The Change Healthcare Breach | Healthcare Hijacked
The NSA is probably one
of the most secure places on the planet,
and they got hacked.
So what makes you think
that you're going to be any better?
Welcome to The CISO
Signal. I'm Jeremy Ladner.
If you enjoy true cybercrime investigative
deep dives,
please take a moment right now
to like, share and subscribe.
It really helps us grow the show
and reach other cybersecurity leaders
just like you.
Now we take a trip back to February
2024 to a small town in Florida
where an 87-year-old grandmother
leans against a pharmacy counter.
She knows the routine.
Same prescription, same dosage,
same plastic
chair by the window
while she waits for approval.
Only this time the screen does not clear.
The pharmacist refreshes it again
and again, but the system is frozen.
A few states away inside
a community health
clinic,
the waiting room fills past capacity.
Phones continue to ring mercilessly
without end.
Staff move as fast as they can.
The crowds continue to grow as voices
lower and tensions rise.
Patients are told to sit tight.
Care is not denied, but it is delayed.
And in healthcare, delays
carry real consequences
because modern healthcare
does not run on compassion alone.
It runs on authorization,
on claims, on payments
clearing quietly in the background,
unseen and assumed.
But in February of 2024, that
financial administrative system
was hijacked.
Pharmacies across the United States
could not process prescriptions.
Providers could not submit
claims, payments simply froze.
Hospitals and clinics entered crisis mode
not because of disease,
but because the machinery beneath care
had seized.
This was not a random outage.
It was a deliberate act
by financially motivated attackers
who understood
one thing very well: In healthcare...
...disruption creates pressure.
At the center of it all
sat Change Healthcare, a company
most patients had never heard of
and for good reason.
Change Healthcare was a boring
financial administrative
infrastructure that moved the money
that made care possible.
It was the bloodstream:
claims, authorizations,
payments, quiet, constant circulation.
But when that circulation was cut,
leaders faced decisions
with no clean outcomes.
Shut systems down and protect
what remained
or keep them running and risk
further damage.
Move fast or move safely.
Each path carried consequence.
This was ransomware at its most dangerous.
And to help us examine what happens next,
I'm joined by two security leaders
who understand what this kind of moment
demands.
First, Thomas Schwab,
Founder and Managing Director of,
and this episode's sponsor, 1st
Cyber Operations Group.
Thomas has spent decades inside military,
government and enterprise environments,
helping leaders navigate cyber incidents
when disruption extends
beyond systems into operations,
governance and human impact.
At 1st Cyber Operations Group,
he now helps organizations strengthen
cyber resilience and incident readiness,
ensuring security teams and executives
can make confident decisions
when cyber incidents move
from technical problems
to business crises.
And joining Thomas and me
is our returning co-host, Scott Kisser.
Scott is Vice President and Chief
Information Security Officer at SmithRx.
He builds systems of trust
where failure is not theoretical.
His experience spans healthcare, fintech
and digital asset security, operating
at the intersection of technology
risk and executive accountability.
Gentlemen, thank you
both for joining us on The CISO Signal.
Thank you for having me.
I appreciate the opportunity. Hi, Jeremy.
Good to see you again.
Thanks for having me back.
Excellent.
Now let's begin the investigation.
We are in the midst of a ceaseless war.
Not of bombs or bullets, but of breaches,
firewalls and silent incursions.
The targets?
Our borders, our banks, our commerce,
and the critical infrastructure
that underpins a free civilization.
The enemy is cloaked in code, fueled by
greed, glory, and a desire for chaos.
This is the story of the unseen
protectors, the nameless generals,
the CISOs, chief information
security officers.
They are the guardians at the gate,
the watchers on the wall.
Ever vigilant
and always listening for The CISO Signal.
Act One: The Circulatory System.
Tom, before the breach, Change
Healthcare was working
exactly as designed.
From a crisis perspective,
when does "nothing has gone
wrong"
quietly turn into a dangerous assumption?
Yes. So reliability is often mistaken
for resilience.
Uptime gives people a false sense
of security around the environment, right?
They assume that because systems
are operational, that they just work
and that they're secure.
In turn, leaders stop asking the hard
questions around "would this system fail?"
Complacency here is really the real risk.
The longer the system is operational,
the more complacent the organization may
grow and maybe stop taking a hard
look at what could fail.
