
EP 156: Change Healthcare


About this episode

April 23, 2024

What happened in the Change Healthcare cyberattack? What are the impacts and how can cyber resilience be a competitive advantage? Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 156 of the Cyber Risk Management Podcast?

Kip Boyle: Hi, Jake. We got a good episode here. So this-

Jake Bernstein: Whoa, whoa, whoa. We always have good episodes, so I just want to point that out.

Kip Boyle: Well, then I keep saying it. I don't know. There could be new listeners this time and they're like, "Do these guys have good episodes? We don't know." I'm telling you, it's a good one. Okay?

Jake Bernstein: That's fair, that's fair. So what's it about?

Kip Boyle: Okay, it's about a cyber attack against an organization that's called Change Healthcare. And what we're going to do is we're going to learn what happened. We're going to learn about some of the impacts. They're big. And finally, we're going to wrap up with a little bit about cyber resilience and how cyber resilience can be a competitive advantage. In other words, the business value of cyber resilience. And we're going to use Change Healthcare as the poster child for explaining all this.

Jake Bernstein: That sounds like a lot of fun. And I think this is a throwback in some ways to our original Anatomy of a Hack episodes and CLEs way back in the day.

Kip Boyle: Yeah, those were fun.

Jake Bernstein: I remember doing that fondly. They were fun. I think the first one we did was on the Panama Papers. And if I think back to that, I don't think we could have gotten much about cyber resilience from that example.

Kip Boyle: No, no. That was not about cyber resilience.

Jake Bernstein: No, they weren't resilient. And I'm immediately going to go off script and ask you, what is cyber resilience? What does resiliency mean in this context?

Kip Boyle: Yeah, that's a great question. So much of the work that we do is ethereal and abstract and difficult to understand. So I always like to use real world examples whenever I can. So in the movies, you see this all the time. There's some person standing at the bar, somebody comes up behind them, grabs a bottle, smashes it over their head. And if you are resilient, all you're going to do is you're going to go, "Ow, who did that?" You're going to turn around and then you're going to beat this guy up.

So if you're not very resilient, you're going to crumple like a ragdoll and that's the end of you. You're not going to get back up again. That person's going to take your wallet or kick you or whatever it is they're up to. So resilience is about sustaining a blow and coming back as fast as possible. And in a corporate context, that's like getting cyber attacks, getting ransomware. That's what we're going to talk about today with Change Healthcare. And then how badly is it going to affect you?

Jake Bernstein: Would you like me to read the definition of resilience that I had in mind when I asked you this question?

Kip Boyle: Well, as an attorney who thrives on definitions, how can I deny you?

Jake Bernstein: I do like definitions. This one is actually from the AI Risk Management Framework, which we have just finished discussing, and I thought this was helpful. It says, "Resilience or a system may be said to be resilient if it can withstand unexpected adverse events or unexpected changes in its environment or use, or if it can maintain its functions and structure in the face of internal and external change and degrade safely and gracefully when this is necessary." A very much shorter way of saying all of that is that resiliency is the ability to return to normal function after an unexpected adverse event.

Kip Boyle: That would be the bottle over your head at the bar.

Jake Bernstein: That would be the bottle, yes. Bottle on the head and the bar. So I think it's worthwhile, particularly since for a while, I haven't heard it as much recently, but there was this push for some time to make it the CIA triad plus R, which was of course resiliency. And I think it's probably worthwhile to think of cybersecurity as including resilience.

Kip Boyle: It's coming to.

Jake Bernstein: It is, yeah. Well, and I think maybe on one hand, if you think about resilience negatively, you could be like, well, if I have to look at my resiliency, that means that I failed in protecting or preventing the cyber attack in the first place, which I mean strictly speaking is true, but that's not necessarily a failure in this day and age.

Kip Boyle: Well, could we just say that it could be a failure, but could we say that nobody should be judged harshly for that?

Jake Bernstein: Agreed.

Kip Boyle: Because if we're going to talk about, as cybersecurity professionals, if we're going to talk about, "Well, you should assume breach," and if we're going to talk about zero trust networks and all that stuff, well, aren't we really saying that everyone's going to get breached? And if that's true, if we really are saying that, then why are we judging people so harshly when it happens?

Jake Bernstein: That's a good point. And I think ultimately what people care about more is actually resiliency. Okay, you got owned. Can you come back from it? And how quickly?

Kip Boyle: That, that's right.

