Behind the Scenes with a CISO: Unpacking the Blackcat Ransomware Attack on Change Healthcare

May 7, 2024

Welcome to our new series from OnDefend, where we delve into some of the most critical cybersecurity headlines. We’re breaking down the Blackcat ransomware gang’s attack on Optum, the operator of the Change Healthcare platform.

OnDefend’s VP of Communications Lauren Verno sits down with James Case, CISO of Baptist Health Jacksonville, to get his insider perspective.

The Attack: Here’s what we know: The CEO of UnitedHealth Group, the parent company of Change Healthcare, Andrew Witty testified in front of a congressional committee on Wednesday, May 1st, 2024, about the details behind the February attack by the #BlackCat #ransomware gang. The hackers gained initial access through stolen credentials used on a Citrix portal that did not have multi-factor authentication enabled. It was revealed the threat actor used these compromised credentials to remotely access the company’s system for nine days before deploying the ransomware. During that time, the cybercriminals stole files containing sensitive patient information, including Protected Health Information (PHI) and Personally Identifiable Information (PII) of most Americans. Witty told Congress he took sole responsibility for the decision to pay the ransom, saying, ‘This was one of the hardest decisions I’ve ever had to make, and I wouldn’t wish it on anyone.’

Watch the Full Interview Here

Interview with James Case, Baptist Health Chief Information Security Officer (CISO):

Lauren: What goes through your head as a healthcare leader when you see an attack like this?

James Case: The entire healthcare industry is impacted. It’s a giant third party that affects thousands of companies and hospitals. There are backend processes that, if taken offline, prevent hospitals from accessing essential services like payment processing or authorizations. So, there’s a huge ongoing impact from that one company that was impacted, affecting the entire nation.

Lauren: Does that automatically spur a change in your own security program when something like this happens?

James Case: It’s a reminder—it’s third party risk—so maybe in our tabletops, it’s a reminder or feeds back into our feedback loop on scenarios to really tabletop. So, really tabletopping third party risk that we should all do more and more.

Lauren: Practice, practice, practice.

James Case: Practice and then find ways to improve, so it’s really both. And then education, right? It’s all the above.

Lauren: When you go into your security program and you talk to your people, what are you saying to them specifically about ransomware and what you guys should be doing without going into any specifics obviously.

James Case: Definitely prevention, but what we’ve learned over the last decade is that we also have to detect and respond, so we have to practice those. Practice finding things like tabletops, really practice responding, so we can move quicker, have muscle memory.

Lauren: Let’s talk about Ransomware and healthcare, they just go hand and hand at this point?

James Case: It’s the number one risk for most hospitals.

Lauren: It’s more impacting than people think, in what way?

James Case: The hospital itself, patients know their charts are gone so people are going back to paper and now that we’re in 2024, the whole phrase going back to paper is getting less and less real. Now we have more doctors and folks that have never used paper, so they’re going to paper for the first time, they’re going to downtime procedures. So, we can practice for it and drill for it but when you’re really doing patient care it’s different.

Lauren: What would you say is the number one concern when it comes to a ransomware threat?

James Case: Easy answer there, absolutely is the patient care.

Lauren: Why ransomware, why healthcare?

James Case: The answer is pretty easy there, it’s about the money. Healthcare is a pretty easy target and also healthcare is kind of behind. Like the financial sector is years ahead from a controls perspective and a regulatory perspective and way more financial resources. Going back to hospitals trying to break even or trying to make a 1% margin just to stay afloat, well then there’s not money to add to the budget and add more controls and add more technology to stop the attackers. So, it’s a tough balance.

Lauren: Overall, do you think we’ll ever beat out the bad guys?

James Case: There’s no answer to that, right? It’s always going to be cat and mouse. Just like there’s no way to eliminate all risk, there’s probably no way to eliminate all bad guys. All you can do is find risk and reduce it and hope that you’re not the next person.

Reduce risk by testing and validating controls against real-world ransomware threats, discover how OnDefend empowered by BlindSPOT’s attack capabilities are supporting security programs through Ransomware Defense Validation. Discover if your environment is prepared for a ransomware attack with OnDefend’s comprehensive Ransomware Defense Validation service. This multi-level assurance offering supports security leaders in reducing risk by simulating real-world ransomware threats to validate your security measures.


Connect with Us to Stay in Touch