Most people never meet that machinery.
They meet its decisions:
a green checkmark, a copay,
a denial that lands like a door closing.
That Wednesday,
the decisions stopped arriving.
At first, it looks like nothing, a loading
circle that spins a beat too long.
A screen that refuses to update.
A clerk who tries again
and then again, and then calls across
the counter asking,
is anyone else seeing this?
Across town, across
state lines and across the country,
the same small silences begin to stack up.
A prescription sits on a counter
while the pharmacist explains
quietly that the network is down.
A billing team refreshes a dashboard and
gets yesterday's numbers frozen in place.
A phone line at a doctor's office
fills with patients asking
why the refill is delayed,
why the approval isn't showing,
why the system is acting
like it has forgotten their name.
The board of directors in
any company has a critical part to play.
They are in charge of all manner
of the business and that includes
dependencies, critical dependencies,
and making sure operations
are not only resilient, but they're there
for when systems go down.
Absolutely.
Boards frequently look at all risks,
but I would say more
infrequently look at critical dependencies
like Change Healthcare provided.
Healthcare in the United States runs
on paperwork disguised as electricity.
The country looks like hospitals
and clinics and pharmacy chains,
but underneath it is routing and clearing
and verification and settlements.
One of the biggest arteries in that under
layer is a company most patients
never think about: Change Healthcare,
part of UnitedHealth Group.
Change is not a hospital.
It does not do surgeries.
It does not hand a child
a bandage or deliver a diagnosis.
It moves information,
it checks eligibility,
it helps route claims,
and it helps move payments.
If a hospital is the body,
Change is part of the circulatory system.
And according to public reporting
and industry analysis, Change is immense.
A clearinghouse
handling about 15 billion medical claims
a year, representing a huge share of US
claims processing.
UnitedHealth has also described Change’s
reach as touching
roughly 1 in 3 patients’ records
in the US.
As a CISO, I frequently like to say
if I cannot see it, I can't secure it
and it's the same question
that boards need to ask.
They need to be able
to see all dependencies,
even the ones around the corner.
And in this case, you know, as
we saw with the Change Healthcare breach,
it caused colossal failure
of many downstream systems.
That scale matters for one reason only.
When it stops, the country feels it.
On February 21st, 2024, UnitedHealth Group
discloses that Change Healthcare
is experiencing a cyberattack
and that systems have been taken offline.
The language is careful,
protective, corporate, calm even.
But in some versions of that statement,
the company says it disconnected systems
to prevent further impact.
“Taken offline.”
It sounds clean, like flipping a switch,
but in reality
it is the sound of a door being slammed
after someone's already heard footsteps
in the hallway.
In this particular case,
I actually think that the system,
the entity itself, never thought that
it could bring down
so many downstream providers
from pharmacies to doctors offices
to, you know,
grandmas and grandpas and elderly people
who can't get their meds.
Nobody actually thought of the events.
If I turn the system off, the system
being Change Healthcare,
what would that do to the entire US
healthcare system?
The outage spreads into places
where people cannot afford delays.
Pharmacies
across the US report disruptions.
The American Pharmacists
Association says many pharmacies
cannot transmit insurance claims
and are facing significant backlogs.
For a patient,
it becomes an awkward moment
at the counter:
a hand hovering over a wallet, a question
asked too
softly because it feels embarrassing
to have your medication
held up by something you cannot see.
When you walk into an organization
and you're talking to folks
for the first time, are they aware,
do you think, typically, that they've got
all of their eggs in one basket?
Or so much is dependent on this one
piece of infrastructure that if it fails
and there aren't
redundancies, that the whole business,
the whole day to day is going to collapse?
And not only is that bad for the business,
but the customers
and customers of customers.
How typical is that?
That's a great question.
So many organizations, I think, go back
to, you know, the large cloud providers
or other large security providers
that in the past have not had any issues.
But in the last probably 18 months or so,
we have seen where even these large,
again, cloud providers or security
providers have had, in some cases,
almost catastrophic events that I think in
the past were not really conceived.
They were thought to be almost
untouchable, always available and secure.
And at the end of the day,
you know, there's threat actors out there
who are going to impact
every organization.
The day drags on, more screens
hang, more calls go unanswered.
