Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label cybersecurity in healthcare. Show all posts

Proposed US Bill Mandates MFA and Cybersecurity Standards for Healthcare

 

A bipartisan group of US senators has introduced new legislation aimed at strengthening cybersecurity in American hospitals and healthcare organizations. The Health Care Cybersecurity and Resiliency Act of 2024 seeks to mandate the adoption of multi-factor authentication (MFA) and establish minimum cybersecurity standards to protect sensitive health information and ensure system resilience against cyberattacks. 

The proposed law, unveiled by Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), aims to improve coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Under this legislation, HHS would have a year to develop a comprehensive cybersecurity incident response plan and update the breach reporting portal with additional transparency requirements. 

Currently, healthcare entities classified as “covered entities” under HIPAA are obligated to report breaches to HHS. The new legislation expands these requirements, compelling organizations to disclose the number of individuals affected by a breach, corrective actions taken, and recognized security practices considered during investigations. The HHS secretary would have discretion to add further information to the portal as needed. In addition to enforcing MFA and encrypting protected health information, the bill outlines broader cybersecurity mandates. Covered entities and their business associates would need to adopt minimum standards defined by HHS, conduct regular audits, and perform penetration testing to validate their security measures. 

Senator Cassidy, a medical doctor and ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, underscored the urgency of this legislation. “Cyberattacks on our healthcare sector not only put patients’ sensitive health data at risk but can delay life-saving care,” Cassidy emphasized. The devastating impact of cyberattacks on healthcare was exemplified earlier this year when a ransomware gang targeted Change Healthcare, compromising sensitive health data from approximately 100 million individuals. 

The attack disrupted healthcare services nationwide and cost the UnitedHealth-owned company over $2 billion in remediation efforts, taking nine months to restore its operations. This high-profile incident spurred additional legislative action. Senators Warner and Ron Wyden (D-Oregon) proposed another bill earlier this year to establish mandatory minimum cybersecurity standards for healthcare providers and related organizations. 

 If enacted, the Health Care Cybersecurity and Resiliency Act would mark a significant step in fortifying the healthcare sector’s defenses against cyber threats, ensuring the security of patient data and the continuity of critical healthcare services.

Change Healthcare Restores Clearinghouse Services After Nine-Month Recovery From Ransomware Attack

 

Change Healthcare has announced the restoration of its clearinghouse services, marking a significant milestone in its recovery from a debilitating ransomware attack by the ALPHV/Blackcat group in February. 

The attack caused unprecedented disruption to one of the U.S.’s most critical healthcare transaction systems, which processes over 15 billion transactions annually and supports payments and communications for hospitals, healthcare providers, and patients. The breach led to widespread financial and operational issues, with the American Hospital Association (AHA) reporting that 94% of U.S. hospitals relying on Change Healthcare were affected. Many hospitals experienced severe cash flow challenges, with nearly 60% reporting daily revenue losses of $1 million or more. These difficulties persisted for months as Change Healthcare scrambled to restore its services and mitigate the attack’s impact. 

In response to the financial strain on healthcare providers, UnitedHealth-owned Optum launched a Temporary Funding Assistance Program in March. This initiative provided over $6 billion in interest-free loans to healthcare providers to address cash flow shortages. As of October, $3.2 billion of the funds had been repaid, reflecting progress in stabilizing the industry. However, some services, such as Clinical Exchange, MedRX, and the Payer Print Communication System, are still undergoing restoration, leaving providers to navigate ongoing challenges. 

The breach also exposed sensitive information of approximately 100 million individuals, making it one of the most significant healthcare data breaches in history. Victims’ full names, email addresses, banking details, and medical claims records were among the data compromised. Change Healthcare’s parent company, UnitedHealth, confirmed that the attackers gained access through stolen credentials used to log into a Citrix portal that lacked multi-factor authentication (MFA). UnitedHealth CEO Andrew Witty testified before Congress, admitting to authorizing a $22 million ransom payment to the attackers. He described the decision as one of the hardest he had ever made, emphasizing the urgent need to minimize further harm to the healthcare system. 

