Healthcare sector cyber attacks are increasing at an alarming rate, security researchers have warned, as threat actors continue to ratchet up pressure and force organizations to shore up their defenses.
On 21 February 2024, US-based technology company Change Healthcare, whose systems are used by hospitals and pharmacies across the country, fell victim to a major cyber incident that affected a number of its services.
The breach is reported to have impacted over 100 applications produced by the UnitedHealth Group subsidiary, including those that underpin medical records, patient engagement, and payment services.
Matt Aldridge, principal solutions consultant at security company Opentext Cybersecurity, told ITPro the incident is the latest in a string of attacks on healthcare organizations, noting it is imperative the sector improves its cyber posture moving forward.
"This latest cyber attack on Change Healthcare in the US is sadly unsurprising, given healthcare is a common target for cyber criminals,” he said.
“As medical facilities' services are essential and often cannot be disrupted without severe risk to patients, the industry is very much in the spotlight and therefore must put in place strong cyber resilience strategies to limit outages and keep continuity of patients care at the forefront is key."
Healthcare sector cyber attacks have prompted industry warnings
The frequency of the attacks targeting the healthcare sector forced the FBI, CISA, and the Department of Health and Human Services to update their #StopRansomware joint advisory.
The advisory, urging healthcare companies to get serious about the elevated threat level they face, now includes further information on the specific tactics, techniques, and procedures of the ALPHV/BlackCat ransomware gang.
The ALPHV/BlackCat collective is known for specifically targeting institutions in the healthcare industry, and is thought to be the group behind the latest Change Healthcare attack affecting hospitals and pharmacies across the US.
How the Change Healthcare attack unfolded
Change Healthcare disclosed it had suffered a major breach on 21 February 2024, causing major delays to prescription services.
The company’s technology facilitates the communication between the medical organization and the patient’s insurance provider, and the disruption has meant pharmacists have been unable to process insurance claims.
In an update to its initial disclosure, released on 21 February, Change Healthcare stated that once it became aware of the external threat, it disconnected its systems in order to prevent further damage.
The update also stated the company was confident the incident had not impacted Optum, which acquired Change Healthcare in 2022, or UnitedHealth Group systems.
UnitedHealth Group’s filing with the US Securities and Exchange Commission (SEC) on February 27 stated it had “identified a suspected nation-state associated cyber security threat actor had gained access” to the information systems of Change Healthcare.
Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense Cyber Threat Intelligence, posted on LinkedIn that their findings indicated the initial access was achieved via a vulnerability in ConnectWise’s ScreenConnect remote desktop access software.
Bohuslavskiy speculated the use of this initial access would limit the number of likely perpetrators, commenting this could be the work of a former BlackCat admin regrouping after the group was targeted by law enforcement operations.
Regardless of the attacker’s identity, this attack demonstrates ransomware’s significant and potentially grave consequences when used to target healthcare institutions.
Repeated healthcare sector cyber attacks should be a wake up call
As Aldridge noted, attacks on critical national infrastructure, particularly healthcare organizations, can incur severe costs, with many patients in the US being unable to retrieve their prescriptions for the last six days.
Previous attacks on healthcare services in Ireland and the UK have caused similar disarray amongst patients trying to attend appointments or collect their, sometimes vital, medicine.
Pharmaceutical firm Cencora disclosed a data breach on Tuesday 27 February, with investigations still ongoing and further details of the incident yet to be confirmed.
On the same day, medical supplies firm Henry Schein reported a more than $120 million drop in annual net income as a result of a cyber attack affecting the organization in September 2023.
Improve data quality, patient safety, and staff satisfaction
Ireland’s national health and social services provider was forced to shut down its entire IT system after it was hit by a ‘sophisticated’ ransomware attack in 2021, leading to outpatient medical appointments being canceled and postponed.
Four years earlier, in 2017, the UK’s National Health Service (NHS) was one of a number of public sector organizations ‘brought to its knees’ by the WannaCry ransomware, thought to be propagated by North Korean threat actors.
The attack disrupted one-third of the UK’s hospital trusts and around 8% of GP clinics, with estimates of almost 19,000 hospital appointments canceled as a result of the attack.
Aldridge said that, despite repeated instances, the broader healthcare sector - including service providers - remains highly vulnerable to cyber criminals.
Statistics from Check Point’s annual threat report found the healthcare industry was one of the top-three most targeted sectors in 2023. With an average of 1,500 weekly attacks on healthcare organizations, the sector ranked third behind education/research (2,046) and government/military (1598).
Of the top three most targeted sectors, however, healthcare was the only industry which saw the frequency of attacks increase since 2022, growing by 3%.
With this in mind, Aldridge argued the industry needs to ensure it is continually reevaluating cyber hygiene practices and improving its resilience to cyber threats.
"A nationwide disruption of prescription services by attackers raises serious concerns about the resilience of healthcare IT systems. Disconnecting systems, though necessary, demonstrates the challenges associated with balancing operational continuity and cyber security," he said. "To combat evolving threats, it is crucial that the healthcare industry continually evolves its cyber security strategies."