Workarounds begin to appear the way
they always do: pen and paper, manual
logs, people building little bridges
over a river that used to be a highway.
And still no one can point
to a single broken machine
because the machine is not broken.
Not exactly.
It has been touched, tampered with,
by someone who is already inside.
For some of the aspiring
cybersecurity leaders in the audience
who have never been in
the position to be with a professional
when they set up a tabletop like you do,
can you walk us through
what that feels like?
What does it look like?
Start to finish, in an encapsulated way.
Give us a little taste of it if you can.
First, we start with the client
and understand at a high level
what their goals are and what type
of exercise are they looking for?
Is it
ransomware, insider threat, data loss?
And then we lay that across.
I like to say we make the exercise
relevant, realistic and plausible.
Right?
So are there threat actors out there
that would target this organization?
What tactics, techniques, procedures
would they use?
How can we align that
with the goals of the exercise?
And then another critical component
that I add talking with the CISO is,
are there any agenda items that you would
like to achieve out of this exercise?
We rehearse breaches, tabletop
incidents, and ransomware scenarios.
Why are third party failures like Change
Healthcare so rarely practiced?
Is it because of the scale?
The other part of the reason is these
third parties are trusted organizations,
and both parties need to come to the table
and potentially expose
some of their weaknesses
and vulnerabilities.
And of course, from a business
point of view,
most businesses
don't want to do that, right.
They want to
they want to prove that they're secure.
They're safe.
For independent pharmacies,
it becomes a choice
that's not really a choice.
Dispense on credit
and hope that claims clear later,
or send people away
and live with the consequences.
Hospitals
feel it as a different kind of pressure.
Cash flow and continuity.
The American Hospital Association
documents widespread disruption,
including delays directly
impacting patient care.
And at the end of the day,
they don't want to lose that contract.
In my experience, though,
we are starting to see organizations
bring third parties together.
In fact,
I conducted an exercise back in December
where one organization
brought their third party in.
It actually exposed some of the weaknesses
in the third party, and both parties
were amenable
to working through fixing the issues
and that third party
was not looked at in a negative light.
In fact,
they were looked at in a positive light
because they recognized
what those security issues were
and they wanted
to continue the relationship
and build a path forward,
which is a win-win, in my view.
By the end of the first stretch of public
reporting,
the shape of the truth begins
to show through the fog.
This was not a random outage.
It was not a glitch.
This was a deliberate shutdown
in response to a hostile presence.
In other words, the interruption
is not the beginning of the crime.
It is the moment the rest of the country
notices the crime has already happened.
Act Two: Leverage.
By the time the country realized
what was wrong,
The most important decisions
had already been made.
Not by executives, not by regulators,
but by strangers
who had been quiet long enough
to understand where to apply pressure.
Looking back at incidents
you've lived through,
Is it fair to say
that some risks only become visible
once they are already too late to avoid?
And why do you think that might be?
I absolutely think that, you know,
we're in the business of risk management.
And if you make a decision today,
you have to take into account
like the factors, the business impact,
the resiliency, the customer.
You have to take all of that into account
when you're making the decisions.
Sometimes
decisions are made without any type
of foresight into future breaches.
Nobody wants to think of
what could go wrong.
Everybody wants to think about
serving their customers, making
sure everybody's happy,
making sure their system is online,
available,
and customer satisfaction is high.
It's not about getting it right.
It's about making the right decision
at the time.
And I think that if there ultimately
is a breach or a compromise,
you know, you have to
look at the decisioning at the time.
According to public reporting,
investigators
would later determine that the attackers
did not arrive with noise.
They did not crash through the front door.
They entered through a system
that allowed remote access, a system
that trusted a single factor
when two were expected.
In congressional testimony months
later, UnitedHealth Group
would confirm the detail
that refused to go away.
Multi-factor authentication
was not enabled on the compromised system.
No fireworks, no cinematic exploit.
Just a door closed
but not locked with the assumption
that the wrong person
would never try the handle.
The more important bit
in any type of root cause analysis,
you need to be able to learn from it
and make that system more resilient.
In Change Healthcare, multi-factor
is a very small security hurdle.
A lot of times some of this decisioning
is absolutely,
you know, mind blowing, at the time.
