These projections are supported by the 2024 Ponemon Healthcare Cybersecurity Report, which found that 92% of organizations experienced a cyberattack in the past 12 months—up from 88% in 2023, and that the cost of a healthcare data breach topped $4.7 million in 2024, making healthcare the single most expensive industry for ransomware and other cyber-attack clean-up costs.
The FBI via its Internet Crime Complaint Center (IC3) states that healthcare is now the primary industry target for ransomware gangs, while HHS OCR acknowledges that ransomware attacks against the industry are up a staggering 278% since 2020.
Two Landmark Attacks
Twenty Twenty-Four will also go down in history as the year of the single biggest, most disruptive, and most expensive healthcare cyberattack to-date, when in February, United Healthcare Group’s (UHG) Change Healthcare was attacked and breached by Russian-speaking ransomware group ALPHV/BlackCat, impacting nearly every American and exposing the PHI of at least 150 million individuals.
While the Change Healthcare attack becomes the new record holder, it effectively doubled breach numbers from the prior holder of the title - Anthem Health which in 2014 exposed the PHI of 78.8 million individuals in a landmark case.
Despite paying the criminals a staggering $22 million ransom, UHG was unable to retrieve its data and was then hit with a second extortion demand not to publish stollen PHI the perpetrators had exfiltrated. This was according to UHG CEO Andrew Witty when on May 1st this year he was hauled in front of Congress to explain the breach that had paralyzed much of US healthcare and what UHG was doing about the mess. At the hearings, lawmakers described the UHG Change Healthcare attack was ‘the most significant and consequential cyberattack on the U.S. health care system in American history’.
The Change Healthcare attack severely disrupted healthcare billing and payment operations for months, creating a huge backlog of unpaid claims, including problems with insurance approvals and Medicare reimbursements. It caused unprecedented financial and operational chaos for hundreds of medical facilities, physicians, and pharmacies as well as patients unable to gain approval for scheduled procedures or to pick-up their medications. It has placed hundreds of small and rural providers of healthcare at risk of closure, potentially depriving entire communities of tertiary health services.
The cyberattack has been attributed to Qilin, a Russian ransomware-as-a-service (RaaS) crime gang, this time with dual motivations so it seems. Qilin demanded $50 million in extortion, which was not paid in accordance with UK government policy, which prohibits making extortion payments to terrorists. The attack paralyzed services at London hospitals for many weeks. According to a recent report by Bloomberg, while responding to questions about the breach through a messaging account long associated with the gang, a representative for the hackers said that they were very sorry for the people who suffered but refused to accept responsibility for the human cost. They suggested 'the attack was justified because it was in retaliation for the British government’s involvement in unspecified wars'.
In the first half of 2024, ransomware victims have paid an astonishing $459.8 million to cybercriminals, setting the stage for a potentially record-breaking year. These extortion payments are also fueling the growth of the ransomware industry, so attacks are only likely to get worse in future years so long as ransoms are paid.
A Common Thread
Both Change Healthcare and Synnovis cyberattacks are indicative of a broader trend in healthcare, in that attacks are targeting third parties or business associates (BAs) to healthcare providers. According to John Riggi of the American Hospital Association (AHA), Fifty-eight percent of the 77.3 million individuals affected by data breaches in 2023 were due to an attack on a health care business associate - a 287% increase compared to 2022. Based upon the sheer size and impact of both Change Healthcare and Synnovis, it is highly likely that once the data is in for the year, 2024 will further drive this percentage. In other words, it’s no longer just healthcare payers and providers being attacked but their business associates which are now being actively targeted.
Hospitals and other providers have done a great job over recent years of improving their security posture with better risk analysis, risk remediation and implementation of security controls, yet overall healthcare attacks continue to increase. This is largely because cyber criminals and pariah nation states are focusing on the weakest link, in this case, the huge number of third parties now involved in modern healthcare delivery.
According to Riggi, "simply put, the 'bad guys' - foreign ransomware groups, primarily Russian speaking - have mapped the health care sector and identified key strategic nodes to attack that would provide the most disruptive impact and access across the health care sector. These "strategic nodes" translate to ubiquitous third-party technology and service providers. The more widespread and critical the impact, the higher the ransom payment demand and the higher the likelihood that the victim will succumb to making the payment". Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data or disrupt all the hospitals that depend on that single mission-critical third-party provider?
