Hackers Target Healthcare

Brought to you by CYRIN

As reported in The Washington Post and other major news outlets, on February 21, 2024, there was a catastrophic attack on the nation’s largest medical claims clearinghouse, Change Healthcare, which is owned by UnitedHealthcare Group. Change Healthcare was infiltrated and taken down by cybercriminals affiliated with hacker collective AlphV. Some of the same AlphV attackers are credited with the 2021 attack on the Colonial gas pipeline system.

Such a serious breach has dangerous implications for the healthcare industry and has reinvigorated conversations in the private sector and government on how to best protect sensitive medical information.

UnitedHealthcare Group is the nation’s largest private health insurer and largest employer of physicians. For decades, UnitedHealth’s staggering growth attracted relatively little Washington scrutiny, but the recent hack changed all that. According to The Washington Post, “Change Healthcare is a juggernaut in the health-care world, processing 15 billion claims totaling more than $1.5 trillion a year. It operates the largest electronic ‘clearinghouse’ in the business, acting as a pipeline that connects health-care providers with insurance companies who pay for their services and determine what patients owe.”

According to Jeff Goldsmith, an industry analyst, “It does not make sense to have a third of the health system’s payments going through one company’s pipes, as that becomes a national security problem.” Goldsmith estimates that more than 5 percent of U.S. gross domestic product flows through the company’s systems. In this case, hackers “used compromised credentials” to access Change Healthcare on Feb. 12 and reportedly spent the next nine days moving within Change Healthcare’s systems and stealing sensitive data linked to tens of millions of patients nationwide. Analysts estimated that doctors, hospitals and other providers were collectively losing as much as $1 billion a day.

Health care hacks are costly and potentially deadly. Studies have shown that hospital mortality rises in the aftermath of an attack. According to Steve Cagle, chief executive of Clearwater, a health care compliance firm, “Cybersecurity has become a patient safety issue.” As noted in the same NY Times article, attacks have cascading effects. For example, doctors are unable to look up past medical care, communicate notes to colleagues or check patient allergies and specific prescription protocols. Scheduled surgeries are canceled, and ambulances are sometimes rerouted to other hospitals even in emergencies because the cyberattack has disrupted electronic communications, medical records, and other systems. Research suggests that hacks have other cascading effects, lowering the quality of care at nearby hospitals forced to take on additional patients.

Why Is The Healthcare System So Vulnerable?

The cyberattack on Change Healthcare revealed the growing vulnerabilities that exist within the U.S. health care system. The massive ransom paid to retrieve the information, in addition to the leak of patient records, has alerted industry leaders and policymakers to the urgent need for better digital security. Hospitals, health insurers, physician clinics and others in the industry have increasingly been the targets of significant hacks, which are expensive and dangerous. Multiple media sources have reported that UnitedHealth paid $22 million in the form of bitcoin.

Cybercriminals target healthcare systems because it is easy and valuable to do so, and because the data and information have real, long-standing value, with the potential to disrupt and even destroy lives. For example, medical records can command multiple times the amount of money that a stolen credit card does. Unlike a credit card, which can be quickly canceled, a person’s medical information cannot be changed. Speaking to the NY Times, John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, a trade group, said, “We can’t cancel your diagnosis and send you a new one.” But he also said the records had value “because it’s easy to commit health care fraud.” Health insurers, unlike banks, often don’t employ elaborate methods to detect fraud, making it easy to submit false claims.

According to Geetha Thamilarasu, an associate professor of computing and software systems at the University of Washington, Bothell, patients’ health information is worth a lot of money to hackers. Once someone gets hold of a stolen medical record, they can buy fake prescriptions, file bogus insurance claims, participate in identity theft and sell it online, among other things, she said. “There is a huge underground market on the dark web,” said Thamilarasu, who specializes in health care security. “Research shows that if a compromised credit card sells for about $1 to $5 each, a compromised medical record can sell anywhere from $400 to $500 — sometimes even $1,000.”

According to Thamilarasu and other industry analysts, health care organizations, like many others, have spent the last decade moving toward total digitization, creating some new risks. “Health records are no longer paper,” Thamilarasu said. “While having digital technologies is often great and provides more convenience, it also opens them up to these security vulnerabilities. I think this is becoming more of a problem in health care than any other institution.”

Last year (2023), HHS reported the highest numbers ever for both major health data hacks (725) and people impacted by those hacks (133 million). Those numbers eclipsed the previous record in 2015 when hackers targeted the health insurance giant Anthem.

Response To The Threat

Cybersecurity consultants and government officials have consistently identified health care as the sector of the U.S. economy most susceptible to attacks, and as much a part of the nation’s critical infrastructure as energy and water.

Experts say applying minimum cybersecurity standards to the health care industry is possible, but complicated. The regulatory framework for healthcare is also old and fragmented. Even as attacks on health care facilities have exploded in recent years, it can be hard for small and medium-sized health care entities to spend significant sums on cybersecurity. Costs for personnel and equipment, along with day-to-day expenses, can limit investments in cybersecurity. Some have argued for a new regulatory entity to enforce standards for health technology stakeholders or financial support to invest in cybersecurity personnel and technology.

Alarmed by the scope and depth of the recent UnitedHealthcare attack, lawmakers and regulators are beginning to frame UnitedHealth’s sweeping operations as an economic and national security concern. The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care sector’s security posture.

A bill proposed by Sen. Mark Warner, D-VA, co-chair of the Senate Cybersecurity Caucus, would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards. Under Warner’s bill, health care providers could be eligible for advanced payments through the Centers for Medicare & Medicaid Services (CMS) if they met so-far undetermined minimum cybersecurity standards established by the secretary of the Department of Health and Human Services. If a provider’s intermediary was the target of the incident, that intermediary would also have to have met those standards, according to the legislation.

Push Toward Cyber Safety

The safety of medical information is top of mind for everyone in the cybersecurity industry, but the industry has been slow to adopt strict cybersecurity standards. However, recent cyberattacks have sparked a renewed push among many health care organizations to bolster protections.


How Can CYRIN Help

It’s clear that minimum requirements and best practices will become more and more incorporated into the healthcare environment. However, all solutions will need training as a central element to recovery. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.

At CYRIN we continue to work with our industry partners to address major challenges, including incident response, ransomware, and phishing, and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

In an increasingly digitized world, training, and experiential training in particular, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!