That Change Healthcare impacted over
60% of the United States population
in terms of just raw records
and a single decision to, you know, omit
MFA from a Citrix server
was ultimately
the root cause of this breach.
And you can't go back in time
and kind of make it right.
But you can kind of build for resiliency,
build for the future, build
for better experiences.
And, you know, multi-factor in
this case is a super low bar.
You know,
hindsight
doesn't prevent the next incident,
but being able to be honest
and learn from it...
...hopefully will.
The final number was north of 190
million Americans were affected.
MFA, or the absence of it, was
seen as a big contributing factor.
And of course, I believe
also the CEO ended up getting called
in front of Congress.
And this is not five years ago
or ten years ago.
We're talking 12 months, 18 months ago,
maybe less than that.
Obviously, hindsight, as you mentioned,
it's easy to slam folks in the past.
If you had to guess, why do you think that
that oversight happened?
You can go back and look at root
cause and start to point fingers.
But at a minimum,
I think the security industry
needs to uplevel their baselines and MFA,
simple security measures,
absolutely need to be in place.
It's heartbreaking to hear that, you know,
people are unable to get their cancer meds
for a week.
You know, system pharmacies are not able
to serve their clients because of this...
...of Change Healthcare’s downtime.
And ultimately, it's
kind of like a siren’s call
to make sure that everybody up-levels
some basic security.
And I think MFA impacting events
should not be the case.
And, you know, unfortunately,
I think we'll see more before
these events are rooted out.
It brought the United States pharmacies
to a halt.
And events like this shouldn't happen.
Exactly when the attackers arrived
is still unclear.
UnitedHealth has not published
a precise dwell time
timeline, and investigators
have been careful with their language.
But according to Reuters
and other outlets, what is clear
is the order of operations.
First access, then movement,
then copying, and only later encryption.
When this attack is explained
publicly, people
look for a sophisticated exploit,
but in reality it starts with access.
What does that say about how ransomware
groups now think about winning?
You know, a lot of people think that there
is some type of sophisticated attack,
but that's really not the case.
Most threat groups are going
after really three main
avenues of attack at the moment.
So one of them is the external facing,
as you said, the Citrix VPN servers.
And with that, with no multi-factor
authentication,
if I can, as a threat actor,
find your security credentials,
username and password,
and I can log into your system,
then I'm going to certainly do that.
And that's not hard to do given people
put information out on social media.
There's information out over the dark web.
So that's one security path.
Public reporting linked the attack
to ALPHV, also known as BlackCat,
a ransomware operation that had already
built a reputation for patience.
BlackCat did not rush.
It did not need to.
Its preferred targets were organizations
that could not simply shut down
without hurting people:
Hospitals, infrastructure, systems
where uptime was not a preference,
but a requirement.
Change
Healthcare fit that profile perfectly.
And then the third way is really the human,
right, the weakness in the human,
whether that's through social engineering,
through phishing email, or through kind
of contacting the organization's
helpdesk, service desk,
and trying to get them to reset accounts
that are really the threat actor
and not the actual user themselves,
which is also a way to potentially bypass
multi-factor authentication.
Organizations need to be aware
that these are the most common paths in
and then prepare themselves around
how can we defend against these
and add that to their security
and prioritize that. Thomas mentioned
some pretty critical points,
but the attackers are always going to
be knocking at the door.
And if they find a loose,
you know, window, a loose something ajar,
they're not – nine times out of ten,
they're not using sophisticated attacks,
they're using some of the basics.
And as we saw with the previously
mentioned HubSpot and Klaviyo breach,
you know, it's a simple attack
to try and go after somebody.
And then once they're inside,
they're going to,
you know, knock on all the doors,
they have the initial access.
And, you know, if you could log
in, if you could steal credentials
with some of the most basic attacks,
they're going to come
and take over your systems.
It does not take a lot
to gain access.
It does it.
There's a video going around about outside
of Atlanta's team, the physical access.
And over there you see
Atlanta Football Club founded in 1907.
And then they go up to the door,
door code and they push in 1907
and the physical gate opens up.
Listen, it is basic.
You absolutely need to test
and make sure these systems are resilient.
That's where, you know, good penetration
testing comes in as well.
Right?
A good penetration test is going
to perform a password spraying attack.
And if you have a good team
they can even perform
physical security attacks
as Scott mentioned.
