< + > Reactions to the Ascension Healthcare Ransomware Attack and Suggestions for Healthcare Organizations

It’s been a bad couple months for cybersecurity in healthcare.  Or maybe it will end up being a good thing.  I remember after the devestation of Hurricane Katrina, we all woke up to the need for better disaster recovery and business continuity.  While it’s amazing to consider two breaches and ransomware incidents the size of Change Healthcare and Ascension could happen so closely together, it’s very clear that healthcare is a target and we need to massively increase our investment in security to show we’ve learned from these experiences.

We reached out to our network of security experts to get their opinions and perpsectives on the Ascension ransomware attack and what healthcare should learn from it.  Here are a few of the responses we got from our community.

Mike Semel, President and Chief Security Officer of Semel Consulting

The Ascension health system data breach can’t be easily separated from the United Healthcare Change Health breach that recently caused a huge financial and medical impact across the healthcare sector and may have breached the personal information for a third of Americans. Because the Ascension breach is still being investigated, very little information has been released, but we know that ambulances are being diverted, putting lives at risk, and medical procedures are being delayed.

Both breaches are just symptoms of a weak regulatory system that has let healthcare providers and health plans get away with failing to adequately protect the personal data of millions of people.

Many think it is unfair to blame the victims but it is often justified. The US Senate heard the weak excuses of the United Healthcare CEO who admitted Change Healthcare had not secured its Citrix systems with multifactor authentication (MFA) even though they had a written policy to do so, and that they failed to notify data breach victims by the HIPAA and state data breach law deadlines.

The answer to this epidemic is to increase enforcement and make the penalties harsh enough to get executives, boards, and investors to care enough to adequately fund cybersecurity and be independently audited to ensure its policies are being followed.

The federal government paid healthcare providers to move from paper records to electronic health record systems. Now Congress needs to act by requiring the implementation of encryption, MFA, and vulnerability management (without exemptions) to protect all health and personal information with stiff enforcement and financial penalties. Executives should be required to attest to their organization’s cybersecurity implementation and be held responsible, as we are seeing in recent financial service and defense contractor regulations.

Legislation should be enacted that gives victims the right to sue even in the absence of demonstrated harm, since there is no way to tell if our personal data exfiltrated from a ransomware attack today will sit on the shelf for years before being weaponized. Cyber insurance should be prohibited from paying fines and lawsuit settlements or awards.

The U.S. Department of Health and Human Services (HHS) should follow what the U.S. Department of Defense is doing with its CMMC program that will require independent cybersecurity assessments of large and small defense contractors that work with sensitive information. The penalty will be disqualification from bidding on defense contracts without a certification. Health data should be protected by a similar assessment requirement for health plans and providers to receive federal funds.

The U.S. Department of Justice should step up enforcement of the False Claims Act against medical providers who accept Medicare and Medicaid payments but fail to implement a reasonable level of cybersecurity. The HHS Office for Civil Rights is no longer feared because of its inability or unwillingness to issue painful penalties against providers who know they can get away with saving money on cybersecurity – patients be damned.

Obviously, the weak regulations and lack of enforcement has enabled the success of hackers.

Ryan Witt, Vice President, Industry Solutions at Proofpoint, Inc.

Healthcare firms have long been targets for cyber criminals. They handle data like protected health information (PHI), intellectual property (IP), clinical trial data and payment card data, giving attackers many options to cash in, and healthcare is a critical infrastructure industry that can be hardest hit by ransomware attacks. The healthcare industry is more vulnerable because of the high-value nature of its data compared to data from other industries (PHI is thought to be worth 50x a credit card). Healthcare also stores a disproportionally large amount of data and often must keep that data often for long periods of time, increasing the size of the attack surface. The industry also has many third-party workers and a significant number of remote workers (both of whom often use employee-owned devices) which complicates the attack vector. Lastly, most healthcare IT expenditure over the last ten years has been focused on digitizing patient records, and investment in cybersecurity capability has lagged other industries. Threat actors know healthcare is a prime target for extortion and target them accordingly.

All organizations, including those in critical infrastructure industries such as healthcare, need to consider a three-pronged approach to protecting sensitive data: monitoring user behavior, looking at content accessed by users, and applying additional controls to the most highly targeted users—for example, those with privileged access. Healthcare has made significant strides in better protecting the industry, in part because hospital executives increasingly see cybersecurity as a core component of patient care. According to our 2023 Cyber Insecurity in Healthcare report, 54% of surveyed healthcare IT security practitioners said their organization suffered a ransomware attack, up from 41% in 2022.

