Many companies wait for a while before installing patches. They have good reason to do that since patches sometimes break things. If you wait, then other people get to deal with the fallout from bad patches.
My bet is that Change Healthcare uses that strategy. Or at least used to. They might change their strategy once they rebuild their entire network.
Because they were hit by a ransomware attack.
Reports are that the hackers exploited the recently published ConnectWise Remote Management Software to break in. Using those bugs the hackers bypassed the need for those pesky userids and passwords and just walked in.
The bugs were discovered on February 15th and the five-alarm fire alert went out from ConnectWise on the 19th – four days from discovery to alert – that is a good schedule.
On February 21st United Healthcare, parent of Change Healthcare, filed the legally mandated 8-K report of a breach with the SEC. It says they discovered the attack that same day – also pretty quick.
Change Healthcare has not confirmed that ConnectWise was the culprit, but that seems to be what the experts are saying.
So, in summary, there were only 4 days between discovery and alert and only two days between the alert and it being used in a major cyberattack.
If you wait for a couple of weeks or a month to install patches, that could be a problem.
For those of you who have not been impacted by the Change Healthcare ransomware attack, Change Healthcare helps pharmacies figure out whether your insurance is going to pay for your prescription and what your share might be – among many other things.
With them being shutdown for a week so far, pharmacies have to resort to other ways to get that information. For some of the mega-pharmacies, they have direct connections to the insurance companies, but for the local pharmacies and even the midsize ones, they are dependent on Change and their competitors.
Some pharmacies are telling patients that they have to pay for their prescriptions and figure out how to get reimbursed by their insurance later. That can get very complicated if the insurance company has (and they usually have) negotiated a discount with the pharmacy. Now you get to sort all that out.
I am sure there will be a lot of lawsuits over this later and some people may actually die because they could not afford their medicine this way – more lawsuits.
The point here is that you need to review your patch management program and, at a minimum, triage patches to figure out which ones can’t wait.
Need help with this? Please contact us.