Ransomware attacks against healthcare organizations.
By Tim Nodar, CyberWire senior staff writer
Nov 28, 2023

Why criminals find healthcare organizations attractive targets.

Healthcare organizations are increasingly becoming preferred targets of ransomware gangs. BlackBerry’s Global Threat Intelligence Report for the third quarter of 2023, for example, says that the healthcare industry saw a 181% increase in unique malware attacks.

An attack against Ardent Health Services affects operations across at least five US states.

A ransomware attack against Tennessee-based healthcare provider Ardent Health Services on Thanksgiving disrupted services at hospitals across East Texas, New Jersey, Idaho, New Mexico, and Oklahoma, CNN reports. The attack forced hospitals to divert ambulances to different providers. Ardent owns thirty hospitals in the US, and the attack has impacted all of them, East Idaho News reports.

Ardent said in a statement yesterday, “The Ardent technology team immediately began working to understand the event, safeguard data, and regain functionality. As a result, Ardent proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet, and clinical programs. Ardent has reported this event to law enforcement and retained third-party forensic and threat intelligence advisors. In addition to electronic protection procedures already in place, Ardent has also implemented additional information technology security protocols and is working with specialist cybersecurity partners to restore its information technology operations and capabilities as quickly as possible. At this time, we cannot confirm the extent of any patient health or financial data that has been compromised.”

Vanderbilt University Medical Center investigates a cyber incident.

Separately, Vanderbilt University Medical Center in Nashville, Tennessee, is investigating a cybersecurity incident that led to a compromised database, the Record reports. A spokesperson for the center stated, “Preliminary results from the investigation indicate that the compromised database did not contain personal or protected information about patients or employees.”

Welltok discloses details of an attack by Cl0p.

And patient engagement company Welltok has disclosed that it was attacked by the Cl0p ransomware group earlier this year, leading to a breach of data belonging to at least 426,000 patients of Premier Health in Ohio and an unnamed Georgia-based company, 2 NEWS reports.

The human consequences of disruption render healthcare targets attractive to criminals.

Nicole Sundin, CPO at Axio, wrote, in emailed comments, that the consequences of ransomware on healthcare targets extend beyond simple interruption of services.

“When ransomware targets critical infrastructure, the human impact extends beyond disrupting services and businesses facing ransom demands. Diverting emergency services becomes an attractive attack vector for cybercriminals because businesses often find themselves in a bind—either pay the ransom to resume critical services or risk operating without them,” Sundin explained.

The human cost increases the pressure on the victim organizations. “Comparing a hospital ransomware attack to, let’s say, MGM, the human impact is catastrophic. While MGM suffered financial losses and guests were inconvenienced (unable to access hotel rooms, play slots, or check in), the human impact remained relatively low. Hospitals are another story altogether. Their systems are complex due to the distributed nature of sites and also the combination of IT, OT, and IoT infrastructure. This complexity makes them more vulnerable from an attack vector perspective.”

Sundin offered some advice for healthcare providers. “To be prepared for such attacks, healthcare systems should:

  • “Standardize. Choose a simple risk assessment framework to start, such as NIST CSF. Legislative changes, such as HR 7898, have incentivized healthcare orgs to adopt a cybersecurity framework like NIST CSF, resulting in reduced audit cycles and abated fines.
  • “Prioritize. Quantify the priority of cyber threat scenarios. How much will a cyberattack cost us? Are we leaving risks on the table? Will the patient sue the hospital? Prioritization is dependent on understanding the financial impact of your critical cybersecurity threat scenarios.
  • “Act Collaboratively. Aim for continuous improvement, not once-a-year cyber risk assessments and quantification exercises. Health systems need to have a regular cadence to measure various risks and a process to prioritize improvement projects, make notes, set targets, document milestones, communicate with the board and other executives, and publish easy-to-understand reports.”

Scale matters when criminals choose a target.

Commenting specifically on the attack against Ardent, Jess Parnell, CISO at Centripetal, wrote: “The bad guys are probing and doing reconnaissance constantly to see what can or can’t get through the network. And they are quickly changing their tactics to increase their success rate. That’s why organizations run out of human runway quickly and why their infrastructure is quickly overloaded. And even with all the spending on cybersecurity that we see, the only thing that organizations know for sure is that their exposure to cyber risk is only going up and up and up. Companies must implement ongoing patch management and deploy proactive cybersecurity solutions to protect their valuable assets. Attackers can exploit vulnerabilities faster than IT can patch them, so active defenses can buy you time.”

According to Tim Helming, Security Evangelist at DomainTools, who also commented on the Ardent attack, “Health care networks, higher education, and local government have, unfortunately, been targeted more and more frequently by malicious actors, as despicable as these actions are.”

The healthcare network’s response, Helming thinks, is probably proportionate to the risk. “Ardent taking its network offline is an extreme, albeit effective, move to reduce both the chance that the ransomware can spread to more internal systems, and the likelihood that sensitive data can be exfiltrated to malicious assets. While this move does come at the expense of the health, wellbeing, and security of all of Ardent’s patients, they cannot have taken this move lightly, and it speaks to the likely seriousness of this attack. If there is any silver lining to this incident, it may be in the promptness and scope of Ardent’s response; it is to be hoped that they have headed off the most severe consequences.”

