Hackers Target Healthcare

Brought to you by CYRIN

As reported in The Washington Post and other major news outlets, on February 21, 2024, there was a catastrophic attack on the nation’s largest medical claims clearinghouse, Change Healthcare, which is owned by UnitedHealthcare Group. Change Healthcare was infiltrated and taken down by cybercriminals affiliated with hacker collective AlphV. Some of the same AlphV attackers are credited with the 2021 attack on the Colonial gas pipeline system.

Such a serious breach has dangerous implications for the healthcare industry and has reinvigorated conversations in the private sector and government on how to best protect sensitive medical information.

UnitedHealthcare Group is the nation’s largest private health insurer and largest employer of physicians. For decades, UnitedHealth’s staggering growth attracted relatively little Washington scrutiny, but the recent hack changed all that. According to The Washington Post, “Change Healthcare is a juggernaut in the health-care world, processing 15 billion claims totaling more than $1.5 trillion a year. It operates the largest electronic “clearinghouse” in the business, acting as a pipeline that connects health-care providers with insurance companies who pay for their services and determine what patients owe.

According to Jeff Goldsmith, an industry analyst, “It does not make sense to have a third of the health system’s payments going through one company’s pipes, as that becomes a national security problem.” Goldsmith estimates that more than 5 percent of U.S. gross domestic product flows through the company’s systems. In this case, hackers “used compromised credentials” to access Change Healthcare on Feb. 12 and reportedly spent the next nine days moving within Change Healthcare’s systems and stealing sensitive data linked to tens of millions of patients nationwide. Analysts estimated that doctors, hospitals and other providers were collectively losing as much as $1 billion a day.

Health care hacks are costly and potentially deadly. Studies have shown that hospital mortality rises in the aftermath of an attack. According to Steve Cagle, chief executive of Clearwater, a health care compliance firm, “Cybersecurity has become a patient safety issue.” As noted in the same NY Times article, attacks have cascading effects. For example, doctors are unable to look up past medical care, communicate notes to colleagues or check patient allergies and specific prescription protocols. Scheduled surgeries are canceled, and ambulances are sometimes rerouted to other hospitals even in emergencies because the cyberattack has disrupted electronic communications, medical records, and other systems. Research suggests that hacks have other cascading effects, lowering the quality of care at nearby hospitals forced to take on additional patients.

Why Is The Healthcare System So Vulnerable?

The cyberattack on Change Healthcare revealed the growing vulnerabilities that exist within the U.S. health care system. The massive ransom paid to retrieve the information, in addition to the leak of patient records, has alerted industry leaders and policymakers about the urgent need for better digital security. Hospitals, health insurers, physician clinics and others in the industry have increasingly been the targets of significant hacks, which is expensive and dangerous. Multiple media sources have reported that UnitedHealth paid $22 million in the form of bitcoin.

Cybercriminals target healthcare systems because it’s easy, valuable, and the data and information have real, long-standing value with the potential to disrupt and even destroy lives. For example, medical records can command multiple times the amount of money that a stolen credit card does. Unlike a credit card, which can be quickly canceled, a person’s medical information cannot be changed. Speaking to the NY Times, John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, a trade group, said, “We can’t cancel your diagnosis and send you a new one.” But he also said the records had value “because it’s easy to commit health care fraud.” Health insurers, unlike banks, often don’t employ elaborate methods to detect fraud, making it easy to submit false claims.

According to Geetha Thamilarasu, an associate professor of computing and software systems at the University of Washington, Bothell, patients’ health information is worth a lot of money to hackers. Once someone gets hold of a stolen medical record, they can buy fake prescriptions, file bogus insurance claims, participate in identity theft and sell it online, among other things, she said. “There is a huge underground market on the dark web,” said Thamilarasu, who specializes in health care security. “Research shows that if a compromised credit card sells for about $1 to $5 each, a compromised medical record can sell anywhere from $400 to $500 — sometimes even $1,000.”

According to Thamilarasu and other industry analysts, health care organizations, like many others, have spent the last decade moving toward total digitization, creating some new risks. “Health records are no longer paper,” Thamilarasu said. “While having digital technologies is often great and provides more convenience, it also opens them up to these security vulnerabilities. I think this is becoming more of a problem in health care than any other institution.”

Last year (2023), HHS reported the highest number ever of major health data hacks: 725, and people impacted by those hacks: 133 million. Those numbers eclipsed the previous record in 2015 when hackers targeted the health insurance giant Anthem.

