Lessons (not) Learned from the Change Healthcare Incident
Attack Surface Management Flow

Change Healthcare exposed data on over two thirds of Americans due to a cyberattack. Among other certifications, they are fully compliant with SOC2, HITRUST r2, and PCI DSS.

So what happened?

There was a publicly accessible Citrix portal. The threat actors used compromised credentials to log in. MFA was not enabled.

  • Did Change Healthcare realize this asset was exposed?
  • Did they realize that compromised credentials would have worked in this portal?
  • Do they have an MFA policy that wasn't enforced on this asset for some reason?

All good questions.

Yes, penetration testing is required to achieve compliance with these frameworks, but the scope can be very focused - or very broad - to achieve what's required.

Compliance = fundamentals.

Whether we like it or not, we're all playing in the NBA when it comes to cybersecurity.

Just having the fundamentals won't cut it.

What would have caught this?

  • External Network Penetration Testing
  • Red Teaming (Traditionally full-scope engagements)
  • Attack Surface Management

Attack Surface Management is the lowest lift for the organization and would have absolutely caught this.

An attack surface refers to all the points where an unauthorized user can try to enter data into, or extract data from, an environment. The larger your attack surface, the more opportunities there are for attackers.

Change has a large attack surface. Most organizations do nowadays.

Attack Surface Management runs 24/7. It allows you to:

  • Detect new risks introduced by network changes or newly discovered vulnerabilities.
  • Reduce the overall attack surface by eliminating unnecessary access points and hardening security configurations.
  • Enhance incident response times by quickly identifying where attacks are occurring and how they are happening.
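As an added example (not code from the original post or from any ASM product), here is the kind of continuous check ASM performs: diff today's external scan against yesterday's and flag remote-access portals whose MFA enforcement is not confirmed. The hostnames and snapshots are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    """One internet-facing service found by an external scan."""
    host: str
    port: int
    service: str
    remote_access: bool = False          # login portal: VPN, Citrix, RDP gateway, etc.
    mfa_enforced: Optional[bool] = None  # None = never verified; treated as a gap


def _index(snapshot: List[Exposure]) -> Dict[Tuple[str, int], Exposure]:
    return {(e.host, e.port): e for e in snapshot}


def asm_report(previous: List[Exposure], current: List[Exposure]) -> Dict[str, List[Exposure]]:
    """Compare two snapshots and group the exposures a defender must act on."""
    prev, cur = _index(previous), _index(current)
    return {
        # Surface grew: something new answers on the internet since the last scan.
        "new_exposure": [cur[k] for k in sorted(cur.keys() - prev.keys())],
        # Surface shrank: useful to confirm a decommission actually happened.
        "removed": [prev[k] for k in sorted(prev.keys() - cur.keys())],
        # The pattern described above: a login portal reachable without MFA.
        "remote_access_without_mfa": [
            e for e in current if e.remote_access and e.mfa_enforced is not True
        ],
    }


# Constructed sample snapshots (hostnames are placeholders, not real assets).
YESTERDAY = [
    Exposure("www.example.com", 443, "https"),
    Exposure("vpn.example.com", 443, "ssl-vpn", remote_access=True, mfa_enforced=True),
]
TODAY = YESTERDAY + [
    Exposure("citrix.example.com", 443, "citrix-gateway", remote_access=True, mfa_enforced=False),
    Exposure("legacy.example.com", 3389, "rdp", remote_access=True),  # MFA status never checked
]

if __name__ == "__main__":
    for category, items in asm_report(YESTERDAY, TODAY).items():
        for e in items:
            print(f"{category}: {e.host}:{e.port} ({e.service})")
```

A portal with `mfa_enforced=None` is reported alongside one with `mfa_enforced=False`, because an unverified control is not a control you can rely on.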

Why wasn't something like this implemented at Change?

Budget? Burnout? Lack of understanding? Who knows.

But what I do know is that this is serious business and we need to do better.

Here's a list of other Change Healthcare certifications and accreditations: https://www.changehealthcare.com/accreditations-certifications