And ImmuniWeb’s Chief Architect Ilia Kolochenko commented on the resource constraints that contribute to the vulnerability of healthcare organizations. “Hospitals are one of the most vulnerable and under-protected organizations, making them a low-hanging fruit for ransomware gangs,” he wrote. “Some critical medical equipment still runs on legacy versions of Windows OS, for which support was discontinued years ago. Likewise, numerous computers and other devices that process protected health information (PHI) of patients commonly lack centralized security management and are vulnerable to easily exploitable vulnerabilities that were publicly disclosed many months ago.”

The healthcare sector, Kolochenko argues, is generally more impoverished than other sectors when it comes to security. “Worst, healthcare industry cybersecurity budgets are usually smaller compared to most other industries, especially when dealing with small medical clinics or governmental entities. Healthcare institutions also struggle to hire cybersecurity talent amid tough competition on the market. Eventually most hospitals remain under-protected and exposed even to simple variations of cyber attacks.”

Some regulatory assistance, he concluded, may be on the way. “In the EU, with the arrival of NIS 2 directive, the situation may get slightly better but it will unlikely make any fundamental change: healthcare institutions will not magically start printing money and investing it in their cyber resilience. Akin to GDPR, NIS 2 may slightly improve the overall situation but is far away from resolving cybersecurity issues in [the] healthcare industry. Thus, ransomware attacks will likely continue their steady growth making new victims in [the] healthcare sector.”

(Added, 11:45 AM ET, November 28th, 2023.) Dror Liwer, co-founder of cybersecurity company Coro, commented on the threat to life that attends attacks on healthcare systems. “While we normally think of the impact being economic or reputational, cyber attacks can risk lives, and have in the past. Attacks on hospitals, critical infrastructure, and vehicles to name a few can endanger people, which is why attackers should be prosecuted with that potential injury in mind.”

(Added, 4:45 PM ET, November 28th, 2023.) The attacks not only take advantage of scale in their target selection, but they're also notably indiscriminate. Carlos Morales, SVP of Solutions at Vercara, wrote in emailed comments, "This attack once again demonstrates the indiscriminate nature of ransomware actors who have little regard for what the effects of their attacks can be. It's an unfortunate reality that any business, even those that are focused on saving people's lives, can become a target. The goal of ransomware groups is just to make more money so the broader the potential victim pool, the better. They set extremely wide nets targeting many companies, across a variety of industry verticals, to find holes in defenses that can be exploited. This puts an impetus on companies to ensure that their protections reduce their attack surface sufficiently to avoid becoming victimized."

(Added, 1:15 PM ET, November 30th, 2023.) Javed Hasan, CEO and co-founder of Lineaje, suspects supply chain issues behind at least the Ardent incident. “The recent Ardent Health Services cyberattack is just the latest example of how data breaches can significantly disrupt day-to-day operations. Although more details need to surface, it wouldn’t surprise me to find out that the software supply chain is to blame. According to its staff, Ardent quickly had to shut down a significant number of programs, including Epic Systems, a software that tracks healthcare records,” Hasan wrote. “Most companies are still unaware of the lineage of their software, and rarely know who in the organization has ever assessed, interacted with, or even heard of these vendors. That is why it's so critical to know ‘what’s in your software.’ As we enter into the New Year, it’s essential to have solutions in place that assist businesses in analyzing the software supply chain in order to prevent the deployment of unknown and malicious components that are concealed within authorized software.”

Staff reductions over holidays affect organizations that may already have stressed security staffs. Kayla Underkoffler, Lead Security Technologist at HackerOne, sees this as a season of heightened risk for the healthcare sector. “Ardent Health Services is a reminder of the heightened cybersecurity risk healthcare organizations face, especially during the holiday season. Hospitals often see reduced staff around this time, which can inadvertently open doors for cybercriminals; threat actors seek to be online when they know defenders are not. Healthcare systems are also particularly enticing targets for ransomware gangs year round. These organizations are not always the most security mature and sit on a mountain of valuable confidential data — they’re low-hanging fruit and a gold mine for exploitation,” Underkoffler wrote in emailed comments.

Underkoffler is sympathetic to the sector's plight. “To be fair, healthcare data is highly regulated and confidential, making adopting seemingly cutting-edge cybersecurity best practices intimidating. However, I’d encourage healthcare organizations to consider the downside they’re already facing as the frequency of breaches continues to mount in this industry. Healthcare organizations must find a way to develop more proactivity in their cybersecurity approach and can look to other industries that face similar obstacles in regulation, data sensitivity, and digital infrastructure complexity for inspiration.”

They might benefit from lessons learned in other sectors. “For example, government and financial services are two sectors that have found great success in implementing Vulnerability Disclosure Programs (VDPs). These ‘see something, say something’ programs facilitate how organizations can empower security researchers to continuously identify and report vulnerabilities before cybercriminals can, and they have become a gold standard for every organization and security program, no matter the vertical. Healthcare organizations that do the work to take the lead now in embracing best practices are likely to see outsized benefits in reducing their own cybersecurity risk and driving the industry toward security maturity.”

In any case, cyber incidents in healthcare organizations have, as Steve Moore, Vice President & Chief Security Strategist at Exabeam, notes, an outsized potential for exacting a toll in human suffering. “This is a worst-case scenario; a security incident interferes with quality of care/quality of life. My sympathies go out to those who needed care and found it delayed. These well-funded criminal adversaries require ongoing offensive pressure to counteract their growing momentum. Godspeed to those in the offensive space who work daily on criminal group takedowns, protectors with offensive talents ranging from cybersecurity intelligence to traditional police work, specifically, those with arrest powers. From my days in breach response, I know the pain and the rush of what is happening. My heart is with the responders, and I hope for rapid response and recovery.”

The criminals certainly don't care.