According to UnitedHealth's
disclosures, attackers exfiltrated data
before deploying ransomware.
The company later confirmed
that the data included a mix of personally
identifiable information
and protected health information: names,
addresses, dates of birth, social security
numbers, insurance details
and clinical data
were all impacted to varying degrees.
The exact volume remains unknown.
That uncertainty is not an oversight.
It's part of the damage.
Either identity is treated
as critical infrastructure
or every other control is conditional.
Which of those truths do
most organizations still avoid facing,
do you think? That is a true statement!
And in risk management,
you know, as CISOs, as developers, as,
you know, cloud infrastructure engineers,
everything is kind of conditional.
It's risk management.
But identity failure
is going to bring down an organization.
Identity is the only boundary
that you need to protect.
It controls access to systems.
It controls access to your critical data.
All types of controls need to be behind.
Identity is, should be,
and is critical infrastructure, period.
In standard ransomware tradecraft,
exfiltration serves two purposes:
First, it gives the attacker leverage, and
second, it turns recovery into theater.
Even if the systems are restored,
the data has already left the room.
From the attacker's point of view,
why was this system
the right place to strike instead of, say,
a hospital or a pharmacy directly?
Threat actors are looking for ways
that they can gain leverage, right?
Because especially at the end of the day,
if it's a ransomware group,
they're ultimately looking to get paid
as a criminal.
So typically, the greater
the impact that they can have,
whether that's through mass encryption
or through sensitive data or targeting
choke points that may have access
to multi downstream systems
or organizations, really become
big targets for threat actors
because they know, at the end of the day
that the bigger the impact, the larger
the organization, potentially
the higher payday for them and potentially
the organization may pay that ransom
because of that impact.
When outages start affecting patient care,
how fast does the security incident
stop being your problem and start becoming
something much bigger, much broader?
Change Healthcare impacted humans
from getting critical care,
and from the moment that that happens,
it's not a security problem.
It's about
getting everything back to normal.
It shouldn't be treated
as a security event.
It's a life event.
By late February, the outlines of
the extortion were visible.
BlackCat
published claims on its leak site.
Proof samples were circulated
and the implication was clear
even when the demands were not spelled out
publicly: Pay,
or we decide what the world gets to see
and when.
In the incidents you respond to,
what's the moment when leadership realizes
this will not be resolved quietly?
In many cases, organizations are...
the event occurs, they're
working internally, and that information
may not be public, but at some point
that information can become public.
Usually it's because either
a third party vendor
that they're working with catches
wind of it,
or you start to isolate the networks
that third parties are interfacing
with or the information
finds itself out on social media.
UnitedHealth Group faced a problem
that spreadsheets cannot model very well.
Every hour offline compounded
harm downstream.
Pharmacies could not bill,
hospitals could not collect,
and patients were caught between systems
that could no longer communicate
with one another.
And in those cases,
that event becomes public information
literally within seconds.
And organizations need to be prepared for
that in their incident response, right?
They may think, oh, great,
we caught this, it's internal.
We're going to deal with it.
And then later on, you know, I like to say
that the adversary gets a vote.
Right. So and things happen.
So as organizations prepare
or have that initial notification
that this is an event,
they need to start right then and there,
preparing for how that information
will be shared externally.
Because at some point
it more than likely will require that.
Where the threat actor
is the one making the public statement
coming out first ahead of the victims.
Is that something that you see
10% of the time or 70% of the time?
I would say that's pretty low, but
there have been cases where threat actors,
for example,
have contacted the SEC for an organization
that was publicly traded and said, hey,
how come this organization
has not filed a report with you
because they've had a breach
and they're past their four-day
or 96-hour reporting window?
I'll just add, like very rarely
have I seen
incidents or actors
kind of play the public card.
This is a RaaS,
you know, it's a ransomware as a service.
They are in a business
looking to get paid.
And it's very infrequent that, you know,
they hit the public button so soon.
According to Reuters, UnitedHealth
made the decision to pay.
The company did not announce the amount,
but blockchain analysis cited by
multiple outlets suggested a payment
of roughly $22 million in Bitcoin.
UnitedHealth
framed the decision as necessary
to protect patients
and accelerate restoration.
The payment did what ransom payments
usually do.
It restored some access,
it bought some time,
and yet it solved nothing permanently.
