UnitedHealth, Ascension Attacks Feed Debate Over Health Care Security


The devastating ransomware attacks this year on a subsidiary of UnitedHealth Group and, more recently, on nonprofit healthcare giant Ascension are adding fuel to the debate between the White House’s months-long plans to establish minimum cybersecurity standards for hospitals and the industry’s belief that voluntary practices are enough.

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during the Bloomberg Tech Summit last week that the Biden Administration plans to issue proposed rules in the coming weeks, putting an even tighter focus on an industry that has become a top target of cybercriminals.

The government has stressed the need to bolster the cybersecurity of 16 critical infrastructure sectors, including healthcare and public health. The call for greater security measures in the industry escalated with the massive data breach in February of Change Healthcare, the UnitedHealth subsidiary that processes payments, insurance claims, and prescription orders for hundreds of hospitals, clinics, and pharmacies in the United States.

UnitedHealth has more than 152 million customers and the disruption to services was nationwide. The American Hospital Association (AHA) said that 94% of hospitals were hurt financially by the attack, with more than half of those reporting “significant or serious” impacts.

At the same time, UnitedHealth said in a statement late last month that the bad actors – an affiliate group of the BlackCat ransomware gang – stole files that contained the personally identifiable information and protected health data of a “substantial proportion of people in America.”

A ransomware attack on the Ascension health care system – likely by the threat group Black Basta – led to disrupted operations throughout its network of hospitals in the United States. CISA, the FBI, and other federal agencies issued an advisory about Black Basta soon after.

White House, AHA at Odds

The cybersecurity standards being developed by the White House are aimed at forcing health care companies and hospitals to strengthen their cybersecurity practices and protect the vast amount of personal data they hold.

Those standards won’t come without opposition. The AHA last month argued in a letter to a Congressional subcommittee that hospitals and health systems already have spent billions of dollars and taken myriad steps to protect their networks against intrusions and that the bulk of the most significant data breaches were the result of outside non-hospital third parties.

The group, which represents almost 5,000 hospitals, health systems, and other health care organizations, said it is fine with voluntary security practices but not with standards that come with penalties if they’re not met.

“No organization, including federal agencies, is or can be immune from cyberattacks,” the AHA wrote. “Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

Neuberger reportedly pushed back during a talk at the RSA Conference last week, saying that “People now often say, ‘Well, they’re revictimizing the victim.’ And I think we need to look at it as, by the time a Change Healthcare attack happens, when for a decade, we’ve been calling and saying ‘Companies, encrypt your data, use MFA,’ are they still a victim? Or is there a question of, is this negligence?” according to a report in The Record.

Christopher Budd, director of threat research at cybersecurity company Sophos, noted that the Change attack was a big source of discussion at the RSA conference. “Just two months ago, Change Healthcare was the victim, leaving its patients severely at risk and the company owing nearly $900 million. These attacks will keep annihilating businesses until we take steps as an industry to combat the problem,” he said.

Hospitals Under Siege

Hospitals and other healthcare facilities have become a top target of ransomware and other groups, given the tremendous amount of personal and health data they hold and the large number of connected devices they use. The U.S. Department of Health and Human Services (HHS) reported a 93% increase in large data breaches recorded between 2018 and 2022 – including a 278% increase in those related to ransomware – and of the 16 critical infrastructure sectors, health care was the most attacked by ransomware last year, according to the FBI. Of the 1,193 complaints received from critical infrastructure organizations, 249 were from health care entities. Critical manufacturing was next, with 218.

And breaches are costly. IBM said the average cost of a health care breach between 2022 and 2023 was $10.93 million, a 53.3% increase over the previous three years and the highest amount of any sector. The average for all breaches was $4.45 million.

An analysis by Healthnews of data breaches reported to HHS this year found that 32.4 million patients in the United States have been affected by 275 health care data breaches so far. According to Sophos, 67% of health care organizations were targeted by ransomware attacks last year.

“These continued cyberattacks against health care organizations have devastating implications for patients across the United States, but we can’t be surprised that it keeps happening,” Sophos’ Budd said. “Health care organizations are major targets for cybercriminals precisely because adversaries know how important their operations are and how valuable their data is.”

A FedRAMP for Health Care?

Given that, voluntary security practices like those supported by the AHA have proven to be ineffective, according to cybersecurity company stackArmor. More than a decade of trying such models has only resulted in more serious security breaches, the company wrote in a blog post, adding that FedRAMP – the Federal Risk Assessment and Management Program, which sets security standards for cloud products and services delivered to the public sector and defense industry – offers a template that can be used in other sectors. The program was launched in 2011 and codified two years ago.

The company proposed a HealthRAMP, using the same security standards and processes that are found in FedRAMP, noting that the attack on Change was launched by bad actors exploiting a security flaw in ConnectWise’s ScreenConnect product.

“Healthcare industry members would be responsible for paying a fee and must maintain their Authority to Operate (ATO) through a formal and mandatory assessment & accreditation regime,” stackArmor wrote. “For example, if Change Healthcare wanted to use ConnectWise software then both would have to obtain a HealthRAMP ATO at the data security classification level.”

StackArmor added that “evolving the cybersecurity regulatory framework based on lessons from the past can inform our path forward.”