In fact, healthcare cyber attacks are all about maximizing disruption, not only to maximize payment pressure for the perpetrators, but also to cause damage and mayhem to critical national infrastructure in countries opposed to Russia’s expansive foreign policy stance, or to gain political advantage in the case of China or Iran. Together, these three adversaries of western liberal democracy are behind, or support and protect, the criminal actors involved in the majority of healthcare cyberattacks worldwide.
So how is it that third parties are now the weak link in healthcare security? The fact is that modern healthcare relies upon literally thousands of different vendors, suppliers, service providers and IT and business processing outsourcers. Everything from core EMR / EPR systems like Epic and Cerner-Oracle, to hundreds of different medical device manufactures and third-party management companies that now adorn our modern digital care centers. From insurance, billing, and collections to lengthy supply chains for medical equipment and supplies, vendors who often have remote access to hospital networks. The list is almost endless, and many providers don’t even have a good understanding or an accurate inventory of who or what, has access to their medical networks, let alone the risks each group, device or system may introduce. IoT is a particular problem, and many unpatched and insecure medical devices are easily compromised by criminals.
The Change Healthcare attack was the result of the vendor, Optum (part of UHG) failing to use multi-factor authentication (MFA) or privileged access management (PAM) on a legacy jump server used to administer the Change environment by systems administrators. It is thought that Optum did not own software licensing for the jump server running an out-of-date operating system it inherited as part of the Change Healthcare acquisition. And since the whole Change Healthcare environment was in the process of being replaced with new applications built to Optum standards, the short-term risks were considered acceptable rather than to spend the time and money building a new temporary jump server accessible only to a small number of trusted internal staff. However, one of the authorized users of this system had reused a password on another account which had previously been compromised. With a little research, hackers were able to put two and two together and gain access to the complete Change Healthcare environment.
Conversely, the Synnovis attack appears to have leveraged credentials from one of two prior attacks by a different Russian group, Black Basta, against its parent company, Synlab. Credentials, including VPN and MFA passwords that evidentially were not reset, nor was the Synlab environment really secure against common malware and other attacks. What was more alarming was that Synlab-Synnovis had very poor business continuity, disaster recovery and security incident response plans (BCP/DR/SIR) resulting in weeks lost restoring systems. This is something totally unacceptable to an ‘operations-critical’ industry like healthcare, where even short outages can lead to dramatic increases in patient morbidity and mortality.
Lessons Learned and Tougher Regulations
Plainly the lessons here are that providers of healthcare services – in the US, HIPAA ‘covered entities’ [CEs], need to mandate that every one of the hundreds of its third parties adhere to the same security standards, capabilities, and controls as hospitals themselves are required to meet. That means more regular and thorough security audits of all third parties. This is especially important, where the vendor is not big enough to provide evidence of ISO 27001 certification, or a SOC2 attestation that it meets key control objectives of the CE in question. [The Cylera platform, used by many providers across the world is ISO 27001 security certified as an example.]
In Europe that means compliance to NIS2 standards, which in the UK translates to adoption of the National Cyber Security Centre’s Cyber Assessment Framework (CAF) supported by regular Data Security and Protection Toolkit (DSPT) reporting. [CAF and DSPT reporting are built into the Cylera platform, which secures many UK NHS Trusts.]
2025 will likely see new US healthcare regulations with the Health Infrastructure Security and Accountability Act (HISAA). This aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISSA is still in the drafting stage at present, but will likely impose stricter cybersecurity standards, require audits, and stress tests, implement serious consequences for non-compliance while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities.
HISSA will no doubt help to continue to move the needle, just as NIS2 and CAF are already beginning to do, but the threats from criminal and pariah state actors are unlikely to be reduced, at least in the immediate term. With an ever-expanding attack surface as new healthcare technologies including AI, mHealth, consumer medical wearables, and more and more medical devices are adopted and deployed, securing healthcare has become of game of cat-and-mouse or whack-a-mole. A seemingly never-ending cycle of identify, protect, detect, respond, and recover as new risks and vulnerabilities are discovered and addressed through remediation, or the implementation of compensating security controls.
This blog was first posted at the following location.