Jake Bernstein: Okay, so let's go through this and let's talk about this Anatomy of a Hack episode.

Kip Boyle: Right now. I want to talk about, I want to open this up simply by acknowledging that you love the Anatomy of a Hack stuff. I do too. And I think everybody that we've presented are CLEs where we take the Panama Papers and go deep and explain what happened, or we've done it on the Paradise Papers, we've done it on a number of different ones. And people really, really like it. And I think they like it for a number of reasons. The first is, well, it's in our DNA. Everybody loves a good story, and that's so human right? Like, "Tell me a good story." So that's a reason.

Another reason is because there's usually a bunch of surprises in here. So the Panama Papers, that's a vague thing, but when we actually tell you like, "Oh, but do you know how that happened?" There's a lot of surprises in there. And this is one of those times when surprises can be fun. And failure, oh my gosh, we just talked about it. Failure is the greatest teacher of all, right? You never learn more from any other source than failure, but the best choice isn't to learn from your own failures, to learn from what other people did wrong.

Jake Bernstein: Oh yeah, of course.

Kip Boyle: So that's what we're going to do. That's what we're going to do. Okay, so we're going to talk about-

Jake Bernstein: So Change Healthcare.

Kip Boyle: Yeah.

Jake Bernstein: Who are they? What happened? How recent was it? All that stuff. I think you're going to tell us.

Kip Boyle: I am, and this is welcome back to Anatomy of a Hack. So Change Healthcare, it's a strange name, but they're a subsidiary of UnitedHealth Group, and I think UnitedHealth Group is something that people might be more familiar with, but Change Healthcare is their subsidiary. Now, they haven't released a lot of details, unfortunately. Not yet. But we've been able to get bits and pieces here and there, and I was able to cobble together a basic timeline from a number of different open sources. So this is what we believe that is true, that it was a ransomware attack and that it was by the Black Cat Gang, which is, these guys are infamous at this point, and I'm not going to read you a long list of their victims, but I believe MGM and Caesars Palace were recent victims of these guys. Now, this ransomware attack happened on February 21st, 2024.

We're recording this one month plus one day, right? March 22nd. So it's only been a month, but what happened was it shut everything down. So Change Healthcare, what do they do? Well, they're a critical component of the healthcare system based in the United States. They have about 900,000 physicians, so almost a million. 33,000 pharmacies, 5,500 hospitals, and at least 600 laboratories. And what do they do? Billing. Billing between healthcare providers and insurance companies. So if you are a healthcare provider and you want to get reimbursed for something you did, Change Healthcare is one way to do that: you file a reimbursement and then you'll get reimbursed. Now, Change Healthcare isn't the only clearinghouse of payments, but they're a big one, as I just demonstrated from the numbers.

And it turns out too, by the way, that all military pharmacies for the United States, armed forces around the world, also are dependent on Change Healthcare for insurance. Not just reimbursements, but also insurance approvals. You have to get an approval in many cases before you deliver the service and if you can't get the approval, then you can't even think about delivering the service. And I thought it was interesting. This is one of those times where I actually got caught up in this because I had an annual physical right after the attack, and my doctor was talking about getting refills for a couple of my prescriptions.

Well, we do it electronically, of course. And so she asked me, "Hey, if I write this prescription to your current, if I renew it to your current provider, are you going to be able to get it?" And I said, "Well, I think so. Why?" And she said, "Oh, well, I have all these other patients that I can't renew their prescriptions because of some hack." I was just like, "Wow."

Jake Bernstein: Oh, there you go.

Kip Boyle: Okay, so let's keep going with the timeline. So on March 1st, which was about three weeks ago, there was a Bitcoin address that was connected to Black Cat based on research that other people have done, and it received 350 Bitcoins in a single transaction. That's about $22 million at current exchange rates, which is an enormous amount of money. So we thought, "Oh, somebody's paid a ransom." Well, then two days later, somebody else on a hacker bulletin board said, "Well, we're an affiliate of Black Cat, and we just got ripped off. They, Black Cat, said they got 22 million bucks, but they didn't give us our cut." So we think-

Jake Bernstein: Maybe these hackers should have had an appropriate affiliate agreement so that they could then complain to each other and go to their little hacker courts.

Kip Boyle: Right. Well, I don't want to go to their hacker courts.

Jake Bernstein: No, that's a very sarcastic statement.

Kip Boyle: I don't think it'd be fun.