Within weeks, the story twisted again.
BlackCat’s
infrastructure came under pressure.
Law enforcement
activity disrupted parts of the operation.
Affiliates splintered in public posts.
One BlackCat affiliate claimed
that the group's administrators
had lost control of Change
Healthcare's stolen data.
Whether that claim was entirely true
remains unresolved,
but the implication mattered
more than the certainty.
If control fractured, then no single
payment could guarantee containment.
Copies
could exist beyond the original attackers.
Data could be traded, warehoused
or held for future use.
The ransom in that light
was not an ending.
It was an inflection point.
What is the likelihood that if we pay
them, we will get a valid decrypt key?
Or, if they stole data,
that they will not post it if we make that
payment? Many components go into
those decisions and the aftermath
of the ransom attack itself,
and time may not be on your side
in terms of your response
and the impacts on the business overall.
Inside UnitedHealth, recovery accelerated.
Systems were rebuilt, network segmentation
tightened, and emergency
funding programs were expanded
to keep providers solvent while claims
backlogs were cleared. Outside,
a different realization was spreading.
This breach did not succeed
because of cutting edge malware.
It succeeded because leverage
had accumulated quietly over the years.
A single intermediary
had become too central,
too trusted, too invisible.
The attackers did not need
to destroy the system,
they only needed to apply pressure
in the right place.
And once that pressure was detected,
everything else followed.
By the time Change
Healthcare began to come back online,
one question remained unanswered:
Not whether the attackers had been paid,
but whether anyone still knew
where all of the data was.
And now for this episode’s Quick question
for CISOs
and security leaders: In this case,
what was the real root failure?
A) A missing baseline control;
B) Over-centralized infrastructure; C)
Third-party risk governance; or D)
Board-level visibility into dependencies.
Drop your thoughts in the comments below
and add your voice to the conversation.
Now back to the episode.
Act Three: Residue.
The systems return quietly.
No announcement, no victory lap,
just a gradual easing of pressure
as claims begin to move again,
prescriptions clear again,
and the long queues
of stalled transactions thin out.
Screens refresh, dashboards tick forward
and phones ring a little less often.
To anyone watching from a distance,
it looks like recovery,
but inside the system
it feels more like exhaustion.
In the first few hours, again,
most organizations are focused inward
in terms of isolation, containment,
understanding what's going on.
Once the organization receives
the ransom demand, what they're balancing
is, you know, ultimately
for the executive team, the decision of
do we pay the ransom demand or not?
There's many factors that go into that.
You know,
what does your insurance policy cover?
If not, do
we have to cover the difference?
If we do pay the threat actor,
how long will it take for us to get a
valid decrypt key? If we need that?
UnitedHealth Group tells investors
that the disruption will cost
$1.5 billion.
That figure includes
response expenses, technology rebuilds
and the emergency programs
used to keep hospitals
and pharmacies solvent
while the pipes were frozen.
It is a large number,
but it is a finite one.
It can be booked, it can be amortized,
it can be explained.
The harder costs do not behave that way.
In the weeks
that follow, envelopes begin
to arrive in mailboxes across the country.
White paper, plain language,
carefully measured sentences
explaining that personal and health
information may have been accessed.
They list categories without specifics,
and they offer
credit monitoring and identity protection.
They promise vigilance.
What they do not promise is certainty.
By mid 2024, public reporting indicated
no confirmed evidence
of widespread misuse directly
tied to the Change Healthcare breach.
There was no wave of fraud
that could be cleanly traced, no single
leak dump that resolved the question
of where the data went.
That absence of evidence
becomes its own kind of unease.
What we're doing now, the last year,
a lot of organizations are taking us up
on the offer to conduct executive
level exercises specifically
around decisions that they would
likely face during a ransomware event.
The decision to pay
the ransom is certainly one of those.
And when we build an exercise around that,
we look at who's the threat actor
that they would likely face,
and then we do some of our own internal
analysis to determine what we think
that ransom demand would be.
We also ask the organization
if they'll share with us
what their insurance policy is,
and in some cases,
the ransom demand
would likely exceed their policy.
So for those exercises, then,
we bring the executive team together.
Healthcare
data is not like a credit card number.
It does not expire.
The diagnosis does not rotate
every three years.
