
Cyberattack on major health-tech company was caused by weak security infrastructure, Northeastern cybersecurity experts say

A sign outside of a UnitedHealth Group building.
Change Healthcare’s systems have been offline since Wednesday, causing disruptions at major pharmacies in the United States. (AP Photo/Jim Mone, File)

A nearly weeklong cyberattack at Change Healthcare has caused prescription delays at thousands of pharmacies throughout the country, highlighting the fragility of our health care systems and their reliance on third-party software makers for key infrastructure, says Kevin Fu, a Northeastern College of Engineering professor and cybersecurity expert.

“I think it’s really a house of cards,” says Fu. “I think a lot of times companies, whether they are big or small, don’t realize how much they depend upon thousands of pieces of software. This particular [software] happens to be keystone to the whole practice of the delivery of health care. It’s deeply embedded into pharmacies. That’s why we are seeing these outages.” 

Change Healthcare is a health-tech company that provides thousands of pharmacies and health care providers in the U.S. with tools that allow them to process claims and other essential payment and revenue management practices. The company reported it was under a cyberattack last Wednesday. 

Headshot of Kevin Fu.
Kevin Fu, a professor in the Department of Electrical & Computer Engineering, studies cyber-physical systems. Photo by Matthew Modoono/Northeastern University

A day later, it informed the U.S. Securities and Exchange Commission of the incident, noting that it had “identified a suspected nation-state associated cyber security threat actor who had gained access to some of the Change Healthcare information technology systems.” 

In response to the attack, the company, which is a subsidiary of United Healthcare, took its systems offline as it worked to investigate and resolve the issue, causing prescription delays at pharmacies like CVS and Walgreens.  

As of Tuesday, Feb. 27, its systems remain offline, but 90% of the pharmacies affected by the attack have found workarounds to continue to provide services to customers, according to a statement Change Healthcare’s parent company, UnitedHealth, provided to CNBC.

Reuters has reported the attack was carried out by hackers who are part of the notorious ransomware gang Blackcat. Change Healthcare representatives, however, have not confirmed that or shared more details on the attackers. 

Fu says the fact that the company had to shut down its systems at all is a major indication that its systems were not designed properly with cybersecurity in mind. 

“If the cybersecurity designs were done right, we wouldn’t have needed to pull the plug, but there’s quite a lot of legacy software out there that is simply not resilient against an adversary,” he says. “Essential clinical functions need to be available for performing, whether or not the network goes down. … But today, the way things are written it’s all too common that if one piece goes down, the entire house of cards falls as well.” 

Aanjhan Ranganathan, a professor in the Khoury College of Computer Sciences and cybersecurity expert, says these attacks highlight the need for systems that are more distributed, less tied down, and more flexible and resilient in the face of attack.

“I think the biggest lesson again and again that these attacks are teaching us is the requirement for decentralized systems, being able to not have a single point of failure.” 

Building these kinds of systems is not easy, Ranganathan explains, as it often requires operators to rethink and rebuild their networking systems from the ground up. 

“It’s one of those things where you always go for functionality and you don’t build systems with security and privacy by design,” he says. “There has been a recent trend with building systems with privacy and security by design.” 

But what does a decentralized cybersecurity system look like? 

“For example, you could first of all, not store everything in one place,” says Ranganathan. “You could store all critical data in multiple places with different keys. There are ways in which you can store parts of the data in different places, and even if one part is inaccessible, you can recover that part based on information that you have in other places. By doing this you are forcing an attacker to successfully target more than one endpoint.” 

He adds, “You’re kind of building the infrastructure in such a way that there is no one place to take down the entire system. You have to take down many different parts of the puzzle to actually cause any impact.”