UnitedHealth Group CISO: We had to ‘start over’ after Change Healthcare attack
DENVER — UnitedHealth Group is still in the recovery process months after a ransomware attack on its Change Healthcare subsidiary, with its chief information security officer saying the company has essentially “started over” with regard to its computer systems.
“When I say start over, I really, truly mean start over,” Steven Martin said Thursday at the Mandiant Worldwide Information Security Exchange (mWISE). “The only thing that we kept from the old environment into the new environment was the cables. New routers, new switches, new compute infrastructure, deployed everything from a safe environment, truly started over. I felt like that was the only way that we could really ensure that we ended up with something that we could stand behind for the health care space, because it’s what it deserved.”
The February attack on the UnitedHealth-owned medical payment processing company roiled U.S. health care providers and threatened some with financial ruin. A criminal group known interchangeably as ALPHV or BlackCat was responsible for the attack. Several cybercrime researchers believe the group earned $22 million in ransom payments as a result. UnitedHealth Group CEO Andrew Witty confirmed the $22 million figure during a May congressional hearing.
Martin said his team has been working to repair the damage since February, with some of that work continuing to this day.
“We’re almost complete with the restoration process, but we worked for months — particularly in those early days, incredibly long hours — to restore those services,” he said.
He further described the work his team, with help from Mandiant's incident response unit, carried out after the attack, spelling out a long, arduous recovery process in which dozens of people worked 20-hour days for weeks at a time.
“You may not be able to muscle your way through [restoration] with 20-hour days,” he said. “We tried for three weeks. That doesn’t work. I think you have to get yourself in the mind frame that this is more like a marathon than a sprint. Make sure that you’re staffed in a way that allows you to get all the way through that event in a really, really thoughtful way, because you’re going to make hundreds of decisions.”
Martin chronicled some of those decisions on the conference stage, including those that weren’t directly related to the recovery process.
“If your playbook for running [incident response] only includes dealing with the incident itself, you’re missing a lot of surface area.”
One particular area Martin concentrated on was communications, constantly staying in touch with customers and other CISOs about UnitedHealth’s recovery process.
“We did a public call across the industry where we outlined what had happened, and we outlined what we were doing,” he said. “We did those meetings multiple times a week in the beginning, and getting on those calls and taking those questions in an open forum was tough, but it was the right thing to do. I don’t know how many calls I ended up taking. I don’t know how many text messages I ended up responding to. There was a lot, but I tried to be as available as I possibly could.”
Martin emphasized the importance of monitoring the mental health of recovery team members. Given the pressure of restoring normal business operations, he made sure health professionals and counselors were available to the dozens of staff involved in the recovery.
“Life happens during these events,” he said. “You have to acknowledge it, and you partner with the people that you’re working with so, so, so intensely. And there’s a bond that forms there with those folks and that you get to a point where you’re looking each other in the eyes, and you’re asking that critical question, ‘Are you OK?’”