Jake Bernstein: No.

Kip Boyle: But anyway, I point this out because Change Healthcare won't confirm or deny that they made a ransomware payment to Black Cat, but I want people to know that there are strong indications it happened. And I pointed it out because we're talking about cyber resilience here, and that's kind of where this is all going to end up. So I want listeners to be thinking about, before we get to the end of the episode, based on what I've shared with you so far, how cyber resilient do you think Change Healthcare is? Do you think that a ransomware payment is a reasonable way to purchase resilience as needed? Purchasing resilience on demand, so to speak?

Jake Bernstein: Well, so let me ask this. Have they recovered yet?

Kip Boyle: No. No, they're still not recovered. And we know that even when people pay ransoms for data, that doesn't automatically mean that the sun comes out and everything's great. It could take as long to recover from a ransomware payment as it can when you don't pay, is what we know from the data.

Jake Bernstein: That's right.

Kip Boyle: But we can talk about the impacts. So Change Healthcare is not in business yet, but there are some amazing impacts that get around to underscoring the idea of cyber resilience. And more importantly, I think, to underscoring the idea of cyber resilience as a competitive advantage in the marketplace, and this is amazing business value, I think. So first of all, healthcare providers that are dependent upon Change Healthcare, they're losing about a billion dollars a day.

Jake Bernstein: That's a lot of money. I mean, how are they going to stay in business?

Kip Boyle: I would love 1% of that, right? No more podcasts for Kip. I'm going to the beach. But let's unpack that because we're used to throwing big numbers around, but a billion dollars a day, let's think. That's really threatening the very existence of a lot of small medical clinics and their doctors' ability to deliver care. Because if you can't get pre-approvals from insurance companies, then if you deliver the service, you may never get paid, no matter how big of a deal it is. So we're talking about not just big healthcare centers, right? We're talking about urgent care, we're talking about cancer treatment centers, standalone clinics, primary care doctors.

And I want to share a quote. So Reuters published an interview that they had done with a clinical social worker who has about 30 clients each week that she works with and depends on insurance claims for reimbursements in order to pay her bills. And her name is Jenna Wolfson. She's based in Felton, California. And she said she has about, at the time that she gave the quote, she had about $4,000 of claims in limbo. She had no idea when she was going to get paid, and she said, "This could be catastrophic for me and other small business mental healthcare practitioners. I mean, $4,000 doesn't sound like much, I suppose, when you're talking about a billion. But think about it. That's, hey, I can't pay my rent."

Jake Bernstein: Yeah, no, that's bad.

Kip Boyle: That's, "I can't buy groceries for myself because I can't pay myself." And if Jenna has an assistant, if Jenna has a cell phone bill, I mean, think about just the small things that all come together that lets Jenna serve people who need therapy, and $4,000 is a lot in their world, and just multiply that. How many $4,000 do you have to multiply to get to a billion? You can do the math, right? It's not that hard. So this is happening everywhere. There's a lot of pain. In fact, I've seen news reports where some doctors who have clinics are thinking about, "I'm going to have to mortgage my house to raise enough money to stay open until this thing resolves."

Jake Bernstein: Yeah. And this is just one attack.

Kip Boyle: Yeah, it's just one. And this goes back to something that I can't stand. It's one of the reasons why I do the work that I do. This idea that these amoral, and I have many other words for them, people who can reach into the United States and other countries and do this and face no consequences at all for this. They're completely unaccountable. There's no way to bring justice to them for the things they're doing and to their victims. It's just unconscionable. And it just really strikes at my sense of, okay, I'm a Boy Scout, I admit it. Truth, justice and the American way, whatever.

I just don't think people should have to put up with this. They're just trying to serve other people, and they're in business. They're doing all these things. I've ranted about this before and I don't feel any less intense about it, just so you know. Now a few other impacts. So let's see. The government is almost powerless to stop these cyber criminals. And so I think there's a big impact on trust in government. They're just impotent, and this is awful, and it's just another data point in the series of data points that really proves this idea that we're on our own. We could be watching the collapse of a major segment of the healthcare financial ecosystem.

Jake Bernstein: We could be, we could be. And the government, this is one of those really tough policy questions, obviously, because the government isn't going to... Well, I suppose we could set up a great firewall like China has.

Kip Boyle: China and Russia both have national firewalls.

Jake Bernstein: Yep. And then we could just dramatically restrict internet traffic in and out, which it's hypothetically an option.