It is encouraging to see investments being made to secure medical systems and equipment needed for patient care. But this approach is not enough in today’s digital world. Organizations must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.

Nick Brigmon, Security Operations and Support Manager at Blumira

The recent cyberattack affecting hospitals across the US is a critical reminder for healthcare organizations to prioritize cybersecurity measures to safeguard their systems and patient data. But the road to implementing comprehensive cybersecurity measures can feel daunting, given cost and time investments and lack of cybersecurity expertise.

Healthcare organizations looking for guidance on where to start can consider taking the following four steps:

1. Update systems with the latest security patches and software versions to mitigate vulnerabilities. Implementing multi-factor authentication (MFA) and robust password policies can add an extra layer of security against unauthorized access.
2. Review the organization’s IT infrastructure to identify risks and vulnerabilities. This assessment should cover networks, systems, applications and data repositories. Consider partnering with a cybersecurity consultant to support this process, as they will be able to compare current security measures against industry standards and best practices.
3. Conduct cybersecurity training for employees. Doing so raises awareness about phishing scams and other common attack vectors.
4. Research and invest in advanced threat detection and response software. Prioritize a solution designed for your industry and ones that don’t require extensive cybersecurity expertise to manage. Look for a solution that provides real-time detection and automated response to contain threats faster, reducing the risk of ransomware infection across your network.

Dan Lohrmann, CISO at Presidio

The scale of the Ascension cyberattack is staggering, with 140 hospitals across 19 U.S. states impacted by the ransomware attack, including disruptions to services as well as access to electronic health records being cut off. Many stories about hospitals being unable to provide rapid care to patients experiencing medical emergencies and longs delays for others are simply heart-wrenching to hear.

Doctors and nurses needing to go back to pen and paper to have data to conduct medical procedures demonstrates that the operational resiliency strategies and /or business continuity plans (BCP) that were in place by Ascension were not satisfactory.

The American Hospital Association (AHA), The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center released a joint cybersecurity advisory on May 10 to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the health care and public health sector.

Some of the steps that healthcare organizations should be following to protect their data include:

1. Stay informed by monitoring updates from reliable sources like Health Information Sharing & Analysis Center (HISAC) at https://h-isac.org/ .
2. Maintain personal health records for accessibility during system downtime.
3. Prepare for emergencies by knowing alternative care facilities and routes.
4. Practice strong cybersecurity with unique passwords and two-factor authentication.
5. Be vigilant against phishing attempts and install antivirus protection and monitoring on all devices.
6. Have a tested, robust incident response plan that includes scenarios that have been recently used against health organizations.

Following the Ascension security incident, affected individuals should monitor any related medical accounts and change passwords – especially if directed by the health organization. To prepare for wide cyberattacks, everyone should consider enabling two-factor authentication, updating security software, beware of phishing, educate themselves on cybersecurity, back up data, report suspicious activity, and stay informed about developments and recommendations from authorities or affected organizations.

Al Yang, CEO and Co-founder at SafeBase

With the increase in data breaches and cybersecurity threats, businesses today are more security-focused and risk-averse than ever before. In the aftermath of the attack, it was confirmed that Ascension’s incident response plan included proper vendor notification processes. But the goal is to never have to get to that point.

It’s critical that we instill a more transparent ecosystem where organizations can seamlessly communicate their security and trust posture for more collectively secure partnerships. The attack on Ascension is the latest example that highlights the need for companies to have proper security protocols and systems in place as compromising the information of one company often means that many other companies were or are at risk, as well.

Bill Murphy, Director of Security & Compliance at LeanTaaS

One of the key vulnerabilities in healthcare systems is the human factor. Healthcare workers, from doctors and nurses to administrative staff, are often overwhelmed with critical patient care responsibilities and day-to-day operations. When they finally have a chance to check their emails, they are frequently multitasking or rushing between meetings and discussions with colleagues. This lack of focused attention makes healthcare workers susceptible to phishing attacks, which are a common entry point for cybercriminals to gain access to credentials and systems.  In cybersecurity, speed kills.  Cybercriminals also exploit our human desire to be helpful.  They target help desks through social engineering tactics. Help desk staff can inadvertently fall victim to carefully crafted pretexts and impersonation attempts, leading to the disclosure of sensitive information or the granting of unauthorized access.

