After years of ransomware attacks, healthcare defenses are still failing

Federal officials and industry executives have known for years that the U.S. health care system was one of the critical industries most vulnerable to hacking, but it failed to make the improvements that could have stopped attacks like the one that has crippled pharmacies and other medical providers for three weeks.

The danger was evident in 2021, when ransomware gangs hit hospitals already overwhelmed by the covid-19 pandemic, forcing some to divert incoming emergency patients to other facilities and potentially contributing to fatal delays in treatment.

But with private-sector lobbyists opposed to new security requirements, Congress and the regulatory wheels have moved slowly, mostly promoting best practices that hospitals can and do choose to ignore.

Relatively unknown electronic clearinghouses can be hit as well, among them UnitedHealth Group's Change Healthcare, which was the target of an attack launched last month by a hacker affiliated with the ALPHV ransomware gang. The attack severed a key link between medical providers and their patients' insurance companies in the worst healthcare hack ever reported. Change Healthcare said Monday it had provided $2 billion in advances to pharmacies, hospitals and other providers that were unable to get insurance reimbursements while its network was down.

Critics say the Change Healthcare fiasco, which has hurt patient care in nearly three-quarters of American hospitals, shows that defensive efforts are woefully inadequate. They say a comprehensive response would include strict security requirements for the most critical parts of the expanding system, followed by less stringent but still sufficient rules for large hospital systems. Smaller providers, which may have no security staff at all, should get help, as called for in the administration's budget proposal.

"We need to make sure we know where those vulnerabilities are," Nitin Natarajan, deputy director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, acknowledged in an interview. "We're looking at what levers exist."

Some members of Congress say that should have happened by now.

"The government must prevent this type of devastating hack from happening again and again," Sen. Ron Wyden (D-Ore.) told The Washington Post. "I want to work with the Biden administration to ensure that specific and mandatory cybersecurity rules are in place as soon as possible and to ensure that CEOs are held accountable."

Deputy national security adviser Anne Neuberger said the White House is examining what laws it can use to impose such standards on a reluctant industry, while telling executives they are expected to comply with the voluntary guidelines immediately.

"The Hill has not passed any legislation that would provide authorities to require minimum standards, so we have been using industry emergency authorities or regulations," Neuberger told The Post on Monday.

She said some requirements are coming soon for providers that accept Medicare and Medicaid.

The American Hospital Association said it supports voluntary cybersecurity goals aimed at defending against more common attacks, such as phishing emails. But the organization criticized mandatory measures like those proposed by the Biden administration, saying they would penalize hospitals that fail to meet certain standards, even when most of the risk comes from third-party technologies.

"The AHA cannot support proposed mandatory cybersecurity requirements imposed on hospitals as if they were to blame for the success of hackers in perpetrating a crime," the association wrote in a letter to the Finance Committee of the Chamber last week.

Last year, more healthcare industry targets reported ransomware attacks to the FBI’s Internet Crime Complaint Center than any other of the 16 critical infrastructure sectors, according to the annual summary released this month.

Industry resistance to mandatory security standards was only part of the problem, experts said.

"Hospitals are prey because it's easy money," said Greg Garcia, executive director of a healthcare industry cybersecurity group and former assistant secretary of homeland security. "If the choice is to pay the ransom and save a life, or not pay the ransom and risk losing a life or going out of business if it's a small system, it's a no-brainer for the hacker."

Asked why the industry hasn't prepared better, Natarajan said the complexity of the industry is part of it.

A single medical service can involve countless participating doctors and hospitals, insurance companies, drugmakers, pharmacies and platforms like Change Healthcare, all connected electronically. That makes each piece, with its own technology and priorities, a potential gateway to the entire medical universe.

So when hackers break into providers or others, encrypting health and billing records and demanding money to unlock them, they can also reach adjacent targets.

More than half of all healthcare attacks occur through third parties, according to Garcia, whose organization is the Health Sector Coordinating Council's Cybersecurity Working Group.