Kip Boyle: It's anathema to our values.

Jake Bernstein: It is anathema to our values. One of the things that I think we still haven't really fully explored is just saying you need to... Well, and maybe we'll get there, but let's make a few other points before we go down into the details of this and the, if you know what I mean.

Kip Boyle: Now, we've talked a lot about in terms of root cause, we've talked a lot about the fact that not only healthcare, but everybody's deeply dependent on computers and data networks, right?

Jake Bernstein: Yeah. I mean, that's not changing. So like we say, we've said it many times, everybody's an IT company and they just don't know it until suddenly the IT stops working, right? There's nothing new there. We also know that government, let's phrase it this way, we don't want to pay the price that would be necessary for government to be able to routinely stop these attacks from happening in the first place. The infringement on freedom and the internet working the way that it is supposed to work would be too great. So this is not just a matter of cyber hygiene, and I hesitate here because these types of attacks, I don't know how sophisticated the defenses were.

Kip Boyle: We don't know.

Jake Bernstein: And I don't know how sophisticated the attackers were, but as these ransoms get bigger, and if we just assume for the moment that this is related to the MGM and Caesars hacks, where the ransoms were, what? They were 20 million or more.

Kip Boyle: 40 million was the reported number for one of them.

Jake Bernstein: And if we assume that this is one of those 20 million plus ransom attacks, I think we can assume that these aren't script kiddies, right? This was probably, you know, Kip, it's getting harder and harder to say with a straight face that clients aren't targeted, because I feel like that is less and less true. For a long time, it was absolutely the case that you could be victimized through random chance, and you still can, to be very, very clear.

Kip Boyle: There's still drive by hacking.

Jake Bernstein: You still can. There's still, shall we call them, hacks of opportunity. That still happens all the time. But I think it is also true that, call it whaling, right? It's obviously that refers to a form of high value phishing attacks. But that is realistically what's happening here is that there are gangs who want larger payouts, who are willing to invest more time and energy into getting through defenses. So it isn't just cyber hygiene. It really means a culture change and a shift in the way that we see ourselves. And why? Because everyone has to take up a more serious and role appropriate set of responsibilities to protect from and mitigate the damage from, and then recover from cyber failure.

And it can't just be IT's problem to deal with. We talked about that way back in episode 88. We've also talked about how this is an identity crisis, not quite so way back in episode 104. And this applies to all industries, not just healthcare. And I don't know, what does it take to get people to invest in cybersecurity, and what can we learn when we have situations like this where we don't have technical details? I mean, we've said before, one of the things we've always talked about is cybersecurity is a question of reasonableness. Well, is it reasonable to expect any individual private entity of almost any size, now obviously it does start to shift at a certain point, to be able to routinely defend against concerted attacks by highly sophisticated cyber foes? I don't know. I mean, I'm not saying yes or no. I'm saying I don't know.

Kip Boyle: Well, it's a rhetorical question that could be answered in many different ways. One way I would answer it is I would say, no, we cannot. It's unreasonable to expect that everybody will, no matter what your size, and especially as it slews towards the larger ones, will be able to avoid having this kind of a thing happen to them sooner or later. It's unreasonable. That's again why we talk about assumed breach and zero trust and all that stuff. But is it reasonable to expect that they'd be resilient? Yeah, I think it is. I think it's reasonable.

Jake Bernstein: I think it is, and I think it is reasonable to expect that. And the difference here between resiliency and preventative measures and protection, let's put it this way. There's a reason that respond and recover are two core functions of the Cyber Risk Management Framework. Did I just call it the Cyber Risk Management Framework?

Kip Boyle: You did.

Jake Bernstein: I did. I meant the Cybersecurity Framework.

Kip Boyle: Yeah, the NIST Cybersecurity Framework. So let's think about this. The NIST Cybersecurity Framework is all about resilience, and it was created by an executive order from President Obama in what year? 2013.

Jake Bernstein: 2013? Okay yeah, I don't really know.

Kip Boyle: 2013. It's 2024. For 11 years, the federal government has been saying to critical infrastructure and now to everybody, "Hey, you need to be resilient." So this is not new. This isn't even close to being new. So the idea of resilience is reasonable. It's reasonable at this point.