Response To The Threat

Cybersecurity consultants and government officials have consistently identified health care as the sector of the U.S. economy most susceptible to attacks, and as much a part of the nation’s critical infrastructure as energy and water.

Experts say applying minimum cybersecurity standards to the health care industry is possible, but complicated. The regulatory framework for healthcare is also old and fragmented. Even as attacks on health care facilities have exploded in recent years, it can be hard for small and medium-sized health care entities to spend significant sums on cybersecurity. Costs for personnel and equipment, along with day-to-day expenses, can limit investments in cybersecurity. Some have argued for a new regulatory entity to enforce standards for health technology stakeholders or financial support to invest in cybersecurity personnel and technology.

Alarmed by the scope and depth of the recent UnitedHealthcare attack, lawmakers and regulators are beginning to frame UnitedHealth’s sweeping operations as an economic and national security concern. The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care sector’s security posture.

A bill proposed by Sen. Mark Warner, D-VA, co-chair of the Senate Cybersecurity Caucus, would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards. Under Warner’s bill, health care providers could be eligible for advanced payments through the Centers for Medicare & Medicaid Services (CMS) if they met so-far undetermined minimum cybersecurity standards established by the secretary of the Department of Health and Human Services. If a provider’s intermediary was the target of the incident, that intermediary would also have to have met those standards, according to the legislation.

Push Toward Cyber Safety

The safety of medical information is top of mind for everyone in the cybersecurity industry, but the industry has been slow to adopt strict cybersecurity standards. However, recent cyberattacks have sparked a renewed push among many health care organizations to bolster protections.


How Can CYRIN Help

It’s clear that minimum requirements and best practices will become more and more incorporated into the healthcare environment. However, all solutions will need training as a central element to recovery. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.

At CYRIN we continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

In an increasingly digitized world, training, and experiential training is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!



You Might Also Read: 

Focus On Education With CYRIN Cyber Range:                                                          _______________________________________________________________________________________

If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« London Hospitals Held To Ransom
The Cybersecurity Risks Of Generative AI »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Dome9

Dome9

Dome9 is a cloud firewall management service that stops vulnerabilities, secures remote access, and centralizes policy management.

F-Response

F-Response

F-Response is a software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tools of choice.

CERT Polska

CERT Polska

CERT Polska is the first Polish computer emergency response team and operates within the structures of NASK (Research and Academic Computer Network) research institute.

Ionic Security

Ionic Security

Ionic provide a high-assurance data protection and control platform built on strong encryption, fine-grain control and contextual analytics.

LRQA Nettitude

LRQA Nettitude

LRQA Nettitude is an award-winning global provider of cybersecurity services, bringing innovative thought leadership to the ever-evolving cybersecurity marketplace.

AppViewX

AppViewX

AppViewX is a global leader in the management, automation and orchestration of network services in data centers.

Komodo Consulting (KomodoSec)

Komodo Consulting (KomodoSec)

Komodo Consulting specializes in Penetration Testing and Red-Team Excercises, Cyber Threat Intelligence, Incident Response and Application Security.

Honeynet Project

Honeynet Project

The Honeynet Project is a leading international non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools.

SEC Consult

SEC Consult

SEC Consult is a leading European consultancy for application security services and information security.

UM Labs

UM Labs

UM Labs is a developer of security products for Voice over IP (VoIP), protecting SIP trunk connections, safeguarding mobile phone communications and enabling BYOD.

Joint Accreditation System of Australia and New Zealand (JASANZ)

Joint Accreditation System of Australia and New Zealand (JASANZ)

JASANZ is the joint national accreditation body for Australia and New Zealand. The directory of members provides details of organisations offering certification services for ISO 27001.

WebSec B.V.

WebSec B.V.

WebSec is a Dutch Cybersecurity firm mainly focused on offensive security services such as pentesting, red teaming and security awareness and phishing campaigns.

Future Technology Systems Company (FutureTEC)

Future Technology Systems Company (FutureTEC)

FutureTEC is a leading Information Technology Solutions Provider, delivering world-class Information Security, Information Management, and Business Solutions.

Altospam

Altospam

Altospam is a full service corporate email protection, integrating multiple security levels for your emails.

CyberSanctus

CyberSanctus

CyberSanctus provide clients with a variety of pentest plans from the entry level starter plan, which is tailored for personal websites, to enterprise level pentests, tailored for large scale business

Capzul

Capzul

Capzul are transforming the network security landscape with a new approach; creating virtually impenetrable networks, precluding cybercriminal attacks on your network ecosystem.