Change Healthcare Lessons Learned: What happened to Basic Security Controls?


The Wall Street Journal scoop from April 22nd about what led to the Change Healthcare breach came after HHS created an FAQ about the incident. The scoop summary pulled these top 3 points about basic security:

  • Compromised credentials were used to log into an application that allowed Change staff members to remotely access the network.
  • Multifactor authentication reportedly wasn’t activated on the program.
  • The cybercriminals moved “laterally” as they lurked in the network, suggesting they had ample time to steal from the company’s massive troves of data.

In other words, Change Healthcare’s basic security controls seem to either have been missing or were somehow bypassed.

Let’s start with multifactor authentication. We all know what MFA is. I mean, we even have to use it to access our Netflix accounts when we sign in on a new device, never mind our bank accounts and credit cards. It’s one of the essential protections that HHS points to as an “Essential Goal” (i.e., the floor of cybersecurity protections) in its voluntary Cybersecurity Performance Goals.

And how about audit logging and monitoring, and incident handling? These requirements have been part of the HIPAA Security Rule since it became effective in 2005. They are basic information security hygiene, meaning (in non-technical terms) that:

  • every transaction needs to create a log of who did what when,
  • those logs need to be monitored,
  • organizations need to be able to detect and respond to security incidents as they occur.

Example – geo-blocking. It’s not clear that the bad guys worked from off-shore, but assuming they did, shouldn’t (at least) most off-shore addresses have been blocked, with only the “whitelisted” ones let in?
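To make the logging, monitoring and geo-blocking points concrete, here is an added illustration (not from the original post, and not Change Healthcare’s or anyone’s real data) of the kind of check a monitoring team would run over remote-access login logs: flag successful logins to the remote-access application that did not use MFA, and logins from countries outside an allowlist. The log format, field names, application names and the allowlist are all assumptions constructed for the example.

```python
import json
from collections import Counter

# Constructed sample events from a hypothetical remote-access gateway (JSON lines).
SAMPLE_LOG = """
{"ts":"2024-02-12T03:14:07Z","user":"jdoe","app":"remote-access","result":"success","mfa":false,"src_country":"US"}
{"ts":"2024-02-12T03:14:21Z","user":"jdoe","app":"remote-access","result":"success","mfa":false,"src_country":"RU"}
{"ts":"2024-02-12T03:15:02Z","user":"asmith","app":"remote-access","result":"success","mfa":true,"src_country":"US"}
{"ts":"2024-02-12T03:16:40Z","user":"jdoe","app":"file-share","result":"success","mfa":false,"src_country":"RU"}
{"ts":"2024-02-12T03:17:11Z","user":"bkim","app":"remote-access","result":"failure","mfa":false,"src_country":"US"}
"""

ALLOWED_COUNTRIES = {"US", "CA"}      # assumed geo allowlist for this example
MFA_REQUIRED_APPS = {"remote-access"}  # assumed: remote access must always use MFA


def parse_events(raw):
    """Turn the JSON-lines log text into a list of event dicts (who/what/when)."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def find_findings(events, allowed=ALLOWED_COUNTRIES, mfa_apps=MFA_REQUIRED_APPS):
    """Return (kind, user, timestamp, detail) tuples for successful logins that
    either skipped MFA on an MFA-required app or came from a non-allowlisted country."""
    findings = []
    for e in events:
        if e["result"] != "success":      # failed attempts are noise for these two checks
            continue
        if e["app"] in mfa_apps and not e["mfa"]:
            findings.append(("NO_MFA", e["user"], e["ts"], e["app"]))
        if e["src_country"] not in allowed:
            findings.append(("GEO_BLOCK", e["user"], e["ts"], e["src_country"]))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'NO_MFA': 2, 'GEO_BLOCK': 2} for the sample log."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    results = find_findings(parse_events(SAMPLE_LOG))
    for finding in results:
        print(*finding)
    print(summarize(results))
```

In the sample, the same user logs into remote access without MFA from an allowlisted and then a non-allowlisted country and later reaches a second application from off-shore, which is exactly the sequence a monitored log should surface for an incident responder.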

Now obviously, an organization of the size and scope of Change shouldn’t be ignoring basic information security – but neither should your organization, no matter its size.

Keep top of mind that even prior to the Change Healthcare incident, the OCR made it clear that 2024 was the year to enforce the HIPAA Security Rule. Plus, in early May 2024, the OCR Director confirmed in an interview that during the next seven months the Agency will restart HIPAA Audits, focusing on the Security Rule (particularly risk analysis and risk management). Plus, a Notice of Proposed Rulemaking (NPRM) to update the Security Rule will be released by year end. It’s time to make sure that your security house is in order!

Julia Huddleston, CIPP, CIPM, CCSFP, Principal Consultant, works with Apgar & Associates’ clients on certification readiness, compliance assessments, security risk analysis and policy and procedure review and implementation.