Jake Bernstein: Yep. Well, and let's think about what these types of attacks mean. I think Moody's, the ratings agency, has warned that even large providers that have thin margins and weak liquidity are not immune and could eventually struggle to keep their doors open. That actually begins to pose severe threats to any healthcare system or any critical infrastructure. Kip, when this kind of thing happens, it's frustrating to a point because you're like, oh, I mean, you know this is going to happen. And part of me doesn't understand why and how people allow this to keep happening. But again, without the technical details, it's easy to kind of say that. Right?

Kip Boyle: Right.

Jake Bernstein: On the other hand, given the cost of this, I mean, they could have spent a lot. If they spent 10 million more on cybersecurity, and I'm not suggesting anything with this hypothetical, but let's just say that they could have, that it would've been possible to spend 10 million more to prevent completely this attack. They're way ahead already because they've already paid more than double that potentially as a ransom, which as we know, is only the beginning of the actual costs.

Kip Boyle: Although my hypothetical would be to spend $10 million more on becoming better at respond and recover.

Jake Bernstein: That's true.

Kip Boyle: Right?

Jake Bernstein: That's true.

Kip Boyle: And by the way, you don't need to spend 10 million on respond and recover, because most of that is about training and procedures and tabletop exercises, and it's not this capital expense intensive part of the framework. The capital intensive part of the framework is protect and detect, because you do have to spend money on tooling and blinky lights and so forth. But respond and recover, no, that's just training. It's just training and practice. That doesn't cost $10 million a year.

Jake Bernstein: It doesn't. And again, because we don't have the technical details, it's awfully easy for us to sit here on this podcast behind our mics and our comfy chairs and complain about it.

Kip Boyle: Anybody can be a critic.

Jake Bernstein: Anybody can be a critic, and this company is big enough. It's not like they didn't have cybersecurity in place. It was clearly bypassed, likely, as we said.

Kip Boyle: I don't even want to talk about, "They should have prevented it." Who cares? They didn't. And again, it's unreasonable to expect that everybody can prevent everything. So the question that I would rather focus on is why is their respond and recover so lackluster? That I think is the question. And I think that other people are asking that question too, right? There's lawsuits.

Jake Bernstein: Well, there's going to be investigations. I mean, there probably already have been those launched by the-

Kip Boyle: There are. Six class action lawsuits already.

Jake Bernstein: Yeah. HHS is going to do it. The Office of Civil Rights will come in, because I would not be surprised if this was also a data breach.

Kip Boyle: Maybe not, maybe not. Maybe it was a highly targeted ransom attack, but it likely involved some kind of data exfiltration.

Jake Bernstein: Okay, so let's think through this. It can get worse. It has lost hundreds of thousands of customers. We already know of at least-

Kip Boyle: Yes, yes. This is the part about cyber resilience as a competitive advantage. Please tell this part of the story.

Jake Bernstein: So this is fascinating. After the hack, which remember is at the time of recording, maybe only about a month old, at the time you're listening to this, it will be maybe be...

Kip Boyle: Two months.

Jake Bernstein: Two and a half, two and a half months old, give or take. But a competitor named Availity, which by the way is a hilarious take on availability, set up a stripped down claims processing service that medical providers can use for six months at no cost. The company has set up around 300,000, or about a third, of the 900,000 medical providers that use Change Healthcare and has a backlog of another 50 health systems waiting to start using the platform. It has processed more than $5 billion, that's billion with a B, in claims that couldn't go through Change Healthcare systems.

Kip Boyle: Ouch, ouch.

Jake Bernstein: That's ouch. That's real ouch.

Kip Boyle: If you're Change Healthcare, you've got to be noticing that Availity is eating your lunch, just completely eating your lunch, as if they were running some kind of a special promotion. As if a competitor just showed up and said, "By golly, we're going to take market share away from Change Healthcare no matter what." Well, even if that's what they wanted to do, Change Healthcare is face down in the mud. They're rifling through the pockets and taking the wallet.

Jake Bernstein: I have to say, Kip, this is a slight aside, but not really because it very much goes to resiliency. If we think back to the design goals of the internet itself, what was it really designed for? It was designed...

Kip Boyle: Survivability messaging?

Jake Bernstein: In a...

Kip Boyle: Nuclear war?

Jake Bernstein: In a nuclear war.

Kip Boyle: That was its core mission.

Jake Bernstein: Right. That was ARPANET's core mission. Now, how do you survive? How do you keep messaging alive during a nuclear war? Well, you have a lot of small, redundant nodes, and you do not put all of your communications in one spot.

Kip Boyle: No single point of failure.

