Week 12 Studio: BlackCat and UnitedHealth
Today’s case study is still current news, and is the subject of Congressional inquiries already this year. Let’s see if we can make a serious attempt at suggesting new policies to try to help with this problem.
Today we are going to discuss the UnitedHealth / Change Healthcare ransomware attack that was carried out by the ALPHV / BlackCat ransomware group. But first, some valuable background:
In May 2021 (3 years ago), a ransomware group called “Darkside” managed to break into computers at the Colonial Pipeline Company and install ransomware on its systems. This shut down the company’s systems and halted all pipeline operations, which caused gasoline shortages across the East Coast. After a speech by President Biden, the Darkside ransomware group apologized, and said “our goal is to make money, and not creating problems for society.”
After this, Darkside and other similar ransomware groups kept up their attacks, but tried to avoid the large-scale infrastructure damage that the Colonial Pipeline attack caused. That is, they tried to stay under the radar with the attacks. That lasted until December 2023 (last December), when the FBI seized the website of the ALPHV / BlackCat ransomware gang and released a tool for its victims. After this action, ALPHV/BlackCat promised “open season on everything from hospitals to nuclear power plants.”
True to their word, on February 21, 2024 (two months ago), ALPHV/BlackCat managed to break into the computers of Change Healthcare, a unit of the company UnitedHealth that processes payments for a large number of clinics, hospitals and pharmacies in the US. BlackCat installed ransomware that prevented payments from being processed for over two weeks.
This caused a surprisingly large number of pharmacies and clinics to not be paid for weeks, which endangered their ability to keep functioning and to keep drugs in stock. Many pharmacies and clinics had to purchase and switch to backup payment systems, and even to date, not all payments have been processed. There were a number of people who were unable to get their medicines on time because of this attack.
Policy Suggestions
Read about what happened in that article. Now imagine working in the health care industry and being asked to write a “boss report” about this incident: your boss comes to you, asks you about the incident, and asks what can be done to protect against similar incidents in the future.
The New York Times (sort of) wrote up one of these in their “4 things you need to know” article.
Let’s use the knowledge we have been working on in this course to analyze the situation, and see if we can come up with serious, substantial, realistic policy suggestions.
First, grab the Policy Worksheet. We’ve been using that this whole semester.
Step 1: Understand the situation
The first side is all about trying to understand the situation. Look at the articles about ransomware attacks above, think about the way they affect the health care sector, and try to fill out the first side of the worksheet.
You can also fill out the first question on the back (about weakest link vs. best shot).
As you try to answer each of these questions, go back to the relevant notes on strategic incentives, externalities, and information asymmetry.
Step 2: Find analogies
Once you’ve got an understanding of the economic properties of this situation, let’s find some analogies. What are some other situations in the world – not cybersecurity related – that have similar economic properties? For example, if you identified a negative externality, you can look for other negative externalities like pollution.
First, start by looking at the answer to each question separately, and identify similar situations that we have talked about that have similar properties.
Second, look across the situations you’ve identified and see if any of those situations have more than one of the properties. Try to find one or more situations that have most (or all) of the properties in common with this one.
Step 3: Identify Potential Solutions
Now that you’ve identified similar situations, look for potential policy solutions. Start by using the notes on strategic incentives, externalities, and information asymmetry to identify potential policy ideas. Also, look at your similar situations, and think about ways that we have tried to deal with those problems.
Brainstorm. Make a list of more than one policy idea that might be able to help with this situation. The goal of step 3 is really to identify multiple potential ideas.
Step 4: Cybersecurity Arms Race
There are a lot of good policy ideas out there, but not all of them work for cybersecurity. Once you have more than one idea, step back and think about the arms race problem. Once we implement a new policy, the attackers will adjust their behavior around that policy. Sometimes that adjustment will still leave the world in a better place, and sometimes the policy just creates more problems.
For example, we discussed earlier in the semester the new SEC policy requiring companies to report cyberattacks. The ransomware group BlackCat (yes, the same one from today’s case) then weaponized this policy by reporting their victims to the SEC.
For each of your potential ideas, think about whether it would likely be helpful in the cybersecurity context or not. Use this information to make your final recommendations.