party attestations for each restored system verifying it’s safe to connect. Optum’s security team, Palo Alto and Mandiant are also continually monitoring core services, according to UnitedHealth Group.
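The reconnection checks described by Edwards (prove an asset is clean before it goes back into production) and the per-system attestations mentioned above can be reduced to a gate that a customer or internal team runs before reconnecting an asset. The following is an added illustration, not code from the article, UnitedHealth Group, Change Healthcare, or any of the vendors named; the asset names, scan findings and timestamps are constructed sample data, and an HMAC key stands in for the attesting party's signing key. The point it adds beyond the text is binding: an attestation is only useful if it names the exact asset and the exact scan result it vouches for, and if that scan postdates the rebuild, otherwise an old or borrowed attestation can wave through a host that was never re-examined.

```python
"""Reconnection gate for a rebuilt asset (added example, not the companies' own code).

An asset may return to production only if (1) its vulnerability scan is newer
than its rebuild, not stale, and free of open findings at or above the
blocking severity, (2) a third-party attestation is bound to that asset and
that scan result, and (3) any externally reachable surface enforces MFA.
All data below is constructed; the HMAC key is a stand-in for a real signature.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCKING_SEVERITY = "high"          # open findings at or above this block reconnection
MAX_SCAN_AGE = timedelta(hours=48)   # older scans must be rerun before reconnecting


def canonical(obj) -> bytes:
    """Stable JSON encoding so attester and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def scan_digest(scan: dict) -> str:
    return hashlib.sha256(canonical(scan)).hexdigest()


def sign_attestation(key: bytes, asset_id: str, scan: dict, issued_at: str) -> dict:
    """Hypothetical attesting party: its verdict is tied to asset id + scan digest."""
    body = {"asset_id": asset_id, "scan_sha256": scan_digest(scan),
            "issued_at": issued_at, "verdict": "safe_to_connect"}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def reconnect_decision(asset: dict, scan: dict, attestation: dict, key: bytes, now: datetime):
    """Return (allowed, reasons). Every failed check is reported, not just the first."""
    reasons = []
    body = attestation["body"]
    # 1. attestation integrity and binding to this asset and this scan
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["mac"]):
        reasons.append("attestation signature invalid")
    if body.get("asset_id") != asset["id"]:
        reasons.append("attestation is for a different asset")
    if body.get("scan_sha256") != scan_digest(scan):
        reasons.append("attestation does not match the supplied scan")
    if body.get("verdict") != "safe_to_connect":
        reasons.append("attestation verdict is not safe_to_connect")
    # 2. scan freshness: must postdate the rebuild and not be too old
    scanned = datetime.fromisoformat(scan["completed_at"])
    rebuilt = datetime.fromisoformat(asset["rebuilt_at"])
    if scanned < rebuilt:
        reasons.append("scan predates the rebuild")
    if now - scanned > MAX_SCAN_AGE:
        reasons.append("scan is stale")
    # 3. no open findings at or above the blocking severity
    for f in scan["findings"]:
        if f["status"] == "open" and SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[BLOCKING_SEVERITY]:
            reasons.append(f"open {f['severity']} finding {f['id']}")
    # 4. remote-access or other external surfaces must enforce MFA
    if asset["externally_reachable"] and not asset["mfa_enforced"]:
        reasons.append("externally reachable without MFA")
    return (not reasons, reasons)


# ---- constructed sample data (hypothetical assets, not real hosts) ----
ATTESTER_KEY = b"constructed-demo-key-not-a-real-secret"
NOW = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)

CLEAN_ASSET = {"id": "clearinghouse-node-01", "rebuilt_at": "2024-03-10T08:00:00+00:00",
               "externally_reachable": True, "mfa_enforced": True}
CLEAN_SCAN = {"asset_id": "clearinghouse-node-01", "completed_at": "2024-03-11T20:00:00+00:00",
              "findings": [{"id": "F-1", "severity": "medium", "status": "open"},
                           {"id": "F-2", "severity": "critical", "status": "fixed"}]}
CLEAN_ATTESTATION = sign_attestation(ATTESTER_KEY, "clearinghouse-node-01", CLEAN_SCAN,
                                     "2024-03-11T21:00:00+00:00")

# Second asset: rebuilt after its last scan, still missing MFA, and someone
# tries to reuse node-01's attestation for it.
LAGGING_ASSET = {"id": "clearinghouse-node-02", "rebuilt_at": "2024-03-11T22:00:00+00:00",
                 "externally_reachable": True, "mfa_enforced": False}
LAGGING_SCAN = {"asset_id": "clearinghouse-node-02", "completed_at": "2024-03-11T20:00:00+00:00",
                "findings": [{"id": "F-3", "severity": "high", "status": "open"}]}


def demo():
    return {
        "node-01": reconnect_decision(CLEAN_ASSET, CLEAN_SCAN, CLEAN_ATTESTATION, ATTESTER_KEY, NOW),
        "node-02": reconnect_decision(LAGGING_ASSET, LAGGING_SCAN, CLEAN_ATTESTATION, ATTESTER_KEY, NOW),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(name, "ALLOW" if allowed else "BLOCK", reasons)
```

Running it allows node-01 and blocks node-02 with every reason listed, so the team sees that the scan must be rerun after the rebuild, MFA must be enforced, the high finding must be closed, and a fresh attestation for node-02 itself must be obtained. In a real deployment the HMAC would be replaced by the attesting party's public-key signature, and the asset record would come from the inventory system rather than inline dictionaries.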
There hasn’t been any indication of malware spreading among customers reconnected to Change Healthcare’s systems, which is reassuring, Riggi said.
Uncertainty about when Change Healthcare will be fully restored has left some providers considering making temporary workarounds permanent and others wondering how much longer they can handle the operational and financial challenges.
“It's not over. There are still plenty of organizations that don't have the functionality that they need, and it's not clear when they're going to get that,” said Dr. Julia Skapik, chief medical information officer at the National Association of Community Health Centers.