Jake Bernstein: If you put anything in one spot, it doesn't have to be a single point of failure. If you congregate, it's like this is the interaction of cybersecurity and nuclear strategy. If you congregate anything in a nuclear war, it gets hit because it's a big target. Now, you look at, [inaudible], but the reality is that absent just complete Armageddon, you can't realistically use nuclear weapons to take out mosquitoes.

Kip Boyle: Right.

Jake Bernstein: And that's kind of what the internet is, the giant network of mosquitoes.

Kip Boyle: Those are tactical nukes that you're talking about.

Jake Bernstein: They are. And where I'm going with this is Availity is a good example of maybe some of these entities are just too big and they're too large a tempting target. And maybe size itself creates a problem with resiliency because of the whole bigger they are, harder they fall type of concept. And I don't know for sure that this applies, but I do know that if there's five claims processing organizations and one of them gets taken down by a ransomware attack, the whole system has a major, major problem. But if there's 100 claims processors and even one or 10 get taken down, the system itself is more resilient.

So maybe what we need to be thinking about, it's not just the resilience of individual actors in a system, it's the resilience of the system as a whole. So I don't know what you really want to take from that, but I think it's an interesting concept. It also might be an argument for organizations that are large enough to deliberately splinter themselves into different operating subunits to prevent this type of thing from happening. Because again, this is a strategic long-term competitive advantage type of thing. But if Change Healthcare had had 10 fully separate subnetworks under its control, highly unlikely that the same cyber attack could get all 10 of them at the same time. Just a thought.

Kip Boyle: Right. That's great. A diversity of defense. And what you're talking about is this too big to fail idea, which has been talked about in terms of financial institutions for a long, long time now. I mean, the financial crisis of 2007, 2008, AIG and different organizations, the government made a case that we have to prop them up because if they fail, the consequences would be too great to civil society. So we've got to bail them out. That was the last time that I remember too big to fail. Well, there's books and movies, and we could talk a lot about that, but I think this is a good example of that. I really do.

And I think that's going to probably be something we're going to have to talk about in the aftermath. But this also reminds me of what happened in 2017. TNT Express and DHL, two small package delivery companies in Europe. Now, they themselves are not small, but the packages that they handle are, and in 2017, NotPetya, this crypto worm, ran through Eastern Europe. It started in Ukraine, caused $10 billion of global damage minimum, and TNT Express, just like Change Healthcare, fell right on its face. Couldn't pick up new packages, couldn't deliver packages it already had, didn't even know where packages were. If you had given them a package to deliver, and you called them and you said, "Where's my package?" They couldn't tell you because all their computers were offline. And what happened, you can see this if you look at the financial publications downstream from the hack, DHL stayed in business, and everybody who used to use TNT Express, which is now owned by FedEx, they just switched over.

Jake Bernstein: I bet you FedEx got a good deal on that purchase.

Kip Boyle: No, actually they didn't because they actually bought them prior to the hack.

Jake Bernstein: Oh, that was unfortunate.

Kip Boyle: That was unfortunate. And Fred Smith, the CEO of FedEx at the time, about eight months after the attack in an earnings call, said that if TNT Express hadn't been owned by FedEx during the hack, they would've gone bankrupt because the cost to recover was out of reach without massive injections of additional capital from FedEx, which had just bought them.

Jake Bernstein: That makes sense.

Kip Boyle: So I mean, look at DHL. They thrived downstream of that because they were able to stay in business even though they were hit just as TNT Express was. Right? So what's the big takeaway from all of this in terms of business value? It's that cyber resilience is a long-term competitive advantage. Once people switch, the odds of them going back are really small.

Jake Bernstein: Oh, very much so. Why would you?

Kip Boyle: Nope. Why would you? I mean, you've had a bad experience, and people don't generally switch providers once they sign up. It's a sticky kind of a situation.

Jake Bernstein: So let's kind of wrap this one into a bow here. Cyber resilience is a long-term competitive advantage. Why, Kip? What specifically does it do?

Kip Boyle: Because when you get cyber attacked, you can stay in business. When your competitor gets cyber attacked and they're not resilient and they can't stay in business, you are the alternative to the people who cannot get served, to the people that you would've loved to have had as your customer all the way along. And now they have a great reason to come to you, and you've got a halo over your head. And you didn't reduce prices. You didn't run any specials. You didn't have to send out a bunch of salespeople to convince folks that they should change over to you. I mean, you just kept your doors open and people just started showing up and you signed them up and you served them.