And a history of prescriptions
does not change
when you call a hotline.
Once copied,
that private personal information
remains accurate
until the body itself changes.
We run through that scenario,
and that's a question that gets asked.
I recently did an exercise for a college
that in
this case was tied to a government.
In our assessment,
the ransom demand was higher than what
that organization
would likely be able to pay,
and they would have to go back
to government,
not only their board of directors,
but also to the government side
to figure out how
they could cover the difference in costs.
That obviously
would not be a rapid process.
That was one of the takeaways
from the exercises that they need to, one:
look at, assess their insurance policy,
whether it's at the right level;
and two: go back
and have these discussions
so that they can make this process
much more efficient, so
that if they are ever in that situation,
things can move very rapidly.
You're very right.
With a ransomware operator,
it is almost like a ticking time bomb:
they have their customer list,
and they're just going to keep working it,
and they're going to put pressure on you
to pay out.
Something Tom said cued something for me.
When you're figuring out
kind of the cybersecurity coverage,
the liabilities and everything,
make sure that you have a conversation
internally and potentially
with the insurance company.
You don't want that first interaction
to be talking about a real-life event.
You need that relationship.
You need to understand the parameters.
And more importantly,
you guys touched on
the frequency
of what needs to be adjusted and when.
Scott, as a CISO,
when you were asked for guidance
on paying a ransom,
how do you navigate the fact that you have
influence on the decision but you don't
necessarily own it and have final say?
You're already
bringing credibility to the decision.
You have to act professionally,
and you have to act responsibly.
And it's not kind of a binary decision.
It's a decision that the board, the
leadership team, is going to come up with.
Thomas, in your experience
in the organizations you've worked with,
who ultimately owns that decision?
Right?
It's really
the CEO in charge and the board of directors
making the decision that's
the best decision for their organization
as to whether to pay the ransom or not.
So by adding or allowing folks in the room
who really are not part of that decision,
what can happen
is you're slowing the process down
and creating more friction
than there needs to be.
And for the CISO
or the CIO, that information
that they're providing is usually around
kind of the technical information.
You know,
can we recover without paying the ransom?
Well, how much data was actually taken?
Which is a very hard question to answer.
Those are the kinds of inputs
that you could expect the CISO or the CIO
to provide into the decision-making
around the decision to pay the ransom.
Public reporting confirms no arrests tied
directly to the Change Healthcare attack.
BlackCat, the name attached to the breach,
fragments under pressure
and reappears
elsewhere, as ransomware groups often do.
Affiliates scatter, infrastructure
dissolves,
and accountability diffuses.
When payment is made,
but control is not fully restored,
what does that do to trust inside
the organizations that you typically help?
A lot of things happen.
So once the payment is made,
right, in particular
if you need a valid decryption tool
to decrypt that data, you're still going
to have to go through all of that process.
And in some cases, the decryption does not
work as fast as it was encrypted, right.
So the decryption may take days, weeks,
which is just eroding
trust over time, because there could be
a false sense of security
that, okay, we paid the ransom,
we got the decryption key,
you know, we're out of the woods,
we're going to be back up and operational,
and, you know, in a short period of time.
That's not always the case.
The other big challenge is, you know, do
we understand the root cause
of how the threat actor got in?
Is the threat actor
still in the environment, or did
we actually effectively evict them?
Because even if we're ready to recover,
if the threat actor
is still in the environment,
they can still influence our operations.
And again,
all of that work may be for nothing.
For patients,
the story ends without a satisfying
conclusion. Prescriptions are refilled again,
insurance cards work again,
but the knowledge lingers that something
private has left a place
it was never meant to leave,
and that no one can say with any certainty
if or how that private information
may be used.
Now, that's not to say that
you won't get attacked again,
because we have seen organizations
that six months later fell victim again.
But in many of those cases,
those organizations
didn't close the original security gap
that the original threat
actor used to gain access
into the environment.
Identity is the perimeter.
And for those accounts
that are long-lived,
for those service accounts
that exist where,
you know, credentials are, God
forbid, hardcoded in,
you absolutely need to kind of manage
every account –
service accounts, human accounts,
API sessions – as critical.
And they need to be managed well.
Particularly any code that has a username
and password built into the code,
particularly if that code is out on GitLab
or other sites that may be public:
threat actors are looking
for those credentials in that code
wherever they can find them.
