'Cybersecurity is patient safety': What the ransomware attack on Change Healthcare should teach the industry

As the disruption caused by the cyberattack at Change Healthcare stretches beyond its tenth day, cybersecurity experts say the incident could spur greater emphasis on enhancing protocols—and greater oversight from the feds.

On Feb. 21, Change Healthcare's systems were taken offline and its parent company, Optum, disclosed the following day that a cybersecurity issue was behind the outage. UnitedHealth Group initially pinned the blame for the attack on a "nation-state" affiliated actor before acknowledging on Thursday that it was caused by BlackCat, a notorious cybercriminal gang also known as ALPHV or Noberus.

The hackers had taken credit for the breach in a quickly deleted post on its dark website.

Steve Cagle, CEO of Clearwater, which provides cybersecurity services to healthcare organizations, told Fierce Healthcare that ransomware hackers like BlackCat see the clear value in the wealth of data that the industry has stored in its systems.

"You have threat actors—over 114 threat actors—specifically targeting healthcare, and they recognize the value of the data, they recognize the value of the technology that they can hold up in a ransomware attack," Cagle said. "And they're criminals and criminals are motivated by money."

Ransomware attacks are growing, and healthcare is a frequent target

Addressing ransomware, or attacks where critical data or technology are extracted and then encrypted to be held for a ransom, needs to be a key focus for healthcare cybersecurity leaders, as they're frequent targets of these hackers given the data at stake.

A study published in January 2023 in JAMA Health Forum found that the number of ransomware attacks in healthcare has doubled over the past five years alone. The Department of Health and Human Services (HHS) issued a report (PDF) earlier this year on ransomware and its impacts on healthcare, saying that there were more than 630 ransomware incidents impacting healthcare globally in 2023, with 460 of them hitting organizations in the U.S.

BlackCat is one of the primary hacking groups targeting healthcare, according to the report. The group was also behind massive cyberattacks on MGM Resorts International and Caesars Entertainment last year.

"The long-time perceptions of domestic, rogue, individual hackers as primary perpetrators do not match the current reality in the healthcare and life sciences sector," HHS wrote. "Institutions are routinely targeted by full-time professional cyber actors that are well-trained, well-equipped, well-funded, and often supported and sheltered by adversarial nation-states."

Cagle said that BlackCat took the gloves off in its hacking efforts after the FBI briefly seized its websites late last year. Once it regained access to its sites, the organization's leaders encouraged affiliates to attack hospitals and other vulnerable targets, when previously they had avoided fully taking these organizations offline.

"So this is a very aggressive threat actor, again, targeting healthcare," he said, "now targeting with fewer restrictions."

Federal agencies issued a warning about BlackCat specifically to healthcare organizations in December that was updated this week after the breach at Change.

It's still not clear at present how the hackers accessed Change's systems. Cybersecurity experts posited that they were able to breach Change through a recently identified vulnerability in Connectwise's ScreenConnect platform, though the hackers themselves refuted that theory in a now-deleted statement on their website.

Troy Hawes, a health IT consultant and managing director at Moss Adams, told Fierce Healthcare that the BlackCat hackers are known to use "sophisticated social engineering techniques" to get into target systems, including research on company employees and leveraging that knowledge to gain access.

"They really target IT employees," he said. "They're known to do a lot of homework upfront."

Where healthcare organizations should focus

So what can healthcare companies do to put themselves in a better position to prevent or respond to a ransomware attack? Cagle said that while the number of attacks is growing, many prominent people in the industry are working hard to set the industry up to respond proactively to these breaches.

In February, the Health Sector Coordinating Council's Cybersecurity Working Group released its strategic plan, a five-year road map to addressing some of the most challenging cybersecurity trends facing healthcare. It established 10 goals that organizations can adopt to be better prepared.

For one, it recommends that cybersecurity requirements be made readily available, understandable and feasible for every segment of healthcare to implement. Emerging technologies should be "rapidly and routinely" screened for risks, and any platforms deployed either inside or outside of a healthcare organization must be "secure-by-design and secure-by-default," according to the plan.

The goal, the working group said, is to upgrade the diagnosis for cybersecurity in healthcare from "critical condition" to "stable condition" over the next several years.

It's critical to view cybersecurity on the same level as other key priorities within the organization, Cagle said.

"For smaller organizations, do I put more money in security, or do I buy that new MRI machine or hire the additional staff that I need?" he said. "But if cybersecurity is patient safety, that's table stakes. That should make the answer to that question easier for you because patients come first. Patients have to be at the center of everything that we do."

Hawes noted that HHS also released voluntary guidelines in January that aim to support healthcare companies in beefing up their cybersecurity practices as the first step in a broader strategy around this issue.

He said he believes broad change in healthcare around cybersecurity will likely hinge on what the next phases of that strategy look like. Down the line, these voluntary goals will have potential incentive payments tied to them, but Hawes said he expects to see at least some of the guidelines become mandatory in the future, especially as the breach at Change continues to grab headlines.

"It's a necessary piece that can't just be, 'Hey, here's some funds, go to it.' There needs to be oversight," he said. "There needs to be people actually evaluating that it's been done. There needs to be third-party assessments and things like that to help assess those entities."

Cagle said that the sheer size of Change Healthcare, and its parent company UnitedHealth Group, and the scale of the disruption will likely be a "wake-up call" for those in the industry who may not be putting cybersecurity front and center.

"What happens a lot of times is something will happen and then people kind of go back to what they're doing," he said. "And they forget, and I hope that doesn't happen here."

"Because if this can happen to such a large organization, and such an important organization, and one that probably has a good security program in place … it could happen to anybody," he said.