Can you predict this? No, you can't predict this. But I mean, let's be serious. The data is clear. This is a situation that's bad and is getting worse. This is going to happen more and more often in the future. And I mean, look at me. I'm not switching from my pharmacy. My pharmacy was open when I needed them, and I heard that all these other people couldn't get their prescriptions refilled because their pharmacies couldn't function. So now I've automatically become more loyal to my pharmacy because of this experience. It's an emotional thing. It's an attachment thing. Now, how do you become more resilient? That's really the question that I think people should be asking.

Jake Bernstein: It is. And unfortunately, there is no easy button that can do these things for us. You have to accept that the world has changed. We have to change with it. I suspect there's still a lot of IT departments, maybe even some security departments, but definitely leadership who are stuck in a way of thinking that isn't that old. "Protect the castle" isn't that old of a way of thinking about this.

Kip Boyle: But it's bankrupt.

Jake Bernstein: It doesn't work. I mean, you've got to focus on that response in the recovery and resiliency, which is really one way to think about resiliency is just the respond and recover aspects of the cybersecurity framework. That's part of what it is.

Kip Boyle: I mean, that's the essence of it.

Jake Bernstein: It's the essence of it.

Kip Boyle: But you have to have all the other pieces in place. You have to have the detection capability.

Jake Bernstein: You do. They all build from and require each other. So yes, from the top down, implement the NIST Cybersecurity Framework, which was just recently released as 2.0. We probably will do another episode about that.

Kip Boyle: Yep.

Jake Bernstein: We will also need to talk about getting busy implementing the Essential Eight; cyber hygiene is still important. Nobody's ever going to say that you don't need a firewall anymore because you're just going to focus on resiliency. No, no, no, no. You still have to practice cyber hygiene. You still have all of these practices in place. You still have to identify, protect, and detect, and of course, govern, but we're going to save that. And if you want to learn more about the Essential Eight, that would be podcast episode 63. Feel free to go listen to that again. And I wanted to mention one thing before we wrap this episode up, or maybe you're supposed to mention it, but whatever. There are examples of organizations that have shown cyber resiliency, and why don't you tell us about Norsk Hydro?

Kip Boyle: Yeah, happy to do that. So in 2018, Norsk Hydro, which is a massive organization based in Scandinavia, they retrieve aluminum ore from the ground and smelt it into ingots. That's what they do. And they had a ransomware attack, and they were completely taken out. They were knocked back into paper and pencil based ways of operating their organization, but their ability to recover from what happened to them was exemplary. They are the poster child for how to do it right, and they were acknowledged for this.

So in the show notes, I'm going to put a link into a profile, a case study that Microsoft did on them, because their ability to recover was so phenomenal. They were very transparent about how they did it, and they shared how they prepared themselves to do this. So if you are an organization that wants to be more cyber resilient, absolutely have to go study Norsk Hydro and learn about what they did. There's videos, there's white papers, and there's so much great information that's available that I want everybody who's listening to go, if you don't know about this, to go and check it out. But it's very inspiring and it's incredibly practical.

Jake Bernstein: Yeah, no, it very much is. So any additional words we want to say about cyber resiliency? I think that we will do a future episode about how [inaudible] cyber resilient. This episode was really, "Look, you need to be cyber resilient, and here's an example of why."

Kip Boyle: Yeah, and this story is important because-

Jake Bernstein: The story is important.

Kip Boyle: ... those of you who are listening who may not be a senior decision maker, you need to bring this story to your senior decision makers. Tell them about Change Healthcare and what's happening to them and how Availity is eating their lunch. Tell them about Norsk Hydro. Norsk Hydro's stock price went up following their cyber attack because they publicly confirmed to the world how strong they were, how resilient they were, and investors love that stuff, right? Investors love knowing that you are stronger and resilient. So share these stories with your senior decision makers. Get them to get interested. Get that buy-in, and yes, and then come back because we're going to do an episode in the future and we're going to tell you how you actually make this happen.

Jake Bernstein: Exactly. We will do that. All right. Well, let's wrap up the episode.

Kip Boyle: All right, that does wrap up with this episode of the Cyber Risk Management Podcast. Today we took a closer look at the cyber attack that took down Change Healthcare. We learned what happened, what were the impacts, and how cyber resilience can be a competitive advantage for you. So we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.