Single Citrix Compromised Credential Results in $22M Ransom (infostealers.com)
34 points by zbangrec 4 months ago | hide | past | favorite | 8 comments



While password rotations aren't everything, they can prevent this. With that said, 2FA any remote access; it tends to make simple attacks like this much harder.

Also, where the hell were your backups? Why didn't they follow 3-2-1?


There are backups (mostly). To be safe, they picked a restore date before the suspected initial entry date. This is a few weeks before the final attack. Change Healthcare is sanitizing the attacked servers, then migrating data over to the new servers to avoid losing data.


How do you 2FA RDP or a VPN connection?


Organizations have been doing 2FA for VPN connections for over a decade. The janky way to do it way back in the day (when people still had RSA token keychains) was to use an authentication server plugin that would require the user to enter their password followed by the token to authenticate at the password prompt. These types of systems are relatively easy to retrofit. I was using a Yubikey as a second factor on systems that didn't natively support 2FA in a similar manner since the original Yubikey was released.

For RDP it's even easier: RDP is easily configured so that logging in and connecting are two distinct actions; after connecting you are presented with a login page. If that system is tied to a Windows AD domain, you can enforce MFA via numerous different methods, although unfortunately it's not possible to use Windows Hello over RDP currently (meaning no support for passkeys or biometrics as a second factor). I've used systems in the recent past that enforced smartcard control for RDP access.

The fact that most organizations /don't/ do this isn't due to any technical limitations, it's mostly due to not prioritizing information security at leadership levels combined with an InfoSec industry culture that centers more around box-checking by midwits who have certifications than designing secure systems from first principles within your technical constraints by actual experts.
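The "password followed by token at a single password prompt" retrofit described in the comment above, as an added example that is not part of this thread: the server splits the submitted string into password and 6-digit TOTP code, checks both factors, and allows one time step of clock skew. The user store, salt and TOTP seed are constructed for the demo (the seed is the RFC 6238 test-vector seed).

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo store: one user, a PBKDF2 password hash and a TOTP seed.
# In a real deployment these come from the directory / token server.
_SALT = b"demo-salt"
_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
    }
}
OTP_DIGITS = 6
STEP = 30


def totp(secret: bytes, unix_time: int, digits: int = OTP_DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_password_plus_token(user: str, submitted: str,
                               now: Optional[int] = None, skew: int = 1) -> bool:
    """Accept '<password><6-digit token>' typed at one password prompt.
    Both factors are always evaluated so a failure does not reveal which one was wrong."""
    now = int(time.time()) if now is None else now
    rec = _USERS.get(user)
    if rec is None or len(submitted) <= OTP_DIGITS:
        return False
    password, token = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), rec["pw_hash"])
    token_ok = False
    for delta in range(-skew, skew + 1):          # tolerate +/- `skew` time steps
        candidate = totp(rec["totp_secret"], now + delta * STEP)
        token_ok |= hmac.compare_digest(candidate, token)
    return pw_ok and token_ok
```

A production token server additionally records the last accepted time step per user so a captured code cannot be replayed inside the skew window.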


https://citrixready.citrix.com/content/dam/ready/program/sec...

Now, what is even more concerning is if they didn't have the ability to 2FA on their Citrix, they had to be running a massively old and insecure version.


> It’s crucial to underscore that Hudson Rock had the data of this employee’s compromised data a day after the infection, highlighting a missed opportunity to preemptively safeguard against this incident.

Thanks for doing nothing while people were denied healthcare due to this breach you fucking assholes.

Fucking mob tactics here - "it's a nice company you got here, be a real shame if we knew something you didn't...."


At the end of the day it is not Hudson's job to work for the healthcare companies for free, regardless of your view on the morality of it. Having worked with the healthcare industry in the past on things like remote management access, it is highly likely this company was told multiple times "We have big fucking problems that are going to lead to a breach" which were ignored for years and put off because the solution was too expensive. I mean, FFS, they paid the ransom; this means they didn't have a viable and separate backup system. Change Healthcare is 100% at fault for operating services that must be secured by law in a deficient manner.


It's likely the only way there might be progress and will to improve the status quo is for these attacks to be so catastrophic, it kills the entire business. Until then, business as usual by the usual corporate cast of characters, considering no legal, regulatory, or material financial repercussions.

“Show me the incentive and I’ll show you the outcome.” - Charlie Munger