One of hospital IT’s traditional concerns – hospital data stored in a vendor’s data center – can be a source of relief in a ransomware attack.  When a hospital’s Electronic Health Record (EHR) system is compromised or inaccessible, the vendor’s systems may contain the sole accessible records of upcoming patient appointments, procedures, and other critical healthcare activities. Vendors should be ready to assist with data extracts when a hospital comes calling and hospital IT should leverage these relationships.

David Stapleton, VP, Chief Information Security Officer (CISO) at ProcessUnity

The impact of the attack resulted in Ascension’s electronic health record (EHR) and MyChart systems being taken offline. This has caused cancellations and delays for some patients and emergency medical care has had to be redirected to other facilities. This underscores the direct and significant impact cyber attacks can have on human health and livelihoods. So often we think of corporations as the victims of cyber attacks, but this incident reminds us that there are tangible repercussions for real people.

Ascension’s proactive approach to cybersecurity is evident in their identification of “unusual activity” within their network, highlighting the importance of behavioral or heuristic-based anomaly monitoring. I appreciate the thoughtful, detailed, but user friendly update page that Ascension put in place. This is a good way to control messaging and provide information to potential victims and interested parties. It is also admirable that during the ongoing incident, Ascension has prioritized sharing threat information with organizations like CISA and H-ISAC, demonstrating their commitment to aiding other potential victims. While Ascension has not confirmed any compromised patient data, if Black Basta accessed their EHR, then we may be hearing about a massive breach of highly sensitive personal health data as the investigation progresses.

The threat actor behind the Ascension breach, Black Basta, is a Russia-backed ransomware-as-a-service group known for exploiting known vulnerabilities and executing spear phishing attacks to gain initial access into target systems. To combat such threats, organizations must prioritize patching systems, implementing strong multi-factor authentication (MFA) or passwordless authentication, and train their employees to identify and report phishing messages. Additionally, healthcare providers should receive regular disaster recovery training to revert to paper processes when electronic systems are unavailable, and it appears that Ascension was well prepared in this regard.

Sid Singh, CEO at Rectangle Health

It has been deeply distressing to witness the disruption of care operations and delivery, as these incidents harm patient trust, tarnish the practice’s reputation, result in significant financial losses, and burden staff with additional manual administrative tasks as they manage the fallout.

Recent incidents highlight how cyberattacks often stem from fundamental lapses in compliance protocols. It is imperative for healthcare organizations to remain vigilant in maintaining the latest cybersecurity measures and compliance policies. Equally crucial is the clear and comprehensive education of staff regarding these protocols to mitigate any confusion. Taking proactive steps will provide practices of all sizes with the strongest defense against malicious disruptions, safeguarding patients, data, and staff.

Christopher Budd, Director, Threat Research at Sophos

These continued cyber attacks against healthcare organizations have devastating implications for patients across the United States – but we can’t be surprised that it keeps happening. Healthcare organizations are major targets for cybercriminals precisely because adversaries know how important their operations are and how valuable their data is. According to Sophos’ recent State of Ransomware report, 67% of healthcare organizations surveyed globally were hit by ransomware in 2023.

Just two months ago, Change Healthcare was the victim, leaving its patients severely at risk and the company owing nearly $900 million. These attacks will keep annihilating businesses until we take steps as an industry to combat the problem, which is what many of us are discussing here at RSA Conference this week.

Gerasim Hovannisyan, CEO at EasyDMARC

The recent cyberattack on Ascension adds to a concerning pattern of breaches impacting significant US healthcare providers. It highlights the critical need for organizations to prioritize having a robust cyber incident response plan in place, especially those classified as critical infrastructure, like hospitals.

While the healthcare provider has taken swift action by alerting authorities, seeking expert cybersecurity assistance, and shutting down systems, the fallout will likely be substantial. Losses may range from operational disruptions to potential ransom payments and an irreversible erosion of customer trust, depending on the nature of any sensitive data that may have been accessed.

Sadly, this scenario is all too familiar, necessitating a proactive shift towards prevention. Healthcare institutions must invest in comprehensive cybersecurity solutions and staff training to proactively detect and thwart potential threats, safeguarding infrastructure resilience against future disruptive and potentially life-threatening attacks.

Given the healthcare sector’s attractiveness to cybercriminals due to its valuable data, the frequency of such attacks is likely to rise. As a result, it’s imperative to elevate cybersecurity as a priority and take concerted action to reverse this troubling trend.

Thanks to all the experts that shared their insights and perspectives with the community.  What do you think?  What are the lessons learned?  What actions should healthcare organizations be taking?  Let us know in the comments or on social media.