Date: 28 June 2024
In February this year, Change Healthcare dominated headlines as it became victim of a crippling cyber attack. Services across US pharmacies and healthcare providers were disrupted. A few months later, UnitedHealth-owned Change made more news as confirmations emerged from its CEO that the organisation had indeed paid a huge, $22 million-ransom to the cyber criminals to secure data.
As we’ve always maintained - paying ransom or even negotiating with cyber criminals is a big NO! There’s no honour amongst cyber thieves and the Change Healthcare Ransomware Attack has just reiterated this advice many times over. Not only did the attackers threaten for a second ransom payments, new groups emerged asking for additional payouts.
The worst of all? The recent spike in ransomware attacks on healthcare organisations in the last three months indicates that the Change payout has inspired hackers everywhere to target healthcare institutions with a vengeance.
For complete details of how this massive and complicated ransomware incident unfolded and what exactly happened, don’t miss our detailed Change Healthcare Cyber Attack Timeline Document and Summary Image.
We’ve also compiled an exhaustive list of recent cyber attacks on Healthcare Institutions and how to leverage this information to create your own effective Cyber Crisis Tabletop Exercise. You’ll find all the information and expert guidance in our blog on Bolstering Cybersecurity in the Healthcare Industry with Cyber Tabletop Exercises.
Topics covered in this article:
1. Rise in Ransomware Attacks on Medical Service Providers
2. Is Change Healthcare's Ransom Payout to blame?
3. What should healthcare institutions do now?
Rise in Ransomware Attacks on Healthcare
Cybersecurity researchers have recorded an unprecedented increase in the number of ransomware attacks targeting medical institutions. Cybersecurity firm, Recorded Future, has suggested that the rise in these attacks can be attributed, to a vast degree, to the massive ransomware payment that Change Healthcare made.
Sample these statistics that bolster this suggestion:
- In April, 44 ransomware attacks against healthcare providers were recorded. This is the highest in at least the last four years.
- In March, 30 attacks against medical services providers were recorded, making the spike in April the single highest month-on-month jump in such attacks.
- The impact on these victims has been crippling to say the least. Ascension, which operates 140 hospitals and 40 facilities for senior living, had to divert ambulances. The attack on Synnovis that provides pathology services to NHS hospitals had a very similar impact. Blood samples couldn’t be matched in time, operations and surgeries had to be postponed, including those for cancer patients and patients requiring organ transplants.
- Recorded Future has found that every month of 2024 has seen more ransomware attacks on healthcare that the same month in 2023.
What does Change Healthcare have to do with this Rise?
Nobody can say with certainty that the recent spike in attacks on the medicare industry is linked to Change Healthcare. However, the timing of the attacks and the massive ransom payout is uncanny.
A Change Healthcare spokesperson, while speaking to Wired, said that the trend of attackers increasingly targetting healthcare institutions predates the Change Healthcare ransomware attack. While this is true, the CEO admittedly paying a $22 million ransom, has definitely incentivised criminals to attack the medical industry.
The healthcare industry has always been a preferred target for two simple reasons. One, there’s a vast repository of sensitive patient data to be stolen. Two, the disruption an attack on this sector causes is devastating, with the potential to directly impact human life. Consequently, the propensity for organisations to pay up, albeit not sensible, can be understood from an emotional perspective.
Change Healthcare’s $22 million extortion fees, the demand for a second ransom from RansomHub, suggestions that a second ransom might have also been paid - all send one clear message: attacks on the healthcare sector can be pretty lucrative for the criminal.
Jon DiMaggio, a security researcher with cybersecurity firm Analyst1 sums it up perfectly when he says, "It’s (Healthcare Industry) always looked like an easy target. Now it looks like an easy target that’s willing to pay.”
What should Healthcare Organisations do to Protect themselves?
The only thing to do if you’re in the healthcare industry right now is to ensure that your security and data protection is watertight. The attackers are coming and they’re coming for everyone, regardless of the sector you operate in. Yes, you’re more susceptible if you’re in healthcare right now and that’s why following the below recommendations can keep you better protected:
- Get your cybersecurity posture in order: Quite obviously, the first thing to do is to implement a cybersecurity framework. Identify your most critical assets, your biggest risks and threats and work towards protecting your assets against them.
Get your Cyber Incident Response documentation in order so that your team knows how to respond and control the damage in case you’re attacked. This includes your Cyber Incident Response Plans, Playbooks and Policies. Hire external help such as our Virtual Cyber Assistants to help you review and refresh your existing documentation or create new artefacts. They can also help you achieve compliance with relevant Standards and Regulations, in particular HIPAA for the healthcare industry. - Train your staff: Staff awareness is critical to containing the damage if you’re attacked. Ensure that key members of your Incident Response and IT teams are adequately prepared in Cyber Incident Response. Our NCSC Assured Training in Cyber Incident Planning and Response is well-known for elevating cyber resilience standards in organisations whose employees have undertaken the course.
- Enhance Cybersecurity Leadership: It is also critical to engage the business leadership in cybersecurity and the current threat context. Cybersecurity Awareness Training for Senior Management and Cyber Tabletop Exercises for Business Leadership can go a long way in improving cybersecurity decision-making. It encourages the business executive team to understand the risks that plague the organisation and prepare a pre-meditated response strategy that meets business goals.
-
Never Pay the Ransom: This cannot be said enough - quite clearly. When you’re under attack, it’s natural to wonder if paying the ransom can make your problems go away. But it never will as is now quite apparent with the Change Healthcare ransomware attack.
AlphV took Change's $22 million extortion fee and vanished, leaving their hacker partners unpaid. The affiliates then gave the data to RansomHub, which demanded another ransom from Change and threatened to leak the data on its dark web site.
Instead of negotiating with criminals, get your Ransomware Readiness together with our FREE Ransomware Readiness Checklist and Visual Ransomware Response Guide.
