After Years of Ransomware Attacks, Healthcare Defenses Still Fail

Federal officials and industry leaders have known for years that the U.S. health care system was one of the critical sectors most vulnerable to hacking, but they failed to make improvements that could have stopped attacks like the one that paralyzed pharmacists and other medical providers for three weeks.

The danger was evident in 2021, when ransomware gangs hit hospitals already overwhelmed by the covid-19 pandemic, forcing some to divert incoming emergency patients to other facilities and potentially contributing to deadly treatment delays.

But while private-sector lobbyists oppose new security requirements, Congress and the regulatory machinery have moved slowly, mostly promoting best practices that hospitals can, and do, choose to ignore.

The same goes for relatively unknown electronic clearinghouses like UnitedHealth Group’s Change Healthcare, which was the target of an attack launched last month by a hacker affiliated with the ALPHV ransomware gang. The attack severed a key link between medical providers and their patients’ insurance companies in the worst healthcare hack ever reported. Change Healthcare said Monday it has provided $2 billion in advances to pharmacies, hospitals and other providers that were unable to get insurance reimbursements when its network went down.

Critics say the Change Healthcare fiasco, which interfered with patient care in nearly three-quarters of American hospitals, shows that defensive efforts are woefully insufficient. They say a comprehensive response would include strict security requirements for the most critical elements of the sprawling system, followed by less stringent but still sufficient rules for large hospital systems. Smaller providers, which sometimes have no security personnel at all, should receive help, as the administration’s proposed budget calls for.

“We need to make sure we know where those vulnerable points are,” Nitin Natarajan, deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, agreed in an interview. “We are looking at what levers exist.”

Some members of Congress believe this should have already happened.

“The government must prevent this kind of devastating hack from happening again and again,” Sen. Ron Wyden (D-Ore.) told the Washington Post. “I want to work with the Biden administration to ensure that mandatory and specific cybersecurity rules are in place as soon as possible and to ensure CEO accountability.”

Deputy National Security Advisor Anne Neuberger said the White House was studying laws it could use to impose such standards on a reluctant industry, while telling executives they were expected to comply immediately with the voluntary guidelines.

“The Hill has not passed any legislation requiring authorities to impose minimum standards, which is why we have resorted to emergency authorities or sector-specific rulemaking,” Neuberger told the Post on Monday.

She said some requirements are coming soon for providers who accept Medicare and Medicaid.

Last year, more healthcare targets reported ransomware attacks to the FBI’s Internet Crime Complaint Center than any other of the 16 critical infrastructure sectors, according to the annual summary released this month.

Experts said industry resistance to mandatory security requirements was only part of the problem.

Hospitals are preyed upon because they represent “easy money,” said Greg Garcia, executive director of a health care industry cybersecurity group and former deputy secretary of Homeland Security. “If the choice is to pay the ransom and save a life and not pay the ransom and risk losing a life or going bankrupt if it’s a small system, it’s a no-brainer for the hacker.”

When asked why better preparations had not been made, Natarajan said the “complexity of the industry” was partly the reason.

A single healthcare service can bring together countless participants – doctors and hospitals, insurance companies, drug manufacturers, pharmacies and platforms like Change Healthcare – all connecting electronically. This makes each participant, with its own technology and priorities, a potential gateway to the entire medical universe.

So when hackers break into providers and others, encrypting health and billing records and demanding money to unlock them, they can also break into adjacent targets.

More than half of all attacks on health care come from third parties, according to Garcia, whose organization is called the Healthcare Sector Coordinating Council Cybersecurity Task Force.

The complexity is compounded by the fact that separate regulators apply to many sectors of the healthcare economy, some of which offer different or no security guidelines from each other. The largest authority, the Department of Health and Human Services, enforces rules to secure sensitive healthcare data and is investigating the Change Healthcare breach. HHS did not respond to requests for comment.

Last year, CISA named healthcare as one of its top technology security priorities, alongside water, public schools and election systems. The agency offers free vulnerability assessments and training, and it was able to warn about 100 health care providers over the past year that their systems were under attack before it was too late.

One of the key questions is whether to pay a ransom to unlock systems after hackers take control.

In a statement, the White House said it “strongly discourages the payment of ransoms, in order to stop the flow of funds to these criminals and deter their attacks.”

But many cyber insurance companies suggest paying if data backups are not available.

When healthcare providers don’t pay, the results can be catastrophic. Change Healthcare’s parent company, UnitedHealth Group, has not denied reports that it waited two weeks before sending $22 million to the Russian-speaking ALPHV ransomware gang.

In this case, most of the damage hit other organizations that relied on Change Healthcare, as well as patients who found they couldn’t get life-saving medications without paying the same price as someone without insurance.

There was also serious collateral damage after a major attack on the Scripps hospital network in San Diego in 2021, according to a May article in JAMA, the journal of the American Medical Association. Scripps did not pay the ransom, according to reports at the time. The study found that the time lost by patients due to being redirected to other emergency departments more than doubled in the first days after the attack.

At Scripps hospitals, critical equipment was unusable, a doctor told the Washington Post, including electronic patient records. Some young doctors who had never used paper records before simply went home.

“You had to rely on the patient to tell you what medications they were taking, what surgeries they had had, if they remembered them,” the doctor said. “I’m sure we made mistakes.”

Some security industry veterans, who had witnessed a series of data breaches in the medical sector before Covid-19, foresaw the rise of ransomware that would follow and formed a group of volunteers to help in March 2020. Called the Cyber Threat Intelligence League, they analyzed hospital networks remotely, searching for vulnerabilities and alerting facilities that were in danger.

Members also informed hospitals already under attack and in poor condition.

“Personally, I have no doubt that lives were lost,” said Marc Rogers, co-founder of the CTI League. “When you talk to a hospital in the wee hours of the morning and they have no way to access patient medical records and use more advanced systems, you know it’s going to cost lives.”

In many cases, hospitals were reluctant to take advice from outsiders, even when CISA or the FBI vouched for them, Rogers recalls. Smaller hospitals often had no connection to the industry’s nonprofit security information sharing group. Through trial and error, the league found that the best way to convey advice and fixes was often through equipment and software vendors who already had a technical contact inside the facility.

The league’s biggest successes were the few times it discovered a critical software flaw at a hospital, confirmed that ransomware hackers were exploiting the same flaw elsewhere, and explained the situation to the hospital in time for it to detect the hackers in its systems before they encrypted them. CISA now uses the same approach.

Rogers, a former chief security officer at internet security company Cloudflare, said greater collaboration and better guidance from federal agencies is only part of the answer. What remains unchanged is the fact that many hospitals are small nonprofits without anyone capable of implementing even minimal controls over online access, such as multi-factor authentication, instead of just passwords.

“None of this takes into account the lack of funding to do this stuff,” Rogers said. “These hospitals still lack resources. If you go to a rural hospital, you’ll be lucky to find any cybersecurity expertise there.”

The government’s approach so far, he added, means that “you give them a list of things they have to do, but you don’t give them the means to do it.”