For pharmacies and hospitals,
there is relief mixed with recalculation.
Trust is rewritten into contracts.
Workarounds that were meant to be
temporary are studied far more closely,
and questions that once felt academic
have suddenly become urgent.
After an incident like this,
how does the relationship between
a CISO and the board change,
even if the organization fully recovers?
As a CISO, your relationship
with leadership and extended leadership,
the board of directors, is crucial,
and like any relationship, it's
going to have ups and downs.
I think trust is absolutely key,
but transparency and being able
to confidently work through these problems
so that the system,
the teams, are better
is ultimately the end goal.
Thomas, in your view, what do you think
is the hardest lesson from incidents
like this that organizations
just still resist acting on?
Yeah, I think one of the hardest lessons
is really trying to understand
what those risks are and share them
with the board, particularly for CISOs.
Because in some cases, as we brought up,
there could be lower-layer dependencies,
and you're trying to understand
what those risks are and then go back and
try to share that with the board. Right.
In many cases,
you're trying to define something that is
maybe very technical,
and the board just might not be able
to wrap their head around
what it is that you're asking for.
Right?
So even like multi-factor authentication,
as we talked about earlier,
organizations
may not really understand what that is.
For security leaders
watching from other industries,
the lesson is not about malware families
or ransom negotiations.
It's about gravity.
A system designed to be invisible
became indispensable.
A single point of access
carried the weight of millions of people's
health and safety.
When that system paused,
everything downstream paused with it.
Scott, if another CISO listening
today could ask just one question
of their organization
because of this case,
what should that question be,
do you think?
Often the right question is more valuable
than the right answer.
And it is about building a better system.
It's about building a stronger system.
It's about building trust
that is better tomorrow than it is today.
And I think as a CISO,
you need to explore all avenues
and make sure that you're not just
accepting today's control environments,
today's assumptions, but you're actually
building something better
and something that's stronger
for ultimately the trust for your company.
Thomas, Scott, thank you both,
gentlemen, for being on the show.
Really appreciate it.
It was a great conversation, and I hope you
come back soon and join us again.
Appreciate it. Thanks, Jeremy.
Nice to meet you.
Thank you.
Change Healthcare now
fades back into the background.
The claims move, the lights stay on.
The machinery hums again.
But now there is a residue.
Recognition that ordinary operations
can conceal extraordinary risk.
That the most dangerous failures
do not always look like failures.
That sometimes the system performs
exactly as designed.
And that design carries the flaw.
And while the country moves
on, the data does not.
Healthcare was built to route
and verify and settle,
to convert illness into codes, codes
into claims, and claims into payments.
It was not built to remember that
every code is a human story.
For the grandmother at the pharmacy
counter, the breach was not simply
a headline.
It was a very dangerous pause
in healthcare.
In the months that followed, boards
convened, budgets shifted, multi-factor
authentication became mandatory
where it was once deferred.
Segmentation diagrams
grew sharper,
remote access was reconsidered.
These are the visible corrections.
They are necessary. They are measurable.
Harder to measure
is the recalibration of belief.
For years, scale was celebrated.
Centralization was praised.
Efficiency was rewarded
until one morning scale became leverage.
Today, the system runs again.
The dashboards tick forward, but somewhere
beyond the walls of the clinics
and hospitals and pharmacies, copies
of private data still exist.
Archived, bought, sold, traded
and stored for a moment
when pressure is useful again.
In a world where infrastructure
is invisible until it fails,
we do not have the luxury of assuming
the machinery
will protect us or itself.
We can only listen more carefully, design
more deliberately, and question
more relentlessly because the next attack
is being planned right now.
And so we must remain forever vigilant
and always listening for The CISO Signal.
If you
enjoyed this episode, please like,
share and subscribe.
If you didn't, thanks for listening
this long.
We'll see you
on the next episode of The CISO Signal.
All episodes are based
on publicly available
reports, postmortems, and expert analysis.
While we've done our best
to ensure accuracy,
some cybersecurity incidents
evolve over time,
and not all details have been confirmed.
Our goal is to inform and entertain,
not to assign blame.
Where facts are unclear,
we've used cautionary language
and we always welcome your corrections.
Thanks for listening to The CISO Signal.
