Ransomware attacks on the healthcare industry and subsidiaries are ramping up in the United States and the United Kingdom, and there are some important takeaways from this trend.
First, these attacks expose common weaknesses that ransomware gangs are exploiting, weaknesses that can be remedied. Second, the recent string of attacks isn't a coincidence; there is a reason healthcare continues to be targeted. And finally, the attacks show why companies need to scrutinize their agreements with third parties and contractors to ensure they adhere to strict data privacy and security standards.
Without a comprehensive security assessment and proper redundancies in place, hospital and health insurance systems are vulnerable to these increasing ransomware attacks, which can not only leak sensitive patient information but also shut down the systems that hold accurate, up-to-date health records, worsening patient care and outcomes.
Here’s how the attacks have unfolded this year and what the healthcare industry can do.
Compromised credentials, careless clicking
Phishing emails that trick employees into clicking a malicious link or opening an infected attachment, and the abuse of exposed remote access services such as Remote Desktop Protocol (RDP), are among the most common ways ransomware gets deployed, and that is what happened in two high-profile US cases this year: one through stolen credentials on a remote access portal, the other through a malicious download.
In February, Change Healthcare, a subsidiary of UnitedHealth Group, the largest health insurance carrier in the US, was attacked by ALPHV/Blackcat. Though little known to the public, Change handles 15 billion transactions annually, and the attack left healthcare providers unable to receive insurance payments and pharmacies unable to process prescriptions. With providers losing up to $1 billion a day by one estimate, Change reportedly paid a $22 million ransom.
The attack not only shut down payment processing; it also compromised protected health information (PHI) and personally identifiable information (PII), according to UnitedHealth, which said the leaked information could affect “a substantial proportion of people in America.”
How did the hackers get in? UnitedHealth's CEO told Congress they used compromised credentials to remotely access a Citrix portal that did not have multi-factor authentication. Requiring MFA on such a portal sharply reduces the chance that an attacker can get in with a stolen or carelessly guarded password alone.
Two months later, Black Basta hacked the Ascension group of 140 hospitals across the US, affecting phones, scheduling, and electronic health records, and causing ambulances to be diverted. The company said hackers gained access when an individual working at one of its facilities downloaded a malicious file they thought was legitimate.
Ransom target expands
According to Wired, a cybersecurity firm recorded 44 healthcare-related ransomware attacks in April, the month following Change's ransom payment, up from 30 the month before. Because healthcare providers have been willing to pay ransoms to regain access to their platforms, ransomware gangs appear emboldened to ramp up attacks.
In June, the ransomware gang Qilin attacked Synnovis, a medical diagnostics service used by several major London hospitals, disrupting blood tests and transfusions, and postponing operations. Earlier this year, Nottingham Rehab Supplies Healthcare, a company that supplies equipment to local UK authorities, was affected by a ransomware attack that breached personal data.
Third-party data security
These recent attacks are a stark reminder of the importance of strong security agreements with third parties, as well as of reviewing the security procedures of acquired companies. When healthcare conglomerates acquire smaller operations or rely on contractors for parts of their operations, their security is only as strong as the weakest link in that chain.
Preparing and responding
Healthcare companies concerned about their ransomware risk should conduct a 360-degree risk assessment of their systems that identifies potential weaknesses, then develop an actionable, comprehensive plan for improving defenses. Convergent DS has a dedicated offering for this called Ransomware Assess.
Companies should also back up all critical information on a regular schedule, and then test those backups by actually restoring from them; a backup that has never been restored is unverified, and the time to discover it is empty or corrupt is not during an incident. At least one copy should be stored outside the organizational network, offline or otherwise unreachable from production systems, so that ransomware spreading through the network cannot encrypt or delete the backups along with everything else.
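The following POSIX shell script is an added example of the backup-and-restore test just described; it is not code from the original post or from Convergent DS. It assumes only `sh`, `tar` and `sha256sum` (GNU coreutils or busybox), and every path in it is a placeholder chosen by the caller. `make_backup` writes the archive plus a per-file manifest and an archive hash; `verify_backup` proves the stored copy is intact and restores completely, without needing the live source, so it can be run against an offline copy.

```shell
#!/bin/sh
# Added example (not code from the original post): back up a directory,
# record integrity data, and prove the backup restores. Assumes POSIX sh plus
# tar and sha256sum (GNU coreutils or busybox). Paths are caller-supplied
# placeholders.

# make_backup SRC_DIR ARCHIVE
# Produces ARCHIVE (tar of SRC_DIR), ARCHIVE.manifest (SHA-256 of every file
# in SRC_DIR, paths relative to SRC_DIR) and ARCHIVE.sha256 (hash of the
# archive itself).
make_backup() {
  src="$1"; archive="$2"
  # Per-file hashes with relative paths, so they can be checked from any
  # restore location without access to the original source.
  ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.manifest" || return 1
  tar -C "$src" -cf "$archive" . || return 1
  # Hash the archive so corruption or tampering of a stored copy is caught
  # before anyone relies on it.
  ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" ) > "$archive.sha256" || return 1
}

# verify_backup ARCHIVE
# Exit status: 0 = archive hash matches and a full restore into a scratch
# directory reproduces every file in the manifest; 2 = archive hash mismatch;
# 3 = restore (tar extraction) failed; 4 = restored tree differs from the
# manifest (missing or altered files).
verify_backup() {
  archive="$1"
  dir=$(cd "$(dirname "$archive")" && pwd) || return 1
  name=$(basename "$archive")
  # Step 1: is the stored copy byte-for-byte what we wrote?
  ( cd "$dir" && sha256sum -c "$name.sha256" ) >/dev/null 2>&1 || return 2
  # Step 2: actually restore it, into a throwaway directory.
  scratch=$(mktemp -d) || return 1
  if ! tar -C "$scratch" -xf "$dir/$name"; then rm -rf "$scratch"; return 3; fi
  # Step 3: does the restored tree contain every file, unchanged?
  ( cd "$scratch" && sha256sum -c "$dir/$name.manifest" ) >/dev/null 2>&1; rc=$?
  rm -rf "$scratch"
  [ "$rc" -eq 0 ] || return 4
  return 0
}

# Usage (replace the placeholder paths):
#   make_backup /srv/records /mnt/offline/records-YYYY-MM-DD.tar
#   verify_backup /mnt/offline/records-YYYY-MM-DD.tar
```

Run `verify_backup` on the copy that lives off the network, not on the one still sitting on the server that made it: the point is to learn that the offline copy would actually bring systems back, and a non-zero exit status from the check is the signal that the backup plan, not the restore, needs fixing.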
And above all, organizations should train (and retrain) their team, and ensure their third parties and contractors are doing the same, to recognize phishing attacks so they don't click malicious links or download ransomware disguised as PDFs and other files. Companies should also review their remote access portals to make sure MFA is enabled and that services such as RDP are not exposed directly to the internet.
If an attack is successful, companies should consider contracting with a digital forensics team such as Convergent DS that can determine the scope of the ransomware infiltration and, where possible, contain it before it spreads to other parts of your systems. Such teams can sometimes decrypt files without paying the attackers, but only when a flaw in the ransomware or a published decryptor exists for that strain; more often the realistic path is to clean the systems and restore files from previously created backups, which is why tested, offline backups matter.
If your company wants to assess your ransomware risk and develop a plan, contact us today.