Cybersecurity Management Lessons from Healthcare Security Breaches
Ransomware attacks and data breaches make headlines when they shut down huge connected healthcare providers such as Ascension Healthcare or Change Healthcare. Examining the available details of these breaches lets you learn from their pain and avoid the same humiliating and expensive situation.
Recent Healthcare Attacks & Breaches
Large breaches affected over 88 million individuals in the USA in 2023, a 60% increase from 2022. 2024 looks set to push that number higher still, given the scale of the ransomware attacks in the first half of the year in the USA, Canada, and Australia.
Ascension Healthcare Ransomware Shutdown
Unusual activity detected on May 8, 2024, caused Ascension Healthcare to shut down affected systems, notify authorities, and engage cybersecurity professionals. The attack caused major disruptions throughout the non-profit healthcare provider, which operates 140 hospitals and 40 senior care facilities in 19 states plus the District of Columbia. Unfortunately, the disruptions remain unresolved in many places, significantly affecting patient welfare.
Known Disruption & Damages
Ascension Healthcare's ongoing public updates describe the initial disruptions, which included:
- Disrupted operations: Cited issues include diverted ambulances for emergency services, inoperative phone systems, and disrupted clinical operations.
- Unavailable health records: All electronic patient information became unavailable, including the MyChart patient self-service database, hospital records, and the systems used to order tests, procedures, and medications.
- Canceled treatments: The network paused all elective procedures for the first week and delayed providing the results of many completed medical tests.
The Detroit Free Press interviewed stressed employees who complained of “waiting four hours for head CT (scan) results on somebody having a stroke or brain bleed.” Others complained that multiple patients received the same temporary medical records, so there is no confidence that blood test results will be matched to the correct patients.
CNN reported that the Black Basta ransomware gang performed the attack, although the company hasn't officially confirmed this. As of the last official update on May 21, many facilities still operated on paper, many pharmacies remained closed and unable to dispense medicine, and talks with vendors and partners about reconnecting systems had only just started.
Exposed Technical Issues & Other Consequences
There is no clear information on the initial entry point or the specific systems infected, so we can't speculate about the cause of the breach. However, it's obvious that Ascension failed to restore systems quickly or accurately. Weeks of paper operations and mismatched temporary records betray a lack of disaster recovery preparation and a lack of testing, whether recovery drills or penetration tests, that would have exposed the gaps before an attacker did.
Ascension might try to blame financial troubles for the lack of preparation. Ascension lost $2.66 billion on $28 billion in revenue in 2023, and cost-cutting efforts narrowed the loss to $237.8 million for the first three quarters of FY 2024. However, the attack also comes three years after Ascension laid off hundreds of local IT staff in a cost-cutting effort to outsource IT services to India.
Outsourcing alone doesn't cause problems, but perhaps Ascension's management needs to make IT a larger priority. For the most recent year available, Ascension's 2021 Form 990 shows:
- $13 million in CEO compensation for Joseph Impicciche
- $22 million in executive compensation for the next 8 highest paid executives
- $6.4 million in information technology expenses
- $1.3 million in consulting fees potentially for IT, including $987k earned by World Wide Technology, a St. Louis IT services provider, and $306k for Accenture.
IT should never be the top expense for a healthcare organization. Still, after massive disruption and impact on patient welfare, it's very difficult for Ascension to justify why the CEO earns roughly twice as much as the organization invests in IT, and why the top 9 executives together earn more than five times the IT spend at a non-profit organization.
Change Healthcare Ransomware
The UnitedHealth Group (UHG) acquisition of Change Healthcare in 2022 started paying the wrong type of dividends this February, when stolen credentials led to over $870 million in damages. The costs, affected patients, and consequences are still being tallied.
Known Disruption & Damages
Ransomware attackers used stolen credentials to access a Change Healthcare Citrix portal that had been set up without any multi-factor authentication (MFA) protection. Within nine days, the attackers moved laterally through the network and executed a ransomware attack that shut down the Change Healthcare processing and payment service that facilitates orders and payments for pharmacies, hospitals, and clinics nationwide.
Disclosed damages and costs include:
- 4TB of stolen data
- $22 million in paid ransom
- $593 million direct response costs
- $279 million in business disruption costs
- $1.6 billion in total potential damages by year-end
Although the impact on Change Healthcare and UHG will be quantified for the US Securities and Exchange Commission (SEC), the impact on the US healthcare industry is more difficult to measure. CNN interviewed small practitioners stranded without payments, and UHG wound up providing $6.5 billion in advance funding to thousands of providers by April.
UHG admits to paying $22 million to the ALPHV (aka BlackCat) ransomware-as-a-service (RaaS) group to prevent patient records from being leaked to the internet. Unfortunately, the ALPHV gang posted a fake law-enforcement takedown notice on their site and disappeared. The ‘notchy’ affiliate that executed the breach never received its share of the payment and took the data to a new RaaS gang known as RansomHub, which began leaking patient data.
Exposed Technical Issues & Other Consequences
The initial information exposes the critical importance of using MFA to protect remote access systems and of testing backup systems for disaster recovery. Companies should also use the free tools available to them. Hudson Rock, a cybercrime intelligence vendor that offers free services, posted that it had detected Citrix credentials stolen from Change Healthcare by infostealers a day after the initial attack.
UHG didn't do itself any favors with its communication strategy. In UHG's 10-K filing with the SEC at the end of February, the CEO signed off on a statement that claimed “as of the date of this report, we have not determined the incident is reasonably likely to materially impact our financial condition or results of operations.” While this avoids claiming certainty, it also implies that UHG still hoped to avoid financial repercussions for a nationwide outage.
Predictably, the US Congress soon called upon Andrew Witty, the highest-paid healthcare CEO with compensation of more than $23 million, to testify about healthcare breaches. Witty's testimony admits that the company can't identify the exfiltrated data or the affected patients. Senator Thom Tillis replied, “shame on internal audit and external audit and your systems folks tasked with redundancy. They’re not doing their job. And as a result we have a data breach.”
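The two checks a security team wants after a report like Hudson Rock's are (1) did any account that appears in an infostealer dump log in to the remote-access portal, and (2) which accounts completed a login with no second factor at all. The script below is an added example, not code from the original article, from Change Healthcare/UHG or from Hudson Rock. The leak-feed entries, the portal's JSON-lines log format, and every account name, hostname and IP address are constructed for illustration.

```python
"""Correlate a leaked-credential feed with remote-access portal logins.

Added example, not code from the original article, Change Healthcare/UHG or
Hudson Rock. The feed entries, the portal's JSON-lines log format and every
account name, hostname and address are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed leak-monitoring feed: account, the portal the credential was
# captured for, and when the stolen credential was first observed.
LEAKED_CREDENTIALS = [
    {"username": "jdoe", "portal": "https://remote.example-health.test",
     "observed": "2024-02-11T09:14:00Z"},
    {"username": "svc-billing", "portal": "https://remote.example-health.test",
     "observed": "2024-02-12T03:02:00Z"},
]

# Constructed authentication log of the remote-access portal, one JSON object
# per line. "mfa" names the second factor that completed the login, or "none".
PORTAL_LOG = """\
{"ts": "2024-02-12T01:30:12Z", "user": "jdoe", "result": "success", "mfa": "none", "src": "203.0.113.7"}
{"ts": "2024-02-12T07:45:01Z", "user": "asmith", "result": "success", "mfa": "push", "src": "198.51.100.20"}
{"ts": "2024-02-12T22:10:44Z", "user": "svc-billing", "result": "success", "mfa": "otp", "src": "203.0.113.9"}
{"ts": "2024-02-13T08:01:00Z", "user": "jdoe", "result": "failure", "mfa": "none", "src": "203.0.113.7"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def correlate(feed, log_text, window=timedelta(days=7)):
    """Alerts for successful logins by accounts present in the leak feed.

    A login counts when it falls within `window` of the leak observation on
    either side: infostealer dumps surface days after the workstation was
    infected, and the password stays valid until someone resets it.
    Password-only logins are 'critical'; MFA-backed logins by a leaked
    account are still 'high' because the attacker may already hold a session.
    """
    leaked = {}
    for item in feed:
        leaked.setdefault(item["username"], []).append(parse_ts(item["observed"]))

    alerts = []
    for ev in parse_log(log_text):
        if ev["result"] != "success" or ev["user"] not in leaked:
            continue
        ts = parse_ts(ev["ts"])
        if not any(abs(ts - seen) <= window for seen in leaked[ev["user"]]):
            continue
        alerts.append({
            "user": ev["user"], "ts": ev["ts"], "src": ev["src"], "mfa": ev["mfa"],
            "severity": "critical" if ev["mfa"] == "none" else "high",
            "action": "disable account, revoke portal sessions, reset password",
        })
    return alerts


def password_only_users(log_text):
    """Accounts that completed at least one login with no second factor:
    the MFA gap that let the Change Healthcare attackers in."""
    return sorted({ev["user"] for ev in parse_log(log_text)
                   if ev["result"] == "success" and ev["mfa"] == "none"})


if __name__ == "__main__":
    for alert in correlate(LEAKED_CREDENTIALS, PORTAL_LOG):
        print(alert)
    print("password-only logins:", password_only_users(PORTAL_LOG))
```

On the constructed data, `jdoe` produces a critical alert (leaked credential, successful password-only login) and `svc-billing` a high one (leaked, but MFA completed); `password_only_users` lists every account the portal would accept with nothing more than a stolen password, which is the list to fix before the next dump appears.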
Other Healthcare Ransomware Attacks
While the sheer scale and scope of the Ascension and Change ransomware attacks steal the headlines, many other healthcare providers also suffered attacks this year. Notable other events include:
These attacks don’t offer many details to learn specific technical lessons, but they highlight that attackers pursue all sizes of organizations anywhere in the world.
Non-Ransomware Breaches
Given all the noise about ransomware, it can be easy to forget that there are other attacks and causes of breaches. While the damage may be smaller, the public embarrassment and fines still cause reputational damage and potential business losses.
Notable alternative sources disclosed this year include:
- Email account compromise: The Los Angeles County Department of Health Services sent data breach notification letters to individuals affected by a phishing attack that stole credentials and gained access to 23 employee email mailboxes.
- Online trackers: Kaiser Permanente disclosed a HIPAA breach of 1.34 million patients' information caused by a third-party tracker installed on the Kaiser patient portal.
- Social engineering: The US Department of Health and Human Services Office of Information Security issued a sector alert to warn of threat actors using social engineering tactics on the IT help desks of healthcare and public health providers to gain access to systems and hijack payments.
Note that only two of these breaches stem from external attacks. Kaiser Permanente deliberately installed the third-party tracker that caused the data breach, without understanding its full capabilities and consequences.
5 Key Cybersecurity Management Lessons to Learn
You can’t just hope to avoid cyberattacks or other disasters; you have to expect that something bad will happen. Learn lessons from the misery of others and plan for failure, cover the basics, take advantage of free resources, guard against third-party breaches, and watch out for potentially costly narratives.
Plan for Failure
Never assume everything will be fine. “It’s imperative for hospitals and all public and private sector organizations to have an assumed breach mindset,” explains Dan Lattimer, Vice President at Semperis. “Preparing now for inevitable disruptions will dramatically improve an organization’s operational resiliency and better prepare them to turn away adversaries, leading the threat actors to softer targets downstream.”
Plan, implement, and regularly drill for potential failure using:
- Integrated risk management: Aligns operations goals with security risk to identify and protect the critical points of failure to limit the blast radius of potential issues.
- Disaster recovery: Exceed the compliance minimums and implement backup and data loss prevention best practices; back up critical systems such as Active Directory, server configurations, and network equipment settings, and keep copies that an attacker on the production network cannot reach.
- Tabletop exercises: Talk through potential disasters and response steps in advance so teams can identify points of failure and address them; where possible, execute recovery drills to gain experience with procedures and verify that disaster recovery plans actually work.
Steve Stone, the Head of Rubrik Zero Labs, adds that “we advocate that governments and private industry evaluate and enable recoverable backups for healthcare and a recurring sensitive data evaluation/reporting construct. The University of Twente recently studied factors contributing to paying a ransom and recoverable backups were the single largest delineator with organizations having recoverable backups being 27 times less likely to pay a ransom.”
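A recovery drill should end with an answer to one question per critical system: can we restore it, from an intact copy, recent enough to matter, from storage the attacker could not reach? The script below is an added example, not code from the original article, Semperis or Rubrik; the catalog rows, the restored contents and the policy numbers are constructed. It evaluates a backup catalog against that policy and reports why a system is not recoverable rather than just that it isn't.

```python
"""Check a backup catalog against a recoverability policy.

Added example, not code from the original article, Semperis or Rubrik. The
catalog rows, restored contents and policy numbers are constructed. For each
critical system the checks are: the restored content matches the recorded
hash, the newest intact copy is inside the recovery point objective (RPO),
there is more than one intact copy, and at least one intact copy is both
immutable and offsite so the ransomware that hit production cannot encrypt
or delete it.
"""
import hashlib
from datetime import datetime, timedelta

POLICY = {
    "rpo": timedelta(hours=24),
    "min_good_copies": 2,
    "require_immutable_offsite": True,
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


# Constructed "restore results": the bytes that came back when each catalog
# entry was restored to a scratch location during the drill.
AD_STATE = b"constructed: ntds.dit + SYSTEM hive, 2024-05-07"
EHR_DUMP = b"constructed: ehr full database dump"

CATALOG = [
    {"system": "Active Directory", "taken": "2024-05-07T23:00:00Z",
     "location": "onprem-nas", "immutable": False, "offsite": False,
     "sha256": sha256_hex(AD_STATE), "restored": AD_STATE},
    {"system": "Active Directory", "taken": "2024-05-07T23:30:00Z",
     "location": "cloud-vault", "immutable": True, "offsite": True,
     "sha256": sha256_hex(AD_STATE), "restored": AD_STATE},
    {"system": "EHR database", "taken": "2024-05-01T02:00:00Z",
     "location": "onprem-nas", "immutable": False, "offsite": False,
     "sha256": sha256_hex(EHR_DUMP), "restored": EHR_DUMP[:-1]},  # truncated restore
    {"system": "EHR database", "taken": "2024-05-07T02:00:00Z",
     "location": "onprem-nas", "immutable": False, "offsite": False,
     "sha256": sha256_hex(EHR_DUMP), "restored": EHR_DUMP},
]


def evaluate(catalog, now_iso, policy=POLICY):
    """Per system: recoverable? plus the reasons it is not."""
    now = parse_ts(now_iso)
    by_system = {}
    for entry in catalog:
        by_system.setdefault(entry["system"], []).append(entry)

    findings = {}
    for system, copies in by_system.items():
        problems = []
        good = [c for c in copies if sha256_hex(c["restored"]) == c["sha256"]]
        bad = [c["location"] + "@" + c["taken"] for c in copies if c not in good]
        if bad:
            problems.append("restore hash mismatch: " + ", ".join(bad))
        if not good:
            problems.append("no copy restored intact")
        else:
            age = now - max(parse_ts(c["taken"]) for c in good)
            if age > policy["rpo"]:
                problems.append(f"newest intact copy is {age} old, RPO is {policy['rpo']}")
        if len(good) < policy["min_good_copies"]:
            problems.append(f"{len(good)} intact copy(ies), policy needs {policy['min_good_copies']}")
        if policy["require_immutable_offsite"] and not any(
                c["immutable"] and c["offsite"] for c in good):
            problems.append("no intact copy is both immutable and offsite")
        findings[system] = {"recoverable": not problems, "problems": problems}
    return findings


if __name__ == "__main__":
    for system, result in evaluate(CATALOG, "2024-05-08T06:00:00Z").items():
        status = "OK" if result["recoverable"] else "NOT RECOVERABLE"
        print(f"{system}: {status} {result['problems']}")
```

With the constructed catalog, Active Directory passes (two intact copies, one immutable and offsite, taken hours ago) while the EHR database fails on every count: one restore comes back truncated, the surviving copy is a day past the RPO, and nothing sits outside the reach of a production compromise. That is the report a tabletop exercise should be producing before the incident, not the one an incident produces for you.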
Cover the Basics of Cybersecurity
While you must plan for disaster, it’s even better to avoid it. Fortunately, a small number of basic security principles can prepare every organization for the bulk of attacks:
- Protect identity: Credentials will be stolen, so implement MFA to make attacks harder to execute and implement Active Directory (AD) security to catch attempted credential abuse.
- Test systems: Don’t assume correct installations and configurations; use penetration testing to validate the initial and ongoing status of externally facing and high-value systems.
- Patch known weaknesses: Vendors regularly issue patches to fix discovered flaws, so use patch or vulnerability management to prioritize, track, and implement fixes.
- Identify and manage assets: To ensure no device is overlooked, perform asset discovery and implement IT asset management, especially for high-risk systems.
- Control regulated data: Use data tracing and identification through data loss prevention (DLP) and other tools to find data, control access, and protect it with encryption.
Yossi Rachman, Senior Director of Security Research, Semperis, emphasizes that “Active Directory environments are the most vulnerable entry points and one of the most negatively impactful attacks; hackers frequently target these environments, making it imperative that organizations have real time visibility to changes to elevated network accounts and groups.”
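The "real time visibility to changes to elevated accounts and groups" that Rachman describes comes down to watching a handful of Windows Security events. The script below is an added example, not code from the original article or from Semperis. The event IDs are the real ones (4728/4732/4756 for a member added to a security-enabled global/local/universal group, 4729/4733/4757 for a removal) and the column names mirror the event XML fields, but the CSV export, accounts, groups and timestamps are constructed. Beyond flagging every change to a Tier 0 group, it catches two patterns periodic group audits miss: an administrator adding their own account, and an add that is reverted minutes later after the elevated session did its work.

```python
"""Alert on membership changes to privileged Active Directory groups.

Added example, not code from the original article or from Semperis. The rows
below are a constructed CSV export of Windows Security events; the event IDs
and column names are the real ones, every account, group change and timestamp
is made up.
"""
import csv
import io
from datetime import datetime, timedelta

# Tier 0 and operator groups: a change here should page someone.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
}
ADD_EVENTS = {"4728": "global", "4732": "local", "4756": "universal"}
REMOVE_EVENTS = {"4729": "global", "4733": "local", "4757": "universal"}

# Constructed export. For local-group events (4732/4733) TargetDomainName is
# the computer name, so the second row is local Administrators on WS-0412.
SAMPLE_EVENTS = """\
TimeCreated,EventID,SubjectUserName,MemberName,TargetUserName,TargetDomainName
2024-05-08T02:13:01Z,4728,helpdesk01,"CN=svc-backup,OU=Service,DC=corp,DC=example",Domain Admins,CORP
2024-05-08T02:13:05Z,4732,helpdesk01,"CN=svc-backup,OU=Service,DC=corp,DC=example",Administrators,WS-0412
2024-05-08T09:40:00Z,4728,hr-admin,"CN=new.hire,OU=Staff,DC=corp,DC=example",Nursing Staff,CORP
2024-05-08T11:05:30Z,4756,adm.jlee,"CN=adm.jlee,OU=Admins,DC=corp,DC=example",Enterprise Admins,CORP
2024-05-08T11:06:00Z,4757,adm.jlee,"CN=adm.jlee,OU=Admins,DC=corp,DC=example",Enterprise Admins,CORP
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def member_cn(dn):
    """'CN=svc-backup,OU=Service,...' -> 'svc-backup'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def parse_events(text):
    return list(csv.DictReader(io.StringIO(text)))


def privileged_changes(rows, revert_window=timedelta(minutes=10)):
    """One alert per add/remove on a privileged group, with two extra flags.

    self_elevation: the actor changed the membership of their own account.
    quick_revert:   a removal within `revert_window` of the matching add,
                    the add-act-remove pattern that hides from periodic group
                    audits but not from event monitoring.
    """
    alerts = []
    pending_adds = {}  # (member, group, domain) -> time of the add
    for row in rows:
        event_id = row["EventID"]
        if event_id in ADD_EVENTS:
            action, scope = "add", ADD_EVENTS[event_id]
        elif event_id in REMOVE_EVENTS:
            action, scope = "remove", REMOVE_EVENTS[event_id]
        else:
            continue
        group = row["TargetUserName"]
        if group not in PRIVILEGED_GROUPS:
            continue  # routine group change, leave it for the dashboard
        member = member_cn(row["MemberName"])
        ts = parse_ts(row["TimeCreated"])
        key = (member.lower(), group, row["TargetDomainName"])
        if action == "add":
            pending_adds[key] = ts
            quick_revert = False
        else:
            added_at = pending_adds.pop(key, None)
            quick_revert = added_at is not None and ts - added_at <= revert_window
        alerts.append({
            "time": row["TimeCreated"], "action": action, "scope": scope,
            "actor": row["SubjectUserName"], "member": member, "group": group,
            "domain": row["TargetDomainName"],
            "self_elevation": row["SubjectUserName"].lower() == member.lower(),
            "quick_revert": quick_revert,
        })
    return alerts


if __name__ == "__main__":
    for alert in privileged_changes(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed rows the Nursing Staff change is ignored, the two `svc-backup` additions at 02:13 are plain alerts, and `adm.jlee` produces a self-elevation alert followed thirty seconds later by a quick-revert alert. Feeding the same logic from a SIEM query instead of a CSV is the only change needed to run it for real; the Administrators entry shows the trade-off, since including local Administrators catches workstation persistence but raises volume on busy fleets.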
Use Free Resources
Healthcare, like most sectors, struggles to grow IT budgets. However, teams can invest a little time in free resources without financial strain.
While these tools may require more time and expertise than commercial tools, helpful tips can be easily found in a large number of online articles, videos, and community forums.
Prevent Third-Party Breaches
As MediSecure experienced, trusted partners can become the source of attack. Jeremy Nichols, NTT Security Holdings Director, Global Threat Intelligence Center, recommends that “healthcare providers need to strongly assess supply chain providers, third party integrations, and customer and insurance web portals. These present major publicly facing entry points to provider, insurance, and patient data that leave both healthcare organizations and their patients at risk.”
- Track vendor risks: Third-party risk management tools help to track partners and to even conduct risk assessments against their infrastructure.
- Monitor software supply chains: Use software and website vulnerability scanners to scan libraries and software supply chain components for flaws and malware.
- Understand web plug-ins: Fully understand the capabilities and consequences of installing third-party plugins to websites to avoid inadvertent security breaches.
- Apply API security: Application programming interfaces (APIs) create fast software connections, but API vulnerabilities can be very hard to detect and quite dangerous.
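The Kaiser Permanente breach is the "understand web plug-ins" lesson in practice: a script or pixel on a patient portal page talks to its vendor's servers and can read whatever the page (and its URL) exposes. The audit below is an added example, not code from the original article or from Kaiser Permanente. The HTML, the hostnames and the allowlist are constructed. It inventories every origin a page loads resources from, separates first-party and vetted origins from unreviewed third parties, and lists the identifiers in the page URL that any of those third-party scripts can read.

```python
"""Inventory the third-party origins a patient-portal page loads.

Added example, not code from the original article or from Kaiser Permanente.
The HTML, hostnames and allowlist are constructed. Every external origin in
the report receives a request when the page loads, and a third-party script
can read anything on the page, including document.location.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

PAGE_URL = "https://portal.example-health.test/appointments?mrn=12345"
ALLOWED_ORIGINS = {"cdn.example-health.test"}  # vetted first-party CDN

SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="/static/portal.css">
<script src="https://cdn.example-health.test/js/app.js"></script>
<script src="https://analytics.tracker-vendor.test/tag.js" async></script>
</head><body>
<img src="https://pixel.ad-network.test/p.gif?ev=appointments" width="1" height="1">
<iframe src="https://chat.support-vendor.test/widget"></iframe>
<script src="/static/forms.js"></script>
<script>window.portal = {page: "appointments"};</script>
</body></html>
"""

# Element -> attribute that triggers a network request when the page loads.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                 "link": "href", "source": "src", "video": "src", "audio": "src"}


class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # (tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:  # inline <script> blocks have no src and are skipped here
            self.resources.append((tag, urljoin(self.base_url, value)))


def audit_page(page_url, html, allowed=frozenset()):
    """Group loaded resources by trust and note identifiers in the page URL."""
    page_host = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    report = {"first_party": [], "allowed": [], "third_party": []}
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host == page_host:
            report["first_party"].append((tag, url))
        elif host in allowed:
            report["allowed"].append((tag, url))
        else:
            report["third_party"].append((tag, url))
    # Query parameters are readable from document.location by every
    # third-party script above, and trackers routinely report the full URL.
    report["url_params"] = sorted(parse_qs(urlparse(page_url).query))
    return report


def third_party_hosts(report):
    return sorted({urlparse(url).hostname for _, url in report["third_party"]})


if __name__ == "__main__":
    result = audit_page(PAGE_URL, SAMPLE_HTML, ALLOWED_ORIGINS)
    print("third-party origins:", third_party_hosts(result))
    print("identifiers exposed in URL:", result["url_params"])
```

On the constructed page the audit reports three unreviewed origins (an analytics tag, a tracking pixel and a chat widget) and one identifier, `mrn`, sitting in the URL where all three can read it. Run against real portal pages, the output is the list of vendors that need a business associate agreement and a data-flow review, and the list of pages whose URLs should stop carrying patient identifiers.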
Beware the Narrative
Overly optimistic initial assessments and denials not only create backlash but also provide motivation and ammunition for punitive litigation. To make matters worse, recent decisions on IT spending or resource allocation will be examined after a breach more closely than might be reasonable.
- Consider future optics: Before making outsourcing, budget, and management pay decisions, consider how they would look in the context of a significant breach.
- Avoid false certainty: Press teams always push for strong, confident statements to boost stakeholder confidence, but avoid optimistic interpretations.
While doom and gloom are equally useless, optimism provides more fuel for backlash. Keep statements simple, clear, and to the point.
Bottom Line: Learn Healthcare’s Lessons Before Suffering Pain
Ransomware and other attacks will continue to surge so long as attackers continue to profit. To avoid joining these high-profile healthcare organizations in public shame and financial pain, apply the five key lessons to improve your organization’s security today. Security will never be completely foolproof, but it certainly can decrease the blast radius of a successful attack and keep you out of the news.
If you don’t have the resources to act, explore outsourcing as an option for improved security and read about managed security service providers (MSSPs).