While ransomware groups have not spared any industry, attackers have put the healthcare sector at the top of their preferred targets. The surge in hospitals falling victim to breaches has raised concerns among regulators and government officials who have moved to push through new policies and legislation.
CommonSpirit, one of the largest nonprofit healthcare systems in the US, posted a privacy breach notice on Dec. 1, warning that 623,774 patient records were exposed after a breach on Sept. 16. The nationwide network of 140 hospitals and over 1,000 care facilities in 21 states confirmed that ransomware attackers accessed the patient records, but said there is currently no evidence that personal information was misused. The potentially affected patients were those treated at CommonSpirit’s Franciscan Medical Group and Franciscan Health in Washington. The four hospitals are now known as Virginia Mason Franciscan Health, a CommonSpirit affiliate.
The current spike builds on last year's 35% increase in overall attacks on healthcare providers compared with 2020, according to Critical Insight, a managed detection and response (MDR) service provider. According to Critical Insight, cyberattacks on healthcare providers affected 45 million individuals last year, compared with 34 million in 2020 and 14 million in 2018.
In October, the FBI Internet Crime Complaint Center (ICA) reported that among 16 critical infrastructures, the healthcare and public health sector accounts for 25% of ransomware complaints. The US Department of Health and Human Services (HHS) in April issued a warning about Hive, an aggressive ransomware group that has targeted healthcare organizations.
The HHS Health Sector Cybersecurity Coordination Center (HC3) noted that Hive is known to have been in operation since June 2021, and "in that time has been very aggressive in targeting the US health sector."
Another recent hacker group to emerge that is targeting healthcare providers with ransomware is Daixin Team. In October, HHS joined the Cybersecurity and Infrastructure Agency (CISA) and the FBI with an advisory warning that Daixin Team is actively pursuing healthcare providers with ransomware that uses Babuk Locker, source code that encrypts files in VMware EXSi servers.
Daixin Team's ransomware encrypts healthcare providers' electronic health records, diagnostics, imaging, and intranet services, according to the advisory. The group has also exfiltrated personally identifiable information (PII) and patient health information (PHI) and has extorted ransoms by threatening to release that data.
Impact of Ransomware on Healthcare
During the Disruptive Innovators CIO Forum in New York earlier this month, a conference focused on emerging technology for the healthcare industry, a panel discussion addressed the surge in ransomware. "Ransomware is now probably the No. 1 security issue for most healthcare organizations today," said Christopher Kunney, SVP of digital innovation at Divurgent, an IT advisory firm for healthcare organizations.
Kunney, one of the panelists, warned ransomware will remain a growing threat in healthcare "as we expand the footprint outside the four walls of the hospital and we look at things like virtual care, and other technologies that can now sit on top of our network infrastructure."
Saket Modi, who moderated the panel and is co-founder and CEO of Safe Security, noted that one of the first known deaths attributed to ransomware, a newborn in Alabama, occurred last year. "A ransomware attack is no longer just financial and reputational; it can have an actual impact to the life of people," Modi said. Besides the risk of data exfiltration, ransomware attacks are a risk to the delivery of patient care, especially when attackers access systems responsible for keeping patients alive.
"We have to realize that cybersecurity isn't just about data security; it's also a matter of life and death," added Michael Archuleta, CIO of Mt. San Rafael Hospital and Clinics in Trinidad, Colo.
Noting that COVID forced healthcare providers to accelerate their digital transformation efforts in recent years, many organizations haven't adequately addressed the security risks associated with the implementation technology and systems that are now accessible.
"We're living in the digital age of healthcare, and we need to start incorporating initiatives technology outcomes that better enhance our overall experience and better enhancing patient outcomes, but also keep secure the entire organization moving forward," Archuleta said.
Healthcare Cybersecurity Act of 2022
Looking to stem the mounting attacks, Rep. Jason Crow (D-CO) sponsored the Healthcare Cybersecurity Act. The bill, introduced in September, would require CISA to collaborate with HHS to improve cybersecurity in the healthcare industry.
According to the bill's summary, CISA and HHS would provide resources "including cyber-threat indicators and appropriate defense measures, available to federal and nonfederal entities that receive information through HHS programs."
The bill also calls for CISA to provide cybersecurity training and remediation strategies to those who own or provide health care services. Archuleta, the CIO of Mt. San Rafael Hospital and Clinics, said that 91% of targeted ransomware attacks came from phishing emails directed at employees, many of whom haven't received adequate training. "We are not focusing on developing a human firewall within our organization," he said.
Meanwhile, Senator Mark Warner (D-VA) published a policy options white paper that details existing cybersecurity threats and potential responses from the federal government. The paper draws on Warner's staff and cybersecurity experts' research and a broad set of options for the federal government to collaborate with healthcare providers to improve their cyber protection capabilities and a blueprint for recovering from attacks.
"The healthcare sector is uniquely vulnerable to cyberattacks, and the transition to better cybersecurity has been painfully slow and inadequate," Warner said in a statement. "The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities."