Predictable ransomware tsunami hits healthcare sector after $22m payout
There was a time when, even in the cutthroat world of ransomware crime, there was a bit of honor among thieves. Never in writing or contractual, but the mostly unspoken agreement among attackers was to lay off healthcare providers. The goal of the attack was money — not to kill people.
Those now sound like the good old days. Now, putting the privacy, health, and lives of patients at risk is leverage — an easier, faster way to a much bigger payday. That incentive, along with the dismissal of even a shred of morality, has put crosshairs on the healthcare industry, creating a figurative tsunami of attacks.
There are plenty of examples of what creates that incentive, but the highest-profile of the year was in February, against Change Healthcare, one of the largest health payment processing companies in the world. “It acts as a clearinghouse for 15 billion medical claims each year — accounting for nearly 40 percent of all claims,” according to a post from the U.S. House Energy and Commerce Committee.
The damage from the attack, launched by a group known as AlphV or BlackCat, was varied and devastating. It wasn’t just that data was encrypted, which took the company offline, thereby disrupting services and creating a backlog of unpaid claims that caused major cashflow problems for doctors’ offices and disrupted hospital operations. The group also exfiltrated up to 4TB of data, including personal information, payment details, insurance records and other sensitive information.
“…[M]illions of Americans may have had their sensitive health information leaked onto the dark web,” according to the House committee’s post. Indeed, the ransom payment was a reported $22 million, but the company said its total costs might reach $1 billion.
Unfortunately, $1 billion is likely only the start for the healthcare industry overall, given that the ransom payment was a signal to other criminals about how much quick money they can make. Rick Pollack, president and CEO of the American Hospital Association, told Security Intelligence that the attack was “the most significant and consequential incident of its kind against the U.S. healthcare system in history.”
Pay more, lose more
Significant and consequential because, as noted, the ransom payment would lead to lots more attacks.
Wired magazine reported that in April, the cybersecurity firm Recorded Future had “tracked 44 cases of cybercriminal groups targeting healthcare organizations with ransomware attacks, stealing their data, encrypting their systems, and demanding payments from the companies while holding their networks hostage.”
“That’s more healthcare victims of ransomware than in any month Recorded Future has seen in its four years of collecting that data,” Allan Liska, a threat intelligence analyst at the company, told Wired, adding that, “These kinds of large payments are absolutely going to incentivize ransomware actors to go after healthcare providers.”
Among those attacks was one on July 31 against OneBlood, a not-for-profit blood center serving more than 250 hospitals in the southeastern United States. The damage was not catastrophic, but company officials said that while OneBlood “remains operational and continues to collect, test and distribute blood, [we] are operating at a significantly reduced capacity.”
All of which raises the usual troubling questions. Among them: why are ransomware gangs so often successful, especially when there are constant horror stories about such attacks, some of them making national news? Attacks on healthcare providers have been rising for years. The JAMA Health Forum reported nearly two years ago in a post on Lawfare that “the annual number of ransomware attacks on healthcare delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients.”
So it can’t be a lack of awareness — ransomware has been in the headlines for decades, and the worst attacks are frequently labeled “wake-up calls.” But the fact that the label is so frequent is proof that if there is any waking up going on, it’s usually just the victim organization and maybe some of its customers.
Why? There aren’t any defensible reasons. Perhaps it’s the same mentality that led drivers to ignore the risk of not wearing a seatbelt (until their vehicles started harassing them into doing it): the delusion that car crashes only happen to other people.
Fundamental failure
In the Change Healthcare case, it was a failure to provide a security fundamental. According to the House committee post, the attack succeeded because Change Healthcare wasn’t using multifactor authentication (MFA), “which is an industry standard practice, to secure one of their most critical systems.”
That’s not the only reason why it still isn’t that hard for attackers to get inside organizations. Sergio Figueroa Santos, staff consultant with the Synopsys Software Integrity Group, noted that ransomware attackers frequently succeed via “a very simple approach: asking.”
“Phishing attacks are a popular way of distributing ransomware encryptors because many victims eagerly click links in emails without verifying the origin or giving it a thought,” he said, adding that “technical entry points traditionally used to deliver malware also remain useful: If there is an open file share, the attacker can deploy the file into the target system, then find another vulnerability to execute it.”
Santos said cryptocurrency has also made it easier for criminals to get paid anonymously. While that method is not entirely secure — law enforcement has been able to track and identify some attackers — the reality remains that “the international availability of a means of payment that is not linked to an actual identity has made it much easier for criminals to receive their payments and much harder for law enforcement to track them,” he said.
But it shouldn’t be this easy for the bad guys. While there is no such thing as perfect security, the ways to drastically diminish the risk of such attacks, and to mitigate them when they happen, are now well established and effective. They include:
- Back up everything: If you have a backup, you can rebuild files without paying for a decryption key from the attackers. But it’s crucial to make sure backups aren’t connected to the network. If they’re accessible through a network that gets breached, they’re obviously worthless — they will be encrypted as well.
Santos said it’s also crucial to rehearse a response to an attack. “Many companies have backup processes in place. Fewer have recovery plans describing what to do with the backups to return to a working state,” he said. “Only a small minority regularly test those backups to ensure that they can, in fact, be relied upon. This makes the recovery process clunky and often unsuccessful.”
- Improve detection and protection: Ransomware has observable patterns that ransomware protection software can detect. It’s crucial to have antiransomware software and to keep it up-to-date.
- Think like attackers: Besides email phishing, other popular intrusion methods include unsecured Remote Desktop Protocol (RDP) endpoints and the exploitation of corporate virtual private network appliances used by remote workers. So organizations should harden those parts of their networks through upgrades and patches, and also require strong passwords and MFA for users.
- Limit plug-ins: They can be an entry point. Either disable them or make sure they are updated regularly.
- Verify before you trust: Make sure file extensions are visible, and open documents only if they come from trusted sources. Don’t let your system download irrelevant documents that may be coming from malicious sources.
- Track your software and maintain it: Keep an inventory of the software components running applications, systems, and networks, and keep them up-to-date. Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open. A Software Bill of Materials can help with that, and ought to be mandatory.
- Train your workers: Most employees want to protect the organization’s assets. But if they fall for a phishing email, reuse passwords, or don’t create complex ones, the best technology in the world can’t overcome those failures. That’s why more than 90% of all attacks on organizations are phishing. So organizations should train workers to avoid clicking any unknown link or attachment, even if it appears to come from a trusted source.
Adam Brown, associate managing consultant with the Synopsys Software Integrity Group, said that “team education, architectural understanding via threat modelling, code and composition analysis, implementation assessments environment are all important domains to address.” He also noted that the annual Building Security In Maturity Model report (better known as the BSIMM) by Synopsys is “a useful document that tracks what firms with mature software security initiatives do — well worth a read to understand where your firm’s software security practices fit in.”
- Limit access: Employ network segregation to limit access, following the principle of least privilege: grant employees only the level of access required to perform their necessary tasks.
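The backup and recovery-testing points above can be turned into a repeatable drill. The following is an added example written for this article, not code from the post, from Synopsys or from any product it names: it hashes a backup set into a manifest, restores the set into a scratch directory and reports which files came back intact, which are corrupt and which are missing. File names and contents are constructed sample data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir: Path) -> dict:
    """Record the SHA-256 of every backed-up file so a later drill can verify them."""
    files = [p for p in backup_dir.rglob("*") if p.is_file() and p.name != "manifest.json"]
    manifest = {str(p.relative_to(backup_dir)): sha256_file(p) for p in files}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def rehearse_restore(backup_dir: Path, scratch_dir: Path) -> dict:
    """Restore into scratch_dir and verify each file against the manifest.
    Returns an ok count plus lists of corrupt and missing files, so the drill is measurable."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    result = {"ok": 0, "corrupt": [], "missing": []}
    for rel, expected in manifest.items():
        src, dst = backup_dir / rel, scratch_dir / rel
        if not src.exists():
            result["missing"].append(rel)
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) == expected:
            result["ok"] += 1
        else:
            result["corrupt"].append(rel)
    return result

def demo() -> dict:
    """Constructed drill: back up three files, then corrupt one and lose one before restoring."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "claims").mkdir(parents=True)
        (backup / "claims" / "2024-02.csv").write_text("claim_id,amount\n1,100\n")
        (backup / "config.ini").write_text("[db]\nhost=db.internal\n")
        (backup / "notes.txt").write_text("restore steps\n")
        write_manifest(backup)
        (backup / "config.ini").write_text("[db]\nhost=TAMPERED\n")  # silent corruption
        (backup / "notes.txt").unlink()  # file lost from the backup set
        return rehearse_restore(backup, Path(tmp) / "scratch")
```

A drill that returns anything other than an empty corrupt and missing list is exactly the failure Santos describes: a backup that exists but cannot be relied upon.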
Those steps make any organization a much more difficult target. But there is no such thing as 100% security. So the dilemma, especially in the healthcare field, is how to respond when an attack does succeed.
Experts, lawmakers, and law enforcement are close to unanimous about making ransom payments. Their message: Don’t — for very good reasons. The FBI website declares that “The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
Indeed, as noted, the Change Healthcare payout was a major incentive to attackers.
Santos agrees, for the same reasons. “Do not pay,” he said. “Paying ransom perpetuates this practice and is illegal in several jurisdictions. Get the system offline and try to rebuild it from the backups.”
But, as attackers well know, healthcare organizations often can’t afford to have services down even for a couple of days — sometimes even for a few hours. It’s not a matter of inconvenience or lost profits. It’s a matter of patients losing care that could affect their lives.
That, regardless of what public statements might be made, is likely the reason that Change Healthcare paid the ransom.
Government intervention?
And that is likely to continue unless government gets involved, according to JAMA. Among other recommendations, the organization called for better data collection and more transparency, contending that 20% of ransomware attacks in the healthcare sector don’t even get reported.
In its Lawfare post, JAMA acknowledges that reducing ransomware attacks and damages is a very heavy lift. “The list of recommended IT best practices for avoiding ransomware attacks is long and expensive. It’s not clear to us whether these recommendations are actionable for the average hospital, let alone most clinics (which represent the plurality of ransomware victims among healthcare providers), given existing IT budgets and workforce challenges.”
Moving the needle in the right direction, JAMA contends, “will require both sticks (requiring minimum cybersecurity standards) and carrots (subsidies and technical assistance). And the approaches will have to be tailored to the healthcare provider at issue: a one-size-fits-all solution is unlikely to fit anyone particularly well.”
Which sounds like it could help. But history indicates the likelihood of it happening is low. Exhortations like that have been made for years. And keep in mind that the JAMA post was written more than a year before the Change Healthcare attack.