Repeat Offenders: Black Basta’s Latest Healthcare Cyberattack

The healthcare industry is still reeling from the ransomware attack on payment and claims system Change Healthcare in February, but the onslaught of attacks continues. Ascension, a 140-hosptial health system with locations in 19 states, is the latest high-profile cyberattack victim in the healthcare space.

The attacks on Change Healthcare and the Ascension resulted in disruptions to patient care and scrutiny on cybersecurity in this critical infrastructure sector is ramping up. Why is healthcare so vulnerable, and what’s to be done about it?

The Cyberattack on Ascension

On May 8, Ascension “detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event,” according to Ascension’s cybersecurity event update page. As of May 15, the health system is continuing its investigation and working to get its systems back up and running.  

This cybersecurity event turned out to be another disruptive ransomware attack. Several of Ascension’s services are impacted, including electronic health records systems, patient portals, phones, and systems used for procedure and medication ordering, according to the health system’s updates page. As a result of the attack, ambulances were diverted and patients are having issues accessing records and filling their prescriptions, according to AP News.

Related:5 Contactless Health Monitoring Platforms That Collect Data Noninvasively

Ascension is working with several third-party cybersecurity providers, including Mandiant, Palo Alto Networks Unit 42, and CYPFER. It does not yet have a timeline for restoring its operations and returning to normal operations.

The ransomware attack is being attributed to Black Basta, CNN reports. The group has set off alarm bells in the cybersecurity and healthcare communities as it ramps up its targeting of healthcare organizations. Several federal agencies and industry organizations -- the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) -- teamed up to release a cybersecurity advisory on Black Basta.

Black Basta has hit more than 500 organizations in at least 12 of 16 critical infrastructure sectors around the world, according to the advisory.

Healthcare as a Target

Black Basta is far from the only group targeting the healthcare industry. ALPHV/Blackcat was behind the attack on Change Healthcare, owned by UnitedHealth Group (UHG). The healthcare industry is vulnerable, and threat actors across many groups are ready to take advantage.

Related:10 Cyber Incident Response Tips From Those Who've Had a Breach and Lived to Tell About It

Whether the goal of threat actors is purely financial or not, the toll of these continuing cyberattacks is going to be human. “It's inevitable that's going to happen one day, that somebody will not be able to receive lifesaving care because of one of these ransomware events,” says Errol Weiss, the CSO of the Health Information Sharing and Analysis Center (Health-ISAC).

Ransomware and ransomware-as-a-service groups will continue to be a considerable threat. “The ransomware-as-a-service users … have recognized that it may be an easier to get a ransom from [a] healthcare organization than it might be from a manufacturing organization because the issues of the downtime that you would suffer from ransomware would be so much more catastrophic on the healthcare side,” Wes Wright, chief health care officer at Ordr, a connected device security company, tells InformationWeek.

Supply chain risk is also a critical threat, as illustrated by the attack on Change Healthcare. With a highly interconnected healthcare system, a single point of vulnerability exploited by a threat actor can have catastrophic consequences.

“How are you going to be impacted by your interconnected systems and dependencies if somebody else were to be breached?” says Anthony Cammarano, global vice president of security, privacy, and strategy at data protection platform Protegrity. Healthcare organizations need to be able to answer this question.

Related:DNA is an Ancient Form of Data Storage. Is it Also a Radical New Alternative?

Mounting Pressure

As healthcare cyberattacks pile up, the industry faces mounting pressure to answer questions about how these attacks happen and what is being done to stop them. Following the Change Healthcare attack, UHG CEO Andrew Witty had to testify at two Congressional hearings, and legislators were not impressed with his responses, according to Healthcare Dive. Threat actors used compromised credentials to gain access to a portal that did not have multifactor authentication in place.

It is unclear what kind of scrutiny Ascension will face from legislators and regulators, but its recent ransomware attack is one small part in a broader pattern in the healthcare industry.

“It’s getting more attention in the boardroom, more attention [from] senior leadership with the organizations,” says Weiss. “Now, the pressure is really on to see what they can do in terms of trying to identify additional resources … coming down to more money, more spend on technology to help protect … organizations.”

That pressure could come in the form of more regulatory requirements. “Unfortunately, you're going to have [to] force the healthcare industry to start doing things they should be doing like running internal intrusion detection, running scans, focusing on network security,” says Kurt Osburn, director, risk management and governance at NCC Group, a cybersecurity and managed services company.

A failure to adopt minimum cybersecurity standards could increasingly lead to regulatory consequences. “I think you're going to see a lot more fines. You're going to see a lot more investigations,” says Osburn.

Cybersecurity and Resource Constraints

While healthcare organizations are facing more pressure to improve cybersecurity, are they equipped to do so? “We just seem to be fighting that forever battle of trying to identify resources,” says Weiss.

Hospitals and health systems often operate on thin margins, and it isn’t unusual for security to fall to the bottom of the priority list. “Unless they turn loose the faucet and they start putting the money in compliance and security like they need to do, [we’ve] got nowhere to go but up from a breach standpoint. This is just the tip of the iceberg,” says Osburn.

But where will that money come from? There is an argument to be made that the government will need to provide resources, such as grants or financial incentives, to help the healthcare industry achieve more mature cybersecurity.

The federal government played a pivotal role in fueling the digitization of healthcare through Meaningful Use, a program that incentivizes the use of electronic health records.

“[We] didn't get a lot of money to build the security around those systems,” says Wright. “I think it's incumbent upon the government that … forced people to build these big attack surfaces and gave them money for it [to say], ‘Let's take a step back, establish some minimum standards of what good looks like, and let’s fund people to get to that.’”

Whether or not more government resources to fund cybersecurity in healthcare will become available remains to be seen, but attacks will undoubtedly continue in the meantime. What can resource-strapped healthcare organizations do?

Healthcare organizations can start by selecting one of many available cybersecurity frameworks, such as the NIST Cybersecurity Framework. HHS also has voluntary Cybersecurity Performance Goals (CPGs) that can help healthcare organizations as they implement cybersecurity best practices.

“Pick a framework that you believe you can execute against,” says Cammarano. “That's going to set a baseline for you. It's going to do discovery for you. It's going to allow you to start measuring how you move from where you are today to where you're going.”

Understanding the attack surface and implementing basic cyber hygiene can help protect healthcare entities, but that is not enough. The mantra of “if not when” in cybersecurity demands organizations know-how to respond when an attack inevitably happens.

Wright emphasizes the importance of reducing the potential blast radius of a cyberattack with network segmentation. “All the CTs in the hospital, are they on the same work network as all the PCs are? If so, your blast radius is that much bigger,” he says. “Let's put them on different virtual networks and contain that blast area.”

As healthcare organizations consider that potential blast radius, they need to think about cyber resilience. How will they respond if they are directly attacked or caught up in the ripple effect of a third-party supply chain attack?

“I'm encouraging organizations to use their imagination and factor those kinds of events into tabletop exercises and other contingency planning that they do going forward,” Weiss urges.

Part of the challenge is reframing how healthcare teams think about cybersecurity, not as a technical afterthought but an essential priority. “You have got to be in front of your employees, your staff, and they have to have it in their head that cyber safety is patient safety,” says Wright.