The Change Healthcare Breach & the Need to Secure Third Party Vendors

The Change Healthcare cyberattack, which exposed data of an estimated 190 million people, cost UnitedHealth Group (UHG) around $2.87 billion in 2024, including $1.7 billion in direct response costs. Final costs after all the regulatory and punitive fines, damages, and restitution could be much higher, as with any healthcare breach.

This was obviously a landslide attack - bigger and more impactful than all other healthcare cyberattacks anywhere in the world. This attack by Russian group ALPHV completely overshadowed the Chinese theft of 78.8 million medical records during a 2015 cyberattack against Anthem, now Elevance Health – at the time the largest healthcare data breach in history.

While any cyber-attack against a critical national infrastructure industry like healthcare is huge, the impact of the Change breach impacted the Availability of healthcare services for a significant percentage of Americans who were unable to receive approval for medical procedures or even to pick up their pharmaceutical prescriptions. Yet our healthcare regulations which date from 1996 are myopically focused on the protection of Confidentiality – something that is already lost to the vast majority of Americans thanks to countless overlapping cyber attacks.

When all is said and done and dust finally clears after the Change attack, a number of smaller hospitals, clinics and other healthcare providers will have gone out of business depriving entire communities of tertiary healthcare, while patient morbidity and mortality figures will have spiked as a result of denial of needed medical procedures, or life extending prescription medications. This may have appeared to be a simple ransomware attack, but the national security implications are significant.

You can bet that the Russians and Chinese watched what happened with the Change failure and took extensive notes.

Above all, there is a very real danger that a similar or even larger and more impactful cyber attack could be executed against US healthcare through UHG or another dominant third-party vendor that controls much of the US healthcare industry. As consolidation and vertical integration of US healthcare continue unabated, the emergence of single points of critical failure is inevitable, and nothing is 'too big to fail', especially in times of hybrid or grey-zone warfare between states.

This was the subject of a cybersecurity panel discussion this week at the Colorado HIMSS CxO Advocacy Breakfast Summit, where over 200 local Colorado healthcare leaders gathered with Hal Wolf, President and CEO of HIMSS to discuss the state of the healthcare industry in Colorado.

The Change cyberattack raised many concerns about the security of third-party vendors and single points of critical failure in a highly complex and intertwined healthcare ecosystem.

Huge single points of failure like Optum Health, which owns Change Healthcare under UnitedHealth Group, dramatically increase the impact when that organization is attacked. This is especially concerning where “providers cannot quickly pivot to other healthcare clearing houses and service providers”, claimed Howard Haile, CTO at Intermountain Health. “Very few were able to do this, and very few are set up to make such a switch quickly,” he exclaimed.

Another concern, raised by Rick Bohm, CISO at Point Solutions Group, is that the industry doesn’t properly assess the risks of third-party vendors. “We are not testing third party systems to find vulnerabilities until it’s too late. I can guarantee that I can find similar vulnerabilities in the vast majority of vendor systems that healthcare relies upon every day,” he claimed.

With literally thousands of third-party vendors, suppliers and outsourced service providers, it’s impossible for a Regulated Entity (RE) to audit each of its third parties, or even to collect and validate SOC 2 attestations of security compliance from all of them.

“Furthermore, we don’t know what connects to our medical networks” added Richard Staynings, Chief Security Strategist with Cylera. “75% of connected assets – network endpoints – are not managed by IT and at most providers, security teams currently have very limited visibility into these IoT systems.

“Many of the medical devices on our networks are 20+ years old, written in eProm, a programming language from the 1980s – and they are the secure ones! The newer devices run on Windows Embedded, in many cases using the same generation of code as Windows 95 or Windows XP and we all know how secure each of those are today. No one in this room would conduct their Internet banking on a Windows 95 or XP machine, yet we keep patients alive using similar era technology,” Staynings concluded.

Yet identifying assets and assessing the risks of IoT can be very time consuming and resource intensive. This is where AI comes into its element: it can automate the entire process, and hospital CISOs can’t hire and retain enough staff to do this by any other means.

“Used correctly, AI can be very powerful and very time saving. At Cylera we use Machine Learning (ML) to run passive protocol analysis engines that tell us what systems are communicating over the medical network and from that, can easily identify and risk assess devices unmanaged by IT,” Staynings stated. “That helps healthcare providers build ‘Zero Trust’ across their networks through segmentation and isolation of at-risk devices and other medical systems.”

There are certainly many good uses of AI across healthcare to help drive improvements in accuracy and efficiency, as other panels at the CHIMSS event discussed. The concern is when the training data behind an AI algorithm is poisoned by mislabeled or deliberately inaccurate data. “We need to be on the lookout for adversarial machine learning and data poisoning,” agreed both Staynings and Bohm.

The recent supply chain attack against GitHub Actions and other third parties is a growing concern, and in healthcare we use hundreds, if not thousands, of third-party vendors, suppliers, and outsourcers. Knowing that your vendors and their systems are secure and meet or exceed your security standards is now absolutely critical for an industry like healthcare.

North Korea pulls off largest-ever theft in digital asset history

The 21 February heist of Bybit, a Dubai-based cryptocurrency exchange, removed a staggering $1.46 billion in cryptoassets according to initial reports. In fact, this incident is likely the biggest known financial theft of all time. Bybit is the world’s second-largest cryptocurrency exchange by trading volume, with over 50 million registered users worldwide as of a September 2024 report.

Bybit disclosed that over 400,000 Ethereum and staked Ethereum coins were stolen during the heist. These were initially stored in a "Multisig Cold Wallet"; however, the funds were somehow transferred to a hot wallet and then siphoned into wallets controlled by the attackers.

"The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic," Bybit explained.


According to crypto fraud investigator ZachXBT, the exploiter has already split 10,000 ETH of the roughly 401,346 ETH stolen in the attack across 48 addresses.

An independent investigation has revealed connections to the infamous Lazarus group. A day after the attack was disclosed by Bybit, blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group. ZachXBT submitted a detailed analysis of test transactions and connected wallets used just before the exploit, along with multiple graphs and timing analysis, shared in a post on X.

DPRK Crime State

The United States, South Korea, and Japan said in January that North Korean state-backed hacking groups stole over $659 million worth of cryptocurrency last year. Indeed, crypto and other financial theft is the primary avenue through which the heavily sanctioned Hermit Kingdom is able to obtain hard currency for trade in illicit goods for its nuclear weapons and rocket programs.

However, one month earlier, blockchain analysis company Chainalysis painted a more dire picture, saying North Korean hackers stole $1.34 billion in cryptocurrency in 47 cyberattacks throughout 2024, breaking their previous record of $1.1 billion from 2022.

2025 Proposed HIPAA Security Rule Changes

Much Needed Update to HIPAA coming in 2025.

A long overdue update to the HIPAA Security Rule, last updated in 2013, is currently being drafted. Many things have changed in digital healthcare since the rule’s last update, and today the healthcare industry is almost wholly reliant upon technology for the delivery of services to patients. This includes a rapid expansion of medical devices and other IoT systems, and the widespread use of AI, in particular Machine Learning (ML), to mine the vast data lakes of medical information now being generated by the industry. The updated rules also take account of the widespread use of cloud and virtual technologies and include provisions for even newer technologies, including virtual reality and quantum computing.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, at a time when few hospitals or health insurance groups had made the transition to digital records and most users considered a 28.8 kbps internet connection to be fast. WiFi, mobile devices, and 5G cellular were still distant dreams, as was the meaningful exchange of information in digital format between all those involved in treating patients. The HIPAA Security Rule in particular was considered out of date the moment it was published, although the act’s Privacy Rule has fared better. In 2009 the HITECH Act updated the security requirements for HIPAA Covered Entities (CEs) and Business Associates (BAs) to take account of changes in technology and some major ambiguities in the language of the original rule. A further Omnibus update took place in 2013 for similar reasons.

What is Happening?

On December 27th, HHS OCR announced a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The rule “seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”

What is Changing?

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.

  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.

  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.

  • Add specific compliance time periods for many existing requirements.

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.

  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
      • A review of the technology asset inventory and network map.
      • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
      • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
      • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.

  • Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
      • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
      • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
      • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
      • Implement written procedures for testing and revising written security incident response plans.

  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.

  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.

  • Require encryption of ePHI at rest and in transit, with limited exceptions.

  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
      • Deploying anti-malware protection.
      • Removing extraneous software from relevant electronic information systems.
      • Disabling network ports in accordance with the regulated entity’s risk analysis.

  • Require the use of multi-factor authentication, with limited exceptions.

  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.

  • Require network segmentation.

  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.

  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.

  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

HHS OCR has requested that feedback on the proposed rule changes be received from REs by March 7, 2025, after which the new rule will be drafted and a final rule enacted approximately 6 months after that.

Most of these proposed requirements are already being followed by larger and better funded HIPAA CEs, though not, it seems, by all BAs. The proposed rules spell out in a more granular format each of the ‘required’ and ‘addressable’ rules that CEs and BAs should already be following. What was considered ‘addressable’, however, becomes a ‘requirement’ under the proposed rule changes.

Of Specific Interest:

  • The language of the proposed rule change removes the distinction between ‘Covered Entity’ (CE) and ‘Business Associate’ (BA) and instead employs the term ‘Regulated Entity’ (RE).

  • Removal of the distinction between ‘required’ and ‘addressable’. All are now requirements and must be implemented. Time limits are added to meet requirements and to become compliant.

  • Changes various terms in the HIPAA Security Rule, such as ‘electronic media’, to take account of the wider use of VoIP technologies, telehealth, digital messaging, cloud, and AI.

  • A complete asset inventory of all network-connected assets is now required, along with a network map that illustrates the movement of ePHI throughout the RE network. This needs to be updated at least every 12 months or when new assets are added to the network.

  • Each RE needs to know where all of its PHI resides on its network and in which systems, whether owned and operated by the RE or by some other entity.

  • Makes network segmentation between operational and IT networks a requirement.

  • Requires improved regular testing and security risk analysis that includes:
      • a technology asset inventory and network map.
      • improved identification of threats, vulnerabilities, and risks to the confidentiality, integrity, and availability (CIA) of PHI.

  • Requires improved auditing of access to PHI by users.

  • Requires improved business continuity, contingency planning, and security incident response capabilities.

  • Requires the use of multi-factor authentication.

  • Sets a minimum 24-hour notification time. This applies for BAs to notify CEs, and for subcontractors to notify BAs.
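The asset inventory and ePHI network map items above, and the passive protocol analysis Staynings describes in the Change Healthcare piece (watch what talks on the medical network, then work out what IT does not manage), are the same engineering task. The script below is an added illustration, not Cylera's product code and not anything taken from the NPRM: it derives a connected-asset inventory from passively observed flow records, flags hosts that use clinical protocols but are absent from the IT-managed asset list, and builds a segment-to-segment map of ePHI movement. The port-to-protocol mapping (DICOM on 104 and 11112, HL7 MLLP on 2575), the segment addressing plan, the managed-asset list and the flow records are all assumptions constructed for the example.

```python
"""Passive asset discovery and ePHI flow map from observed network flows.

Added example, not Cylera's code and not text from the HIPAA NPRM. It derives
an asset inventory from passively observed flows, flags devices IT does not
manage, and maps which segments exchange ePHI-bearing protocols. The port
mapping, segments, managed-asset list and flows are all constructed here.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed port -> clinical protocol mapping; only these are treated as
# carrying ePHI in this example (DICOM on 104/11112, HL7 MLLP on 2575).
EPHI_PROTOCOLS = {104: "DICOM", 11112: "DICOM", 2575: "HL7-MLLP"}

# Constructed network segments (hypothetical addressing plan).
SEGMENTS = {
    "clinical-ot": ip_network("10.10.0.0/16"),
    "it-servers": ip_network("10.20.0.0/16"),
    "corp-users": ip_network("10.30.0.0/16"),
}

# Segments from which ePHI protocol traffic is expected to originate.
ALLOWED_EPHI_SOURCES = {"clinical-ot", "it-servers"}

# Constructed IT-managed asset list (what the CMDB knows about).
MANAGED_ASSETS = {"10.20.0.5", "10.20.0.9", "10.30.0.44"}

# Constructed passive observations: (src_ip, dst_ip, dst_port, transport).
SAMPLE_FLOWS = [
    ("10.10.0.21", "10.20.0.5", 104, "tcp"),    # modality -> PACS, DICOM
    ("10.10.0.22", "10.20.0.5", 11112, "tcp"),  # modality -> PACS, DICOM
    ("10.10.0.30", "10.20.0.9", 2575, "tcp"),   # monitor -> interface engine
    ("10.30.0.44", "10.20.0.9", 443, "tcp"),    # user workstation, HTTPS
    ("10.30.0.77", "10.20.0.5", 104, "tcp"),    # unmanaged corp host, DICOM
    ("10.10.0.21", "10.20.0.5", 104, "tcp"),    # repeat flow, not double counted
]


def segment_of(ip):
    """Name of the segment an address belongs to, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows, managed=MANAGED_ASSETS):
    """Passively derive an inventory: every IP seen as source or destination,
    with its segment, the protocols it used, and whether IT manages it."""
    inventory = {}
    for src, dst, port, transport in flows:
        label = EPHI_PROTOCOLS.get(port, f"{transport}/{port}")
        for ip in (src, dst):
            entry = inventory.setdefault(
                ip, {"segment": segment_of(ip), "protocols": set(),
                     "managed": ip in managed})
            entry["protocols"].add(label)
    return inventory


def unmanaged_ephi_talkers(inventory):
    """Hosts absent from the CMDB that were seen using an ePHI protocol:
    the gap between what IT manages and what is actually on the network."""
    ephi = set(EPHI_PROTOCOLS.values())
    return sorted(ip for ip, e in inventory.items()
                  if not e["managed"] and e["protocols"] & ephi)


def ephi_network_map(flows):
    """Map of ePHI movement: (src_segment, dst_segment, protocol) -> number
    of distinct source hosts, deduplicated across repeated flows."""
    edges = defaultdict(set)
    for src, dst, port, _ in flows:
        if port in EPHI_PROTOCOLS:
            edges[(segment_of(src), segment_of(dst), EPHI_PROTOCOLS[port])].add(src)
    return {edge: len(hosts) for edge, hosts in edges.items()}


def segmentation_violations(flows):
    """ePHI protocol flows originating outside the allowed segments, i.e.
    traffic that a segmentation policy between OT and IT should block."""
    return sorted({(src, dst, EPHI_PROTOCOLS[port])
                   for src, dst, port, _ in flows
                   if port in EPHI_PROTOCOLS
                   and segment_of(src) not in ALLOWED_EPHI_SOURCES})


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip, e in sorted(inv.items()):
        print(ip, e["segment"], "managed" if e["managed"] else "UNMANAGED",
              sorted(e["protocols"]))
    print("unmanaged ePHI talkers:", unmanaged_ephi_talkers(inv))
    print("ePHI map:", ephi_network_map(SAMPLE_FLOWS))
    print("segmentation violations:", segmentation_violations(SAMPLE_FLOWS))
```

In a real deployment the flow records would come from a SPAN port, NetFlow or a passive sensor, and the managed-asset set from the CMDB; the point of the comparison is that the three modalities and the monitor in the constructed data are invisible to IT until something observes them talking DICOM and HL7, and that a corporate-segment host speaking DICOM to the PACS is exactly the cross-segment flow the proposed segmentation requirement is meant to prevent.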

What is Impacted?

If a Regulated Entity (RE) is fully compliant with the HIPAA Security Rule (as updated by HITECH and Omnibus) then very little changes. However, this is unlikely. The updated Security Rule proposal itself states that while conducting an audit of regulated entities against the current Security Rule, OCR found that “94 percent failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

This means that most REs have some work to do in order to catch up with existing Security Rule requirements, let alone the additional effort that will be required to come up to speed with the updated requirements. It also means that more effective risk assessment and analysis is required moving forward.

The intent of this proposed rule change is to remove inconsistent application of the Security Rule across REs. In so doing, it removes the option of weighing ‘reasonableness and appropriateness’ against the cost of security controls, and it removes the ‘addressable’ implementation specifications that were often misinterpreted to mean ‘optional’. These are now ‘required’ and are mandatory.

Furthermore, the rule changes introduce the need to evaluate the ‘effectiveness’ of security controls in supporting the resiliency of the regulated entity. ‘Resiliency’ refers to the entity’s ability to withstand and recover from adverse events. In this regard the changes appear to recognize the vulnerability of REs to denial of service (DoS) and ransomware attacks, and the need to protect against these ‘availability’ attacks through increased resiliency.

This implies the need for much improved business continuity, disaster recovery, and security incident response capabilities so that REs can be back up and running quickly following an incident or attack. It also implies the need for more resiliency in technology architectures, using n+2 architectures where a second or third copy of an application can be used in times of need and switched into production quickly. The protracted healthcare downtimes that have impacted the industry recently have been largely caused by single points of failure: an encrypted EMR or other core system with no hot or warm standby, or the ransoming of a critical third party like Change Healthcare, for example.

In Conclusion

This long-awaited update to healthcare industry security requirements will help to address the chronic imbalance between a growing number of attackers and a largely weak and ill prepared cyber defense across payers and providers. It is intended to lead to massive improvements in security risk assessment and analysis, and the speedy remediation of identified security vulnerabilities. As such, the new rules should reduce the number of successful cyber-attacks, and thus will help to ensure that hospitals and other delivery partners are available in times of medical need by patients and the communities that they serve. Furthermore, these changes will help to reduce growing patient safety concerns, including increased morbidity and mortality when hospitals are under attack.

The need to identify and keep track of connected assets, to know where data resides and moves across medical networks, and to segment operational and IT networks under the proposed rules will be a real game changer for security. Lack of asset visibility is well known as the weakest link and is often referred to as the ‘open back door to healthcare security.’ Medical networks and IT / IoT have changed greatly over recent years, as has our reliance upon technologies to diagnose, monitor, treat, and manage patients in our largely digital healthcare system. It's therefore vital that our security controls keep pace with these and other changes.

2025 Healthcare Cybersecurity Predictions

Twenty Twenty-Five

As someone who has been evangelizing the need for improved healthcare cybersecurity for decades, every year I am hopeful that the new year will be better for healthcare security - that there will be fewer breaches, fewer supply chain attacks, fewer denial-of-service attempts, and fewer ransomware attacks. However, statistics don’t lie, nor do trends, so it’s unlikely that I will get my wish in 2025.

The Global Cybersecurity Landscape

Each year, more and more healthcare payers, providers, and life sciences organizations are hit with devastating and costly cyber-attacks. Increasingly these cyber-attacks can impact entire communities. We saw this in West Texas in September and October of 2024 when both UMC and Texas Tech University Health Sciences Center were hit with separate ransomware attacks. This essentially denied Level 1 trauma care to multiple communities impacting an area greater than 250 miles in diameter. It’s likely that we could see more of these high impact overlapping attacks in 2025, for various reasons, as I shall explain shortly.

Healthcare is in the crosshairs and is both an easy and a soft target for a growing number of opportunistic perpetrators. It has a large and sprawling supply chain, which when attacked can have sweeping implications for the industry players themselves. On top of that, as a critical national infrastructure industry, and in times of geopolitical conflict and cyber warfare, the industry is also a strategic political target. It is being hit from all sides - from organized crime syndicates to state actors, with a rising body of evidence to suggest collaboration and coordination between the two groups.

As a critical national infrastructure industry, healthcare will, I believe, be the recipient of increasing levels of direct and indirect government cyber assistance in 2025. Expecting small, independent, or even state-run healthcare providers to defend themselves against the might of the highly organized Russian Mafia crime syndicates or the offensive instruments of a pariah state’s military and intelligence organizations makes absolutely no sense. Thus, government will need to step in. We are seeing this already in the UK, EU, and Australia with much higher levels of direct involvement and intelligence sharing by government agencies. The US is expected to follow suit in 2025. However, very few governments are ready and prepared to directly protect their healthcare systems at present.

2025 will likely see even more ransomware attacks against healthcare providers. This will no doubt continue until such time as ransom payments and other forms of cyber extortion demand are finally and fully made illegal. Ransomware is a very lucrative industry, whose growth is being fueled by larger and larger payments from victims. Lack of resiliency across the healthcare industry, combined with the critical need for operational availability, makes healthcare a prime target for such attacks. As such, expect many more.

Supply chain attacks against the thousands of third-party vendors, suppliers, and services providers will continue to be the open back door to a secure healthcare industry. Software supply chain attacks and strikes against critical single points of failure across the array of healthcare infrastructure will likely continue for as long as the war with Russia does. This means that payers, providers, and life sciences organizations need to develop much stronger risk management processes around their multitude of third-party vendors. This should include full inventory and risk analysis of all organizations who have direct or indirect access to medical networks including third party applications and devices. Cyber-attacks against Synnovis, Change Healthcare, Microsoft, SolarWinds, and others have wreaked havoc across hundreds of organizations with the attack of a single third-party. The return on investment for perpetrators is therefore huge. Expect many more in 2025.

2025 will also see the rise of nation-state attacks. The recent Salt Typhoon attack against critical infrastructure telecommunications providers by the People’s Republic of China, and a dozen other Chinese Typhoon attacks, are an indication of growing geopolitical tensions as China, Russia, Iran, and the DPRK face off against the western world in what is being termed the ‘Axis of Resistance’. With Russia and Iran already engaged in hybrid and proxy wars, cyber is increasingly being viewed as a convenient weapon of choice that inflicts damage and retribution without crossing a line that will result in a kinetic response from the attacked nation. All critical national infrastructure industries could be the target of increased attention by Axis powers and will need to prepare accordingly. Nation-state cyber-attacks will be 2025’s biggest single threat.

Regulatory Changes

2025 will likely see major changes to US healthcare regulation with the passage (sometime during the year) of the Health Infrastructure Security and Accountability Act (HISAA). This is the long-awaited update or replacement of the ailing and out-of-date 1996 HIPAA Security Rule, which has governed the US healthcare industry for over two decades now. HISAA aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISAA is still in the drafting stage at present, but will likely impose stricter cybersecurity standards, require audits and stress tests, and implement serious consequences for non-compliance, while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities.

HISAA will no doubt help to move the cybersecurity needle, just as NIS2 in Europe and the CAF in the UK are already beginning to do. But ‘compliant’ does not mean ‘secure’, and most regulations are out of date the day they are enacted. It’s therefore important for healthcare entities to adopt a risk-based approach to security rather than a compliance-based one. That means understanding what, and who, connects to hospital networks; assessing people, processes, and technologies; and conducting a full risk analysis to identify, track and remediate security vulnerabilities on an ongoing basis. This will become ever more important as new innovative technology is added to medical networks.

New Technology

The healthcare industry creates more data than any other industry. To say that there are now healthcare data lakes would be an understatement. Each patient that is seen, diagnosed, and treated, creates vast amounts of useful medical data. This data can then be mined by healthcare data scientists and used to train artificial intelligence (AI) algorithms for machine-learning-based applications used for clinical decision support, and many other areas of medicine.

2025 will see these data lakes become even larger and, combined with improvements in AI training, enhance the tools available to clinicians. But just like all data repositories, this highly valuable data needs to be encrypted and protected. The RSNA Conference in November highlighted once again the need for better encryption while revealing new advancements in radiological and medical imaging, thanks in part to improvements in AI. This is leading to earlier diagnosis and earlier opportunity to medically intervene in patient care, thus improving outcomes while reducing cost. 2025 will see continuous growth in the capabilities of medical AI, including advances in precision medicine, which one day will totally change the entire paradigm of medical care and treatment of patients.

But AI is a new technology, and it often introduces new risks. Its data, its algorithms, and its applications all need to be secured from new types of cyberattack, including data poisoning and adversarial machine learning. AI is also being used to weaponize existing malware strains, making that malware stealthy, almost impossible to detect, and deadly when its payloads are deployed on unsuspecting networks. 2025 will likely see the continued development of offensive AI attack tools by hackers. At the same time, security software companies will be engaged in an arms race to quickly develop defensive AI capabilities in their NDR, XDR and other security applications. Cylera, as an example, and as a next generation IoT security platform, has invested heavily in AI since the company’s founding. It continues to build and deploy new and enhanced AI capabilities that help to automate the orchestration of improved cybersecurity for customers. We will see a lot more AI in 2025, along with better automated security tools and platforms with much faster-than-human response times and the need for less intervention.

Cybersecurity Resource Shortage


The shortage of security professionals reached 4.8 million in 2024, a growth of 19% over 2023. There simply aren’t enough soldiers to defend the fort against a rising number of attacks. In fact, according to the World Economic Forum, the global talent shortage could reach 85 million workers by 2030. While universities and training academies have stepped up their education offerings in cybersecurity, it will take many years before this shortage is addressed – if ever, given rising needs.

Burnout and retention of cybersecurity professionals is a growing problem as the job of defending an organization, sometimes against truly overwhelming odds, becomes even tougher. The ‘buck’ really does stop at the CISO’s desk, yet CISOs remain relatively unempowered to make decisions around enterprise security risk. Many security leaders still lack direct access to the board to properly relay cyber-risk, despite years of industry groups telling CEOs they need to provide it. That is slowly changing, and 2025 will likely see an evolution in the partnership between CISOs and their boards.

While job satisfaction and not feeling ignored remain critical for retention, so too does work-life balance for security teams and their leaders. ‘Return to the office’ has, for many, done little to offset the practice of working around the clock, something that started during the COVID pandemic, covering for sick colleagues and dealing with a huge uptick in security needs. It’s important that security teams and their leaders feel needed and respected, and are empowered by senior management not to feel obliged to work every weekend. Achieving better work-life balance will be a major objective for many security leaders in 2025.

In Conclusion

2025 will be an evolution of what we saw in 2024 rather than any sort of revolutionary change in January. Domestic and international politics may have a significant role to play in both attack and defense, as both sides re-arrange their players and adjust their cyber strategies. The healthcare security threat surface will continue to expand as more and more devices and applications connect to medical networks and interoperability between healthcare systems continues to advance. Diligence will be critical, as will visibility and understanding of risk. Automation of security tools will become ever more important, as the shortage of people to watch screens becomes critical, and various forms of AI will likely play an increasing role in both healthcare applications and security.

This blog was first posted at the following location.

Healthcare Cybersecurity Year in Review

Twenty Twenty-Four will go down in history as another watershed year in healthcare cybersecurity. With 386 reported healthcare cyberattacks by the beginning of October, this year is on target to surpass even 2023, which was in itself an especially bad year for healthcare cybersecurity attacks and breaches.

These projections are supported by the 2024 Ponemon Healthcare Cybersecurity Report, which found that 92% of organizations experienced a cyberattack in the past 12 months—up from 88% in 2023, and that the cost of a healthcare data breach topped $4.7 million in 2024, making healthcare the single most expensive industry for ransomware and other cyber-attack clean-up costs.

The FBI via its Internet Crime Complaint Center (IC3) states that healthcare is now the primary industry target for ransomware gangs, while HHS OCR acknowledges that ransomware attacks against the industry are up a staggering 278% since 2020.

Two Landmark Attacks

Twenty Twenty-Four will also go down in history as the year of the single biggest, most disruptive, and most expensive healthcare cyberattack to date, when in February UnitedHealth Group’s (UHG) Change Healthcare was attacked and breached by the Russian-speaking ransomware group ALPHV/BlackCat, impacting nearly every American and exposing the PHI of at least 150 million individuals.

While the Change Healthcare attack becomes the new record holder, it effectively doubled the breach numbers of the prior holder of the title, Anthem Health, which in 2014 exposed the PHI of 78.8 million individuals in a landmark case.

Despite paying the criminals a staggering $22 million ransom, UHG was unable to retrieve its data and was then hit with a second extortion demand not to publish the stolen PHI the perpetrators had exfiltrated. This was according to UHG CEO Andrew Witty when, on May 1st this year, he was hauled in front of Congress to explain the breach that had paralyzed much of US healthcare and what UHG was doing about the mess. At the hearings, lawmakers described the UHG Change Healthcare attack as ‘the most significant and consequential cyberattack on the U.S. health care system in American history’.

The Change Healthcare attack severely disrupted healthcare billing and payment operations for months, creating a huge backlog of unpaid claims, including problems with insurance approvals and Medicare reimbursements. It caused unprecedented financial and operational chaos for hundreds of medical facilities, physicians, and pharmacies, as well as patients unable to gain approval for scheduled procedures or to pick up their medications. It has placed hundreds of small and rural providers of healthcare at risk of closure, potentially depriving entire communities of tertiary health services.

Another highly disruptive cyberattack took place in the United Kingdom when in July this year Synnovis, a joint venture pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, was hit by a cyber-attack. The ransomware attack impacted most NHS providers across South London and caused 800 life-saving operations to be cancelled, along with over a thousand other appointments to be forcibly rescheduled. It also led to hospitals being placed on divert and emergency ambulances redirected to the other side of London or to the home counties.

The cyberattack has been attributed to Qilin, a Russian ransomware-as-a-service (RaaS) crime gang, this time, so it seems, with dual motivations. Qilin demanded $50 million in extortion, which was not paid, in accordance with UK government policy, which prohibits making extortion payments to terrorists. The attack paralyzed services at London hospitals for many weeks. According to a recent report by Bloomberg, while responding to questions about the breach through a messaging account long associated with the gang, a representative for the hackers said that they were very sorry for the people who suffered but refused to accept responsibility for the human cost. They suggested 'the attack was justified because it was in retaliation for the British government’s involvement in unspecified wars'.

In the first half of 2024, ransomware victims paid an astonishing $459.8 million to cybercriminals, setting the stage for a potentially record-breaking year. These extortion payments are also fueling the growth of the ransomware industry, so attacks are only likely to get worse in future years so long as ransoms are paid.

Alarmingly, much of this illicit money ends up in Russia via a global money laundering network involving the Chinese triads and other organized crime groups. It thus acts as a very useful form of hard currency for a country which is under massive trade and financial sanctions as a result of its war with Ukraine. It's no wonder, then, that the Kremlin provides safe harbor and tacit protection for transnational crime groups operating out of the Russian motherland.

A Common Thread

Both the Change Healthcare and Synnovis cyberattacks are indicative of a broader trend in healthcare: attacks are targeting third parties or business associates (BAs) of healthcare providers. According to John Riggi of the American Hospital Association (AHA), fifty-eight percent of the 77.3 million individuals affected by data breaches in 2023 were affected through an attack on a health care business associate, a 287% increase compared to 2022. Based upon the sheer size and impact of both Change Healthcare and Synnovis, it is highly likely that once the data is in for the year, 2024 will drive this percentage higher still. In other words, it’s no longer just healthcare payers and providers being attacked; their business associates are now being actively targeted.

Hospitals and other providers have done a great job over recent years of improving their security posture with better risk analysis, risk remediation and implementation of security controls, yet overall healthcare attacks continue to increase. This is largely because cyber criminals and pariah nation states are focusing on the weakest link, in this case, the huge number of third parties now involved in modern healthcare delivery.

According to Riggi, "simply put, the 'bad guys' - foreign ransomware groups, primarily Russian speaking - have mapped the health care sector and identified key strategic nodes to attack that would provide the most disruptive impact and access across the health care sector. These "strategic nodes" translate to ubiquitous third-party technology and service providers. The more widespread and critical the impact, the higher the ransom payment demand and the higher the likelihood that the victim will succumb to making the payment". Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data or disrupt all the hospitals that depend on that single mission-critical third-party provider?

In fact, healthcare cyber attacks are all about maximizing disruption, not only to maximize payment pressure for the perpetrators, but also to cause damage and mayhem to critical national infrastructure in countries opposed to Russia’s expansive foreign policy stance, or to gain political advantage in the case of China or Iran. Together, these three adversaries of western liberal democracy are behind, or support and protect, the criminal actors involved in the majority of healthcare cyberattacks worldwide.

So how is it that third parties are now the weak link in healthcare security? The fact is that modern healthcare relies upon literally thousands of different vendors, suppliers, service providers, and IT and business processing outsourcers: everything from core EMR / EPR systems like Epic and Cerner-Oracle, to the hundreds of different medical device manufacturers and third-party management companies that now adorn our modern digital care centers, and from insurance, billing, and collections to lengthy supply chains for medical equipment and supplies, vendors who often have remote access to hospital networks. The list is almost endless, and many providers don’t even have a good understanding or an accurate inventory of who or what has access to their medical networks, let alone the risks each group, device or system may introduce. IoT is a particular problem, and many unpatched and insecure medical devices are easily compromised by criminals.

The Change Healthcare attack was the result of the vendor, Optum (part of UHG), failing to use multi-factor authentication (MFA) or privileged access management (PAM) on a legacy jump server used by systems administrators to administer the Change environment. It is thought that Optum did not own software licensing for the jump server, which was running an out-of-date operating system it inherited as part of the Change Healthcare acquisition. And since the whole Change Healthcare environment was in the process of being replaced with new applications built to Optum standards, the short-term risks were considered acceptable rather than spending the time and money building a new temporary jump server accessible only to a small number of trusted internal staff. However, one of the authorized users of this system had reused a password on another account which had previously been compromised. With a little research, hackers were able to put two and two together and gain access to the complete Change Healthcare environment.

Conversely, the Synnovis attack appears to have leveraged credentials from one of two prior attacks by a different Russian group, Black Basta, against its parent company, Synlab. Those credentials, including VPN and MFA passwords, evidently were not reset, nor was the Synlab environment really secured against common malware and other attacks. What was more alarming was that Synlab-Synnovis had very poor business continuity, disaster recovery and security incident response plans (BCP/DR/SIR), resulting in weeks lost restoring systems. This is something totally unacceptable in an ‘operations-critical’ industry like healthcare, where even short outages can lead to dramatic increases in patient morbidity and mortality.

Lessons Learned and Tougher Regulations

Plainly the lessons here are that providers of healthcare services – in the US, HIPAA ‘covered entities’ [CEs] – need to mandate that every one of their hundreds of third parties adhere to the same security standards, capabilities, and controls as hospitals themselves are required to meet. That means more regular and thorough security audits of all third parties. This is especially important where the vendor is not big enough to provide evidence of ISO 27001 certification, or a SOC 2 attestation that it meets the key control objectives of the CE in question. [The Cylera platform, used by many providers across the world, is ISO 27001 security certified, as an example.]

In Europe that means compliance with NIS2 standards, which in the UK translates to adoption of the National Cyber Security Centre’s Cyber Assessment Framework (CAF), supported by regular Data Security and Protection Toolkit (DSPT) reporting. [CAF and DSPT reporting are built into the Cylera platform, which secures many UK NHS Trusts.]

The Digital Operational Resilience Act (DORA), which goes into effect on 17 January 2025, does not currently apply to healthcare providers, though it may have some impact on insurers. DORA is designed to “consolidate and upgrade ICT [information and communications technology] risk requirements” for the financial services industry and, interestingly, has a major focus on third parties and the impact of third-party risk. Whether some of its provisions are incorporated into NIS2, CAF and HISAA remains to be seen, but its effect on building resiliency, incident reporting and threat sharing is already being felt across Europe.

2025 will likely see new US healthcare regulations with the Health Infrastructure Security and Accountability Act (HISAA). This aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISAA is still in the drafting stage at present, but will likely impose stricter cybersecurity standards, require audits and stress tests, and implement serious consequences for non-compliance, while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities.

HISAA will no doubt help to continue to move the needle, just as NIS2 and CAF are already beginning to do, but the threats from criminal and pariah state actors are unlikely to be reduced, at least in the immediate term. With an ever-expanding attack surface as new healthcare technologies including AI, mHealth, consumer medical wearables, and more and more medical devices are adopted and deployed, securing healthcare has become a game of cat-and-mouse or whack-a-mole: a seemingly never-ending cycle of identify, protect, detect, respond, and recover as new risks and vulnerabilities are discovered and addressed through remediation, or the implementation of compensating security controls.

While compliance helps focus senior management attention and much needed resources for security, the principal security driver will always be risk and the need for improved visibility. But if you can't see 'what' and 'who' connects to your medical network how can you be expected to risk-assess an operations-critical, rapidly expanding healthcare threat surface to keep your patients and key health systems protected?

This blog was first posted at the following location

Experts address AI, global security threats, & solutions to cybercrimes

The annual cost of cybercrime is expected to reach $10 trillion next year. To put that figure into context, in terms of GDP it would be the third biggest economy in the world after the US and China.

From deep-fakes and disinformation to hacks and attacks on infrastructure, healthcare and security networks, cybercrime is becoming the number one challenge for law enforcement and intelligence agencies. And artificial intelligence is already changing the rules of the game.

Our increasingly connected digital world makes us all more vulnerable to criminal gangs and state-sponsored hackers who can access our data and devices. Imagine handing over control of your bank account, your electric vehicle, even your pacemaker.

So how is the international community responding? To gain insights into the scale and nature of the problem, Al Arabiya News’ Riz Khan met leading experts at the Global Cybersecurity Forum in the Saudi capital Riyadh.

UK Ambulance Service

The UK Ambulance Service is the latest target of Russian hackers according to a recent report.

As with much of the NHS and other critical infrastructure service providers across the country, Russian FSB, SVR, and GRU spies, along with criminal proxies, have been engaged in a coordinated campaign to infiltrate and reconnoiter large parts of the UK’s critical infrastructure services. This includes the Civil Service, the Ministry of Defence, and many of their contractors.

One of the targets of these cyber-attacks has been key suppliers to the UK Ambulance Service. Here, individuals working on the Ambulance Radio Program have been targeted from multiple directions by hackers in a credentials-harvesting campaign that could potentially crash the entire communications system. This would leave ambulance command centres unable to communicate with drivers and the police or fire services, or prevent them from receiving vital location information.

The incident is believed to form part of a new Russian cyber warfare campaign dubbed by UK intelligence sources “Cyber Wagner”, in reference to the hardline Russian mercenary group run by the late Yevgeny Prigozhin.

“This is the new front in Russia’s aggression against the West,” a western intelligence source monitoring the activity reported. “We need to prepare Western states for more aggression and hybrid warfare from Moscow.”

This week, MI5 director Ken McCallum announced that Russia is on a “sustained mission” to create “mayhem” across Britain and Europe. The UK's "leading role" in supporting Ukraine means "we loom large in the fevered imagination of Putin's regime" and further acts of aggression on UK soil should be expected, he warned.

This would not be the first time that critical UK systems have been besieged by cyber adversaries. Russian GRU agents have carried out "arson, sabotage and more dangerous actions conducted with increasing recklessness" since the UK backed Ukraine in its war with Russia, he added.

The revelations come just months after hackers behind a catastrophic NHS cyber-attack in the summer were identified to be part of a wider cyber army working under the Kremlin’s protection trying to destabilise the UK.

In June, healthcare services were disrupted across London after a major cyber-attack targeted Synnovis, a pathology testing organisation, severely affecting services. This led to the cancellation of 8,349 acute outpatient appointments and 1,608 elective procedures across much of South London at King’s College Hospital, and Guy’s and St Thomas’ NHS Foundation Trusts and their associated hospitals and clinics.

Qilin, which was held responsible for the assault, is merely one arm of the wider web of hacking affiliates, using servers based in Russia to carry out attacks on UK critical infrastructure. The hackers said the incident was in response to “unspecified wars”. The attack on the NHS was a “major escalation” of the Kremlin’s use of cyber warfare through use of criminal proxies.

As tensions continue to escalate, these attacks become less about opportunity for criminal profits and more about the desire to inflict damage on the critical infrastructure of another country. The fact that the Kremlin appears to be enlisting the support of criminal groups is not exactly a surprising development for many. It is widely acknowledged that, for many years, the Russian State has been providing safe harbour to Russian organised crime syndicate members accused of crimes in other countries by refusing arrest or extradition requests. So long as perpetrators direct their criminal business to organisations outside of the Russian Federation, they are allowed to operate with near impunity.

Although no definitive connection has been proven between the Russian State, criminal gangs, or the Russian Mafia, a close working arrangement has been evident for quite some time, according to cybersecurity experts. Despite this, certain state and non-state actors within Russia appear intent on launching, if not already on the cusp of, a cyberwar with the UK, Europe and North America.

The Pulse of Security

“Healthcare is increasingly reliant upon technology, whether interconnected systems or online platforms to deliver vital services, but with that reliance comes growing cyber threats. In fact, recent research from Check Point Software shows that the Healthcare Sector experienced an average of around 2,000 cyber-attacks per week in the second quarter of this year, increasing by 15 percent compared to last year. That puts healthcare in third place just behind education and military as one of the most targeted sectors.

“Hackers target hospitals not just because they are a gold mine of data but because many facilities are easy targets operating on outdated systems and devices. Needless to say, this is a very serious issue. Cyber-attacks are not just about accessing health insurance information and medical records, but they can force hospitals to shut down critical systems, putting patient care and even lives at risk.

“So how do we navigate this, how can we protect our systems while still embracing innovation in healthcare?”

Lara Habib, Senior Presenter, Alarabiya News Channel

Listen to Richard Staynings, Junaid Nabi, and Mike Fell as they explore the challenges facing healthcare and suggest ways in which the industry can better protect itself from a growing wave of cyber-attacks in this 30-minute panel discussion at the Global Cybersecurity Forum 2024 in Riyadh, Saudi Arabia today.

Rural Healthcare and the Catch-22 of Cybersecurity

Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services.

If you live in rural America, you could be a two- or three-hour drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center, which in an emergency could mean the difference between life and death.

As for many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital ‘new life center’ staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or worse, air-ambulanced at huge expense, to a city hospital where you and your infant can be properly cared for. Today, anything other than basic medical services usually means a long drive to the nearest city.

The trouble is that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open are continuously reducing their specialist services, which may not be used enough to remain profitable or even to cover costs.

A new report from the American Hospital Association (AHA) states that 136 rural hospital closures occurred between 2010 and 2021, with a record 19 closures in 2020 alone. Becker’s, in a recent article reviewing a longer period, claims that nearly 200 rural hospitals have closed since 2005. What’s even more alarming is that the pace of closure is accelerating. Eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the Center for Healthcare Quality and Payment Reform's latest report. 2024 could be even worse, given the financial brinkmanship caused by the UHG Change Healthcare cyberattack.

Just last month, the Eastern Plains Healthcare Consortium (EPHC) stated during its annual conference that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services; however, nearly all are currently running in the red, some by as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency-only services as Emergency Rural Health Hospitals to avoid closing altogether.

Some of these hospital closures are the result of cyber-attacks; in particular, one recent Illinois hospital closure is blamed upon a 2021 ransomware attack that prevented it from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack, preventing it from paying any of its staff and placing it in financial peril.

The Change Healthcare cyberattack earlier this year has exacerbated the plight of small providers and in particular rural clinics and physician practices. Many physicians are struggling to keep their practices afloat according to the American Medical Association (AMA) and even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of Temporary Funding Assistance to impacted providers, this is very selective, one-sided and fraught with caveats according to Richard Pollack of the AHA in a letter to UHG.

Challenges for Rural Healthcare Providers

Rural providers face many challenges: finances, through rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid, general resource constraints, and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable of these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks.

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let alone obtain the budget or expertise to implement security leading practices or the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks.

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems, including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and, unless secured and maintained, can significantly elevate the risk of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT.

Rural Healthcare Needs Help

MSPs and MSSPs will manage a large number of hospitals at the same time, and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from Cylera and others to identify the growing number of connected assets and evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers.

The advent of managed services has become particularly important given a new assistance program for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources to assist rural hospitals with access to many of their security tools and technologies. However, so far, relatively few rural hospitals are taking advantage of a free program designed to thwart ransomware attacks according to the White House this week. Only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program.

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools or utilize the free security assessments because they don’t have the manpower bandwidth to do so. This is the Catch-22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today.

While near term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems of maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services and a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize.

A version of this blog was initially published here

Isn't it about time we secured BGP?

Border Gateway Protocol, or ‘BGP’ as it is more often called, has been a staple of internet routing since the heady days of 1989, when TCP was finally getting into its stride and the internet as we know it was in its infancy.

BGP enables routers to determine the most efficient paths for data to travel across networks, ensuring scalability and efficiency. The protocol allows network backbone providers to announce routes across networks and is the primary routing protocol used to exchange routing information between different autonomous systems on the internet. The trouble is that, like many things to do with the internet, it was never really designed to be secure, and this leads to all kinds of problems, as we shall see.

BGP has been abused multiple times since Al Gore claims to have invented the Internet. Joking aside – it was actually Vint Cerf and Bob Kahn who are credited with the accomplishment – BGP has suffered some pretty high-profile attacks that have caused outages or, even more alarmingly, routed traffic through a specific country – one known for its prolific cyber espionage practices.

In 2008, a Pakistani ISP wanted to block access to YouTube within Pakistan but accidentally announced a BGP route that led to all of YouTube’s global traffic being redirected through Pakistan. This caused a worldwide outage of YouTube for several hours, although YouTube has probably never been faster in Pakistan before or since.

Then in 2010, China Telecom “accidentally” advertised incorrect BGP routes that caused a significant amount of global internet traffic, including that of U.S. government and military sites, to be routed through China. Naturally, neither the US government nor the Department of Defense was very happy about that little so-called “error”, especially considering that at the time not all government network traffic was being encrypted.

More recently in 2018 cybercriminals hijacked BGP routes for Amazon’s Route 53 DNS service to redirect traffic intended for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server owned by the perpetrators. The attackers then stole users' cryptocurrency by tricking them into entering their credentials on the fake site.

The White House, naturally, has been considering options to replace or upgrade BGP with an improved authentication scheme to remove opportunities for abuse and cybercrime, including any cyber espionage that nation states may be considering. Its proposed solution is Resource Public Key Infrastructure (RPKI), a security framework designed to enhance the security of BGP by providing a way to cryptographically verify the ownership of IP address blocks and the authorization of networks to announce specific routes.

To that end, the White House has released a guidance document for ways of improving upon BGP in a proposed roadmap to enhance internet routing security. This includes the adoption of new technologies including RPKI. As a government press release stated today, “these recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.”

The press release went on to say that “by the end of the year, it is expected that over 60% of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish Route Origin Authorizations (ROA) for Federal networks.”
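To make the ROA step concrete, here is an added worked example, not code from the original post or from any real RPKI validator, showing how an RPKI-aware router classifies a BGP announcement against a set of Route Origin Authorizations as valid, invalid or not-found (the RFC 6811 route origin validation states). Every prefix and AS number in it is a constructed sample value from documentation ranges, and the AS0 case follows RFC 7607.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added illustration only; not code from the original post or from any real
RPKI validator. Every prefix and AS number below is a constructed sample
value from documentation ranges (RFC 5737, RFC 3849, RFC 5398).
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Validity(Enum):
    VALID = "valid"          # some covering ROA matches origin AS and length
    INVALID = "invalid"      # covered by at least one ROA, but none match
    NOT_FOUND = "not-found"  # no ROA covers the announced prefix at all


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` permits
    `origin_asn` to originate it, and any more-specific down to `max_length`."""
    prefix: IPNet
    max_length: int
    origin_asn: int

    def covers(self, announced: IPNet) -> bool:
        # A ROA is relevant only if the announced prefix lies inside it.
        return (announced.version == self.prefix.version
                and announced.subnet_of(self.prefix))

    def matches(self, announced: IPNet, origin_asn: int) -> bool:
        # RFC 6811: covered, same origin AS, and no more specific than maxLength.
        return (self.covers(announced)
                and origin_asn == self.origin_asn
                and announced.prefixlen <= self.max_length)


def make_roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} is invalid for {prefix}")
    return ROA(net, max_length, origin_asn)


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> Validity:
    """Classify one announcement the way an RPKI-aware router would."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if r.covers(announced)]
    if not covering:
        return Validity.NOT_FOUND
    if any(r.matches(announced, origin_asn) for r in covering):
        return Validity.VALID
    return Validity.INVALID


# Constructed sample ROA set (hypothetical holders):
#  - AS64500 holds 203.0.113.0/24 and may announce it as a /24 or a /25
#  - 198.51.100.0/24 carries an AS0 ROA (RFC 7607): nobody may originate it
#  - AS64501 holds 2001:db8::/32 and may announce more-specifics down to /48
SAMPLE_ROAS: List[ROA] = [
    make_roa("203.0.113.0/24", 25, 64500),
    make_roa("198.51.100.0/24", 24, 0),
    make_roa("2001:db8::/32", 48, 64501),
]

# Constructed announcements, annotated with the situation each represents.
SAMPLE_ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("203.0.113.0/24", 64500),   # legitimate origin
    ("203.0.113.0/25", 64500),   # legitimate de-aggregation within maxLength
    ("203.0.113.0/26", 64500),   # right AS, but more specific than maxLength
    ("203.0.113.0/24", 64666),   # wrong origin AS: the classic hijack pattern
    ("198.51.100.0/24", 64500),  # AS0 ROA: no origin can ever be valid
    ("192.0.2.0/24", 64500),     # no ROA at all: RPKI cannot help here
    ("2001:db8:1::/48", 64501),  # IPv6 more-specific, within maxLength
]


def validate_all(roas: Iterable[ROA],
                 announcements: Iterable[Tuple[str, int]]) -> Dict[Tuple[str, int], str]:
    roas = list(roas)
    return {(p, a): validate(roas, p, a).value for p, a in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in validate_all(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix:<18} AS{asn:<6} -> {state}")
```

Routers that enforce RPKI typically drop or de-prefer announcements that come back invalid, while a not-found result shows why the ROA coverage the press release talks about matters: a prefix with no ROA gets no protection at all.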

The White House is obviously taking the risks of major BGP attacks very seriously and is looking to protect against these apparent threats immediately.

“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker, Jr. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”

The full roadmap can be read or downloaded in PDF here.