It was a rough year for cybersecurity in the healthcare industry. Providers remain attractive targets because of relatively limited security budgets, low tolerance for downtime, valuable patient data, and insufficient monitoring of a fast-growing population of Internet of Medical Things (IoMT) devices and other network-connected equipment.
Ideally, absorbing the lessons of these attacks lets healthcare delivery organizations move faster: faster to put protections in place that make them harder targets, and faster to respond when attacks do arrive. Time will tell whether that happens, but here are three incidents from the past year that every provider should understand.
Lesson #1: Ascension Healthcare and multi-layer access protections
In May 2024, Ascension Healthcare suffered a ransomware attack perpetrated by the Black Basta gang. Ascension is the largest nonprofit Catholic health system in the United States, with 2,600 healthcare facilities, 142 hospitals, and 90 skilled nursing facilities across 19 states.
The attack cut off access to the organization's electronic health record (EHR) system and locked patients out of the patient portal, causing major operational disruption and forcing facilities to divert patients elsewhere for care. The disruption lasted for weeks, and the work of entering the records created while the system was down into the EHR is still underway.
The incident was traced to a spearphishing attack on a single device. From that foothold the attackers escalated their privileges over a period of weeks before finally deploying ransomware encryption and exfiltrating patient health data.
The lesson is layered access control combined with monitoring for anomalous behavior. With multiple independent layers limiting what any one device and account can reach, a single phished endpoint would not have yielded the foothold the attackers gained; bypassing one layer should never unlock everything. And because the escalation played out over weeks rather than hours, monitoring that flags unusual logons, privilege changes and movement between hosts could have surfaced the activity with time to spare for Ascension's security team to stop the attack in its tracks.
Lesson #2: Change Healthcare and supply chain risk
In February 2024, Change Healthcare was hit by a ransomware attack from the BlackCat/ALPHV gang, causing major service interruptions, an unprecedented impact on healthcare providers, and one of the largest data breaches on record in any industry.
Change Healthcare processes about one-third of all U.S. healthcare insurance transactions; in 2023 it handled more than 15 billion transactions and $1.5 trillion in collected revenue. The attack left Change's customers unable to get reimbursed or make payroll, and many facilities suddenly struggled to keep caring for patients. At the same time, roughly a third of all patients in the U.S. likely had their data exposed.
Frustratingly, this massive attack could have been prevented had Change required multi-factor authentication on a critical remote access service; a single set of compromised credentials was enough to get in. The takeaways for healthcare organizations are twofold. First, have a plan ready for the day a crucial link in the supply chain is compromised: know which vendors sit in the critical path for claims, payroll and patient care, and how operations continue without them. Second, keep even seemingly basic security in good working order: multi-factor authentication on every remote access path, access controls guided by the principle of least privilege, and other simple safeguards, so that exposing one set of credentials cannot cripple a business.
Lesson #3: Synnovis and zero-day vulnerabilities
In June 2024, the Qilin ransomware gang attacked London-based pathology services provider Synnovis, a partnership between two London hospital trusts and SYNLAB. The attack forced Synnovis to destroy 20,000 blood samples and interrupted the hospitals' ability to perform blood transfusions, which in turn forced the cancellation of cancer-related surgeries. In total, the attack has required rescheduling 1,130 operations and 2,190 outpatient appointments.
According to the Qilin gang, which claimed responsibility, the intrusion began with a zero-day vulnerability. The gang did not say which product or vulnerability was involved, and the claim is unverified; it is also possible the gang discovered or purchased a zero-day of its own. Either way, healthcare organizations are by no means helpless against such threats. Even when a patch or workaround for a zero-day takes time to arrive, an exploit attempt is rarely silent: the process, network and authentication behavior that follows it can be detected. IT and security teams should deploy anomalous behavior detection, and they need an accurate inventory of every device on the network, a realistic per-device assessment of what a given vulnerability would mean, and the ability to apply vendor updates or virtual patches (compensating controls, such as network-level filtering in front of a device that cannot yet be patched) to reduce that risk.
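Both Lesson #1 (an account escalating privileges over weeks from one phished endpoint) and Lesson #3 (detecting the behavior that follows an exploit when no signature exists yet) come down to the same mechanism: learn what normal looks like for each account, then alert on departures from it. The Python below is an added illustration of that mechanism, not code from the article or from any of the organizations it discusses. The log format (timestamp, user, source host, event), the user and host names, the two sample logs and the thresholds are all constructed for the example; a real deployment would read Windows security events or EHR audit logs instead.

```python
"""
Baseline-driven anomaly detection over constructed authentication events.

Added example, not code from the article. The log format, user and host
names, sample events and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known-clean" period: one clinician, one workstation, office hours.
BASELINE_LOG = """\
2024-04-01T08:05:00 jdoe WS-0417 logon
2024-04-01T08:07:00 jdoe WS-0417 logon
2024-04-02T08:10:00 jdoe WS-0417 logon
2024-04-03T09:02:00 jdoe WS-0417 logon
2024-04-03T17:45:00 jdoe WS-0417 logon
2024-04-04T08:15:00 jdoe WS-0417 logon
"""

# Constructed incident window: the same account now logs on at night, hops
# across servers within minutes, and is added to a privileged group.
INCIDENT_LOG = """\
2024-05-07T02:11:00 jdoe WS-0417 logon
2024-05-07T02:14:00 jdoe SRV-FILE01 logon
2024-05-07T02:16:00 jdoe SRV-EHR02 logon
2024-05-07T02:20:00 jdoe DC01 group_add:Domain Admins
2024-05-08T08:05:00 jdoe WS-0417 logon
"""


def parse(log):
    """Parse 'timestamp user host event' lines into (datetime, user, host, event)."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host, event = line.split(None, 3)  # event may contain spaces
        events.append((datetime.fromisoformat(ts), user, host, event))
    return events


def build_baseline(events):
    """Per user, record the set of hosts and the logon hours seen during a clean period."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, event in events:
        if event == "logon":
            baseline[user]["hosts"].add(host)
            baseline[user]["hours"].add(ts.hour)
    return baseline


def detect(events, baseline, lateral_window=timedelta(minutes=10), lateral_hosts=3):
    """Return a list of (timestamp, user, rule) alerts for departures from the baseline."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, host)] logons inside the sliding window
    for ts, user, host, event in events:
        b = baseline.get(user, {"hosts": set(), "hours": set()})
        if event == "logon":
            if host not in b["hosts"]:
                alerts.append((ts, user, f"new-host:{host}"))
            if ts.hour not in b["hours"]:
                alerts.append((ts, user, f"off-hours:{ts.hour:02d}h"))
            # Lateral movement: distinct hosts reached by one account in a short window.
            recent[user] = [(t, h) for t, h in recent[user] if ts - t <= lateral_window]
            recent[user].append((ts, host))
            distinct = {h for _, h in recent[user]}
            if len(distinct) >= lateral_hosts:
                minutes = lateral_window.seconds // 60
                alerts.append((ts, user, f"lateral-movement:{len(distinct)} hosts in {minutes}m"))
        elif event.startswith("group_add:"):
            # Privileged-group changes are always worth an alert, baseline or not.
            group = event.split(":", 1)[1]
            alerts.append((ts, user, f"privilege-change:{group}"))
    return alerts


def run_example():
    """Build the baseline from the clean log and score the incident log against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(INCIDENT_LOG), baseline)


if __name__ == "__main__":
    for ts, user, rule in run_example():
        print(f"{ts.isoformat()} {user} {rule}")
```

The baseline must come from a period you have reason to believe is clean, and the thresholds (window length, host count, which groups count as privileged) need tuning per environment; on real logs the off-hours rule in particular will need shift schedules rather than a flat set of hours. The point is that none of these rules depends on knowing the vulnerability or malware in play, which is exactly the situation a zero-day puts a defender in.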
Healthcare security must improve
Healthcare organizations are under relentless threat, at a level unmatched among critical infrastructure sectors. In 2023, the FBI's Internet Crime Complaint Center recorded 1,193 ransomware complaints from critical infrastructure organizations; a plurality of 20.9% (249 complaints) came from healthcare.
Attackers will keep deploying ransomware and stealing data for as long as healthcare providers give them the opportunity. By maintaining basic security hygiene, layered access controls, anomalous behavior detection, and a vulnerability management program that covers every connected device, healthcare organizations can withstand these threats and send attackers looking elsewhere.