In recent years, the healthcare industry has become an increasingly attractive target for cybercriminals. The implications of these attacks extend far beyond ransom demands, posing severe threats to patient safety and the integrity of medical services. With their rich troves of sensitive patient data and complex networks of medical technology, healthcare systems offer attackers significant leverage. Holding medical data and equipment hostage can turn into a literal life-and-death situation, amplifying the urgency and gravity of these incidents.
The statistics are sobering. In 2023, the median ransom demand in the healthcare sector was a staggering $450,000. High-profile cases underscore the financial burden of these breaches; UnitedHealthcare recently disclosed that it paid $22 million to cybercriminals following an attack on Change Healthcare.
Phishing and unpatched external-facing vulnerabilities are the primary methods attackers use to breach healthcare systems. While it’s easy to advise organizations to “patch all external-facing vulnerabilities,” the reality is that this is a monumental task in the complex and ever-evolving healthcare environment. These entry points are numerous and varied, creating a vast landscape that needs to be meticulously secured.
Understanding the scale and impact of cyber attacks on healthcare is crucial for developing robust defense strategies.
Another Major Breach: Ascension Falls Victim to Ransomware Attack
In early May, Ascension was hit by a ransomware attack, just months after the massive breach at Change Healthcare. The Ascension attack poses a direct and ongoing threat to patients at the system’s 140 hospitals and 84 pharmacies. Multiple critical systems, including electronic health records, MyChart (a patient communication utility), and various medication and test ordering systems, are currently offline.
In response to the attack, Ascension initially paused non-emergency procedures and diverted EMS to other facilities across multiple states. The healthcare system is now collaborating with Mandiant and federal authorities to investigate the incident. Preliminary findings suggest that the Russian-speaking group Black Basta was behind the attack. It remains unclear whether patient data was compromised, but the repercussions are already being felt. Patients have started filing federal lawsuits against Ascension, alleging inadequate protection of their data.
The Human Cost
Studies show that hospital mortality rates rise after a cyberattack.
Anonymous doctors and nurses have reported that patients are bearing the brunt of the disruption caused by the ransomware attack on Ascension. For over two weeks, staff have resorted to using paper for medical orders, labs, imaging, and prescriptions. Communication between departments has reverted to fax machines, a tool reminiscent of workflows from the 1980s and 90s. Some providers have even turned to personal texts and Google Docs to share patient information and treatment orders—methods that are far from secure enough to handle such sensitive data.
Patients are facing significant delays, with hours-long wait times for testing and even longer waits for results. One patient, who needed an ultrasound to help rule out cancer, received her imaging on a CD and had to find her own radiologist to interpret the test. The health system also risks breaking USDA guidelines that require mailing mammogram results to patients within 30 days of testing.
In Michigan, hospital staff have reported that manually assigned patient IDs have been reused, causing confusion over who should receive medications and test results. The shutdown of Ascension pharmacies has led to patients rationing medications or going without, mirroring the effects seen in the Change Healthcare attack.
While investigation and remediation efforts continue, doctors and nurses painstakingly chart patients’ conditions and treatments by hand. This manual process significantly increases the workload for a workforce already teetering on the edge of burnout. Although Ascension has informed providers that they will soon be able to access historical digital records for patients, there is no clear timeline for the full restoration of digital systems.
The Need for Robust Measures in Healthcare
The recent cyberattacks on Change Healthcare and Ascension have exposed the limitations in our current regulatory system. Government regulators simply don’t have enough leverage to prevent massively disruptive incursions into the healthcare system.
In response, the U.S. government has committed $50 million to bolster cybersecurity in the healthcare sector through an initiative called UPGRADE. This plan aims to develop an autonomous cyber-threat solution, leveraging the expertise of equipment manufacturers, cybersecurity specialists, and hospital IT staff to create advanced tools for protecting internet-connected hospital equipment. Led by ARPA-H, UPGRADE represents a critical step toward safeguarding healthcare infrastructure against future attacks.
While some question whether $50 million is enough to shore up the system, the collaboration between these key stakeholders, supported by government funding, is an essential start to fortifying the defenses of our healthcare systems.
Lessons Learned
This latest breach underscores the urgent need for enhanced cybersecurity measures within healthcare systems. The disruption of essential services and the potential exposure of sensitive patient information highlight the critical vulnerabilities that cybercriminals continue to exploit. As the investigation continues, healthcare providers must prioritize securing their networks to safeguard both patient care and trust.
For custom information security and compliance solutions, reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.