The complexity is compounded by separate regulators for many parts of the health economy, some of which propose different security guidelines, or none at all. The largest authority, the Department of Health and Human Services, enforces rules to protect sensitive health data and is investigating Change Healthcare's breach.

An HHS spokeswoman, Samira Burns, said the department could not discuss the investigation. But she pointed to a December concept paper in which HHS said that beyond voluntary security goals for providers, it was working with Congress to develop support and incentives for the nation's hospitals to improve cybersecurity, increasing accountability within the health care sector and improving coordination through a one-stop shop.

CISA named healthcare last year as one of its top priorities for technology security, along with water, public schools and election systems. The agency offers free vulnerability assessments and training and was able to warn about 100 healthcare providers over the past year that their systems were under attack before it was too late.

A key question is whether a ransom must be paid to unlock systems after hackers have taken control of them.

In a statement, the White House said it "strongly discourages the payment of ransoms, to stop the flow of funds to these criminals and discourage their attacks."

But many cyber insurance companies suggest paying if no data backups are available.

When healthcare providers don't pay, the results can be catastrophic. Change Healthcare's parent company, UnitedHealth Group, has not denied reports that it waited two weeks before sending $22 million to the Russian-speaking ransomware gang ALPHV.

In this case, most of the damage involved other organizations that relied on Change Healthcare, as well as patients who found they couldn’t get life-saving drugs without paying the same price as someone without insurance.

UnitedHealth Group said Monday it had restored Change Healthcare's platform for electronic payments and what it said was 99 percent of its pharmacy network services, as it began rolling out software for healthcare providers to submit medical claims for reimbursement.

Consumers and pharmacies still reported ongoing impacts, such as not being able to apply coupons that many use to pay for medications. The timeline for restoring the ability to file medical claims is unclear, some doctors said.

There was also serious collateral damage after a major attack on the Scripps hospital network in San Diego in 2021, according to a May article in the American Medical Association's JAMA Network Open. Scripps did not pay the ransom, according to reports at the time. The study found that the time patients lost to being diverted to other emergency rooms doubled in the first days after the attack.

Inside Scripps Hospitals, critical equipment was not working, a doctor told The Washington Post, including electronic patient records. Some younger doctors who had never used paper charts before simply went home.

"We had to count on the patient to tell us what medications they were taking, what surgeries they'd had, if they remembered," the doctor said. "We surely made mistakes."

Some security industry veterans who had seen a series of medical industry data breaches before covid-19 foresaw the rise in ransomware that would follow and formed a group of volunteers to help in March 2020. Called the Cyber Threat Intelligence League, they scanned hospital networks from afar, looking for vulnerabilities and alerting facilities that were at risk.

Members also advised hospitals that were already under attack and in bad shape.

"Personally, I have no doubt that lives were lost," said Marc Rogers, co-founder of the CTI League. "When you talk to a hospital first thing in the morning and they have no way to access patients' medical records or use more advanced systems, you know it's going to cost lives."

In many cases, hospitals were wary of taking tips from strangers, even when CISA or the FBI endorsed them, Rogers recalled. Smaller hospitals often lacked ties to the industry's nonprofit security information-sharing group. Through trial and error, the league found that the best way to relay tips and solutions was often through equipment and software vendors who already had a technical contact at the facility.

The league's biggest successes were the few times it found a critical software flaw in a hospital, confirmed that ransomware hackers were exploiting the same flaw elsewhere, and explained the situation to the hospital in time to catch the hackers on its systems before they encrypted them. CISA now uses the same approach.

Rogers, a former security executive at Internet security firm Cloudflare, said more collaboration and better guidelines from federal agencies are only part of the answer. What hasn’t changed is the fact that many hospitals are small, not-for-profit entities with no one to set up even minimal controls over online access, such as multi-factor authentication, rather than passwords alone.

"None of this takes into account the lack of funding to do these things," Rogers said. "These hospitals are still under-resourced. If you go to a rural hospital, you'd be lucky to find any cybersecurity expertise."

The government's approach so far, he added, means "you're giving them a list of things to do, but you're not giving them the means to do it."

Daniel Gilbert contributed to this report.
