Ransomware gangs’ ruthless, relentless focus on healthcare

Taylor Armerding, Nerd For Tech · 7 min read · Mar 11, 2024

Remember when the goal of most ransomware gangs was just to get you to fork over a few hundred thousand dollars to get your critical data decrypted? And when there seemed to be an unwritten honor-among-thieves code that they — at least most of them — wouldn’t attack organizations in a way that would endanger physical life, health, or safety?

That’s now sounding like the good old days.

Because ransomware gangs are increasingly ruthless and relentless, focusing not just on draining their victims’ wallets but on threatening their health and safety. Apparently whatever gives them more leverage is now considered legit.

The trend is documented in statistics collected by multiple government agencies and private analysts.

The U.S. Department of Health and Human Services (HHS), in its December 2023 “Healthcare Sector Cybersecurity” report, cited a “93% increase in large breaches from 2018 to 2022 (369 to 712), with a 278% increase in large breaches reported to the OCR [Office for Civil Rights] involving ransomware from 2018 to 2022.”

The technology site Healthcare reported at the end of January that according to global analyst firm Omdia, the healthcare sector was attacked more than any other between January and September 2023.

And just a couple of weeks ago, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and HHS issued a joint advisory warning of ALPHV/BlackCat ransomware attacks “primarily targeting the U.S. healthcare sector.”

It is also illustrated in numerous ominous examples.

  • Last Thanksgiving weekend a ransomware attack on Ardent Health Services resulted in ambulances being diverted from hospitals in Texas, New Jersey, New Mexico, and Oklahoma. Ardent later reported that the attackers had also gained access to “consumers’ sensitive information, which includes their names, addresses, phone numbers, email addresses, Social Security numbers, medical treatment information, health insurance and claims information, and Medicaid or Medicare numbers.” The attack compromised the personal information of 17,500 people in Texas alone.
  • Lurie Children’s Hospital in Chicago had to take its networks offline last month to deal with what it called a “cybersecurity matter.” According to later reports, the Rhysida ransomware-as-a-service gang was trying to sell data stolen in the attack on its dark web site for the equivalent of $3.4 million in bitcoin. As of late last month, the hospital was still working on recovering its systems and its electronic health records system was still down.
  • Forbes reported in mid-February that Romanian authorities confirmed that a ransomware attack on the Hipocrate platform, which runs IT systems for many providers, took at least 100 hospitals offline. While 25 hospitals were directly impacted by the attack, 79 others took systems offline as a precaution while investigations continued.
  • Last week, UnitedHealth Group said the ALPHV/BlackCat ransomware group had hacked its subsidiary Optum, which operates Change Healthcare, a nationwide network where healthcare providers can manage customer payments and insurance claims. As Ars Technica put it, “With no easy way for pharmacies to calculate what costs were covered by insurance companies, many had to turn to alternative services or offline methods,” a disruption that continued for nearly two weeks. And in an apparent example of the “no-honor-among-thieves” narrative, security blogger Brian Krebs reported last week that there were indications that Change Healthcare had paid $22 million to BlackCat. But “the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely,” which is widely being called an “exit scam.”
  • St. Margaret’s Health, a rural hospital in Spring Valley, Illinois closed in June 2023, in large part because it couldn’t recover financially from a cyberattack.
  • According to the HIPAA Journal, an analysis from cybersecurity firm Emsisoft showed that the average ransom payment in the healthcare industry in 2018 was just $5,000, but by 2023 it had spiked to $1.5 million. Beyond that, some ransomware gangs that attacked plastic surgery centers posted intimate images of patients and then demanded payment to have them removed.

The spike in successful attacks is not just because ransomware gangs have become more aggressive. They have some built-in advantages. From the start, hackers in hostile nation-states like Russia, North Korea, and Iran haven’t had to worry about U.S. law enforcement. They’re out of reach.

The ransomware industry has also evolved far beyond the cliché image of the solo hacker wearing a hoodie, staring at a screen in a basement. Gangs are more organized. It is a business — witness the rise of ransomware-as-a-service.

Making it even worse, healthcare organizations have become more vulnerable, for multiple reasons.

  • Lack of budget. The Healthcare Information and Management Systems Society (HIMSS) reports that the average healthcare organization spent less than 6% of its overall IT budget on cybersecurity.
  • Lack of talent. It’s hard to find good people, and even if an organization can find them they’re more expensive. It’s simple supply and demand.
  • Aging technology. Organizations are using outdated, insecure equipment, including devices running legacy operating systems that no longer receive security patches.
  • More endpoints. The Covid pandemic prompted the healthcare industry to ramp up online technology to support telehealth, remote work, medical devices, and patient records. While that has brought benefits to both patients and providers, it also creates a much bigger attack surface.

Irresistible target

Not surprisingly, those factors have made healthcare a vast, irresistible target. Tim Mackey, head of software supply chain risk with the Synopsys Software Integrity Group, told Forbes that “healthcare providers represent a high-value target for cybercriminals. Any breach of data that includes PHI [protected health information] represents information that an attacker can use to gain the trust of their victims.”

“If attackers are able to gain write access to any healthcare database, then they can modify patient information in ways that could impact the life of a patient while also being difficult to undo,” he said.

Clearly this is a problem that goes beyond financial and even personal privacy. It can jeopardize the health and physical safety of patients. So the obvious question is: Are there ways the industry, along with government agencies that oversee healthcare, can prevent or at least mitigate the damage from those attacks?

The short answer is yes. But the caveat is that they will take time, talent, money, and negotiation.

Government is responding — somewhat slowly — with a combination of carrots and sticks. HHS has said it will rewrite rules for the federal Health Insurance Portability and Accountability Act (HIPAA) — the law that requires the protection of patient information — later this year to include new cybersecurity requirements. The agency is also considering withholding hospitals’ Medicaid and Medicare funding if they fail to comply with those new requirements.

“The more prepared we are the better,” HHS Deputy Secretary Andrea Palm told the AP.

But a number of experts think governments should get even more aggressive and ban ransomware payments worldwide. Emsisoft, in a recent report, declared that “the only solution to the ransomware crisis — which is as bad as it has ever been — is to completely ban the payment of ransoms… Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop.”

And Ciaran Martin, inaugural chief executive of the UK’s National Cyber Security Centre, recently wrote that “Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payments ban work.”

He and others dismiss the arguments often made against such bans: that they simply penalize victims who are already being punished by the attack (some have compared it to punishing a rape victim), and that they will simply incentivize those victims to avoid reporting an attack or seeking assistance.

Debrup Ghosh, senior security solutions manager with the Synopsys Software Integrity Group, doesn’t dismiss those arguments — he said those incentives are real. “Ransomware payments are a sensitive topic,” he said, “and while some organizations may not want to negotiate with threat actors, others may do so to protect the business.”

“In my opinion, even if ransomware payments are made illegal, there are several mechanisms to circumvent this, including using bespoke cryptocurrencies for payment or other low-tech methods such as hawala payments [an informal method of transferring value without moving physical money, which is illegal in some U.S. states] in Southeast Asia.”

An ongoing debate

This isn’t a new debate. The FBI has recommended against paying ransoms for more than a decade, while acknowledging that for many victims it’s not really an option.

But it shouldn’t take a federal mandate, or even a recommendation, to motivate organizations to take measures to make themselves more difficult targets. And there are multiple recommendations on how to do that from both the public and private sectors.

The most obvious is low-tech: ramp up employee training in security awareness. According to the joint HHS/CISA/FBI advisory regarding ALPHV/BlackCat, “[ransomware] affiliates use advanced social engineering techniques and open source research on a company to gain initial access. Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network.”

Beyond that, CISA has a series of recommendations.

  • Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
  • Prioritize remediation of known exploited vulnerabilities: in other words, patch first whatever is already being exploited in the wild (CISA publishes that list as its Known Exploited Vulnerabilities catalog), and then keep the rest of your software up to date.
  • Enable and enforce multifactor authentication with strong passwords.
  • Close unused ports and remove applications not deemed necessary for day-to-day operations.
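The first two items on that list are a join: a current inventory of what you run, matched against what is known to be under attack. The script below is an added example (not code from the article, CISA or HHS) showing how a hospital security team might rank scanner findings against CISA's Known Exploited Vulnerabilities (KEV) feed, pushing entries flagged for ransomware use, already past CISA's due date, or sitting on internet-exposed hosts to the top of the patch queue. The KEV excerpt and the findings list are constructed sample data with fictitious vendors, products, hosts and CVE IDs; the field names follow the real KEV JSON feed, and the scoring weights are assumptions for illustration.

```python
"""Rank vulnerability-scanner findings against the CISA KEV catalog.

Added example, not from the original article. KEV_JSON and FINDINGS are
CONSTRUCTED sample data (fictitious CVE IDs, vendors, products, hosts).
In production, fetch the real catalog from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and export FINDINGS from your scanner / asset-management tool.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the real KEV feed (same field names).
KEV_JSON = """
{
  "title": "Constructed KEV excerpt for illustration only",
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
     "product": "PACS Gateway", "dateAdded": "2024-02-15",
     "dueDate": "2024-03-07", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor",
     "product": "VPN Appliance", "dateAdded": "2024-01-20",
     "dueDate": "2024-02-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor",
     "product": "Print Server", "dateAdded": "2024-03-01",
     "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: one row per (host, CVE). The CVE on ehr-db-01
# is deliberately NOT in the KEV excerpt, to show it falls to the back.
FINDINGS = [
    {"host": "pacs-gw-01", "role": "imaging", "internet_exposed": False, "cve": "CVE-2099-0001"},
    {"host": "vpn-edge-01", "role": "remote-access", "internet_exposed": True, "cve": "CVE-2099-0002"},
    {"host": "print-03", "role": "office", "internet_exposed": False, "cve": "CVE-2099-0003"},
    {"host": "ehr-db-01", "role": "ehr", "internet_exposed": False, "cve": "CVE-2099-0100"},
]

# Assumed weights: KEV membership dominates, then ransomware use, then
# CISA's due date, then exposure. Tune to your own risk appetite.
W_KEV, W_RANSOMWARE, W_OVERDUE, W_EXPOSED = 100, 50, 30, 20


def load_kev(kev_json):
    """Index KEV entries by CVE ID for constant-time lookup per finding."""
    catalog = json.loads(kev_json)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def score_finding(finding, kev, today):
    """Return (score, reasons). Non-KEV findings score 0: they stay in the
    normal patch cycle, while KEV findings are fixed first, as CISA advises."""
    entry = kev.get(finding["cve"])
    if entry is None:
        return 0, ["not in KEV"]
    score, reasons = W_KEV, ["in KEV"]
    if entry.get("knownRansomwareCampaignUse") == "Known":
        score += W_RANSOMWARE
        reasons.append("used in ransomware campaigns")
    due = date.fromisoformat(entry["dueDate"])
    if due < today:
        score += W_OVERDUE
        reasons.append(f"past CISA due date {due.isoformat()}")
    if finding.get("internet_exposed"):
        score += W_EXPOSED
        reasons.append("internet exposed")
    return score, reasons


def prioritise(findings, kev_json, today):
    """Score every finding and return them highest-priority first."""
    kev = load_kev(kev_json)
    ranked = []
    for f in findings:
        score, reasons = score_finding(f, kev, today)
        ranked.append({"host": f["host"], "cve": f["cve"],
                       "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["host"]))
    return ranked


def example_ranking():
    """Run the sample data as of the article's date (2024-03-11)."""
    return prioritise(FINDINGS, KEV_JSON, date(2024, 3, 11))


if __name__ == "__main__":
    for r in example_ranking():
        print(f'{r["score"]:>4}  {r["host"]:<12} {r["cve"]:<14} {"; ".join(r["reasons"])}')
```

Run as-is, the internet-facing VPN appliance with an overdue, ransomware-linked KEV entry lands at the top, the imaging gateway second, the print server third, and the non-KEV database finding last. Swapping in the live KEV feed and real scanner output changes only the two data blocks at the top.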

Of course the dilemma for healthcare providers is that money spent on cybersecurity isn’t available for providing care. As Mackey put it, “To protect against the impact of a cyberattack would require IT resourcing that arguably might be better spent on patient care.”

But it doesn’t entirely have to be one or the other. “Principles like zero-trust networking can limit the scope of damage in the face of an attack, while detailed cybersecurity reviews of potential vendors and medical device manufacturers can identify weak cybersecurity practices within complex supply chains,” he said.

And that kind of spending is an investment that benefits both providers and patients. “Health data is among the most sensitive data available to a cybercriminal. That data is highly personal, difficult to correct if tampered with, and complications resulting from inaccurate data are quite severe,” Mackey said.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.