Cybersecurity experts have criticized Change Healthcare for failing to implement basic security protocols, including MFA and robust network segmentation, prior to the attack. The attack’s aftermath has been costly, with remediation expenses exceeding $2 billion as of the most recent UnitedHealth earnings report. Critics have described the company’s lack of preventive measures as “egregious negligence.” Tom Kellermann, SVP of cyber strategy at Contrast Security, highlighted that the company failed to conduct adequate threat hunting or prepare for potential vulnerabilities, despite its critical role in the healthcare ecosystem. 

Beyond the immediate financial impact, the incident has raised broader concerns about the resilience of U.S. healthcare infrastructure to cyberattacks. Experts warn that the sector must adopt stronger cybersecurity measures, including advanced threat detection and incident response planning, to prevent similar disruptions in the future. The restoration of Change Healthcare’s clearinghouse services represents a major step forward, but it also serves as a reminder of the severe consequences of insufficient cybersecurity measures in an increasingly digital healthcare landscape. 

The attack has underscored the urgent need for organizations to prioritize data security, invest in robust safeguards, and build resilience against evolving cyber threats.

WHO and Global Leaders Warn Against Rise of Ransomware Attacks Targeting Hospitals

 

On November 8, the World Health Organization (WHO) joined over 50 countries in issuing an urgent warning at the United Nations about the increase in ransomware attacks on healthcare systems worldwide. WHO Director-General Tedros Adhanom Ghebreyesus addressed the UN Security Council, emphasizing the critical risks these cyberattacks pose to public health and safety. He highlighted the growing frequency of attacks on hospitals, which could delay urgent care, disrupt essential services, and lead to life-threatening consequences. Calling for global cooperation, he described ransomware as an international security threat that demands a coordinated response. 

Ransomware is a form of cyberattack where hackers lock or encrypt a victim’s data and demand payment in exchange for releasing it. This form of digital extortion has escalated globally, affecting healthcare providers, institutions, and governments alike. In the healthcare sector, such attacks can be particularly devastating, compromising the safety of patients and healthcare workers. The joint statement, endorsed by nations such as Japan, South Korea, Argentina, France, Germany, and the United Kingdom, outlined the immediate dangers these attacks pose to public health and international security, calling on all governments to take stronger cybersecurity measures. The U.S., represented by Deputy National Security Adviser Anne Neuberger, directly blamed Russia for allowing ransomware groups to operate freely within its borders. 

According to Neuberger, some countries knowingly permit these actors to execute attacks that impact critical infrastructure globally. She called out Moscow for not addressing cybercriminals targeting foreign healthcare systems, implying that Russia’s inaction may indirectly support these malicious groups. Additional accusations were made against North Korea by delegates from France and South Korea, who highlighted the country’s alleged complicity in facilitating ransomware attacks. Russia’s UN representative, Ambassador Vassily Nebenzia, defended against these claims, arguing that the Security Council was not the right forum to address such issues. He asserted that Western nations were wasting valuable council time and resources by focusing on ransomware, suggesting instead that they address other pressing matters, including alleged attacks on hospitals in Gaza.  

WHO and the supporting nations warn that cybercrime, particularly ransomware, requires a global response to strengthen defenses in vulnerable sectors like healthcare. Dr. Ghebreyesus underscored that without collaboration, cybercriminals will continue to exploit critical systems, putting lives at risk. The joint statement also condemned nations that knowingly enable cybercriminals by allowing them to operate within their jurisdictions. This complicity, they argue, not only endangers healthcare systems but also threatens peace and security globally. 

As ransomware attacks continue to rise, healthcare systems worldwide face increasing pressure to strengthen cybersecurity defenses. The WHO’s call to action emphasizes that nations need to take ransomware threats as seriously as traditional security issues, working together to protect both patient safety and public health infrastructure.

Timeline of the Ransomware Attack on Change Healthcare: How It Unfolded

 

Earlier this year, a ransomware attack targeted Change Healthcare, a health tech company owned by UnitedHealth, marking one of the most significant breaches of U.S. health and medical data in history.

Months after the breach occurred in February, a large number of Americans are receiving notification letters stating that their personal and health information was compromised during the cyberattack on Change Healthcare.

Change Healthcare plays a critical role in processing billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector. Consequently, the company stores an extensive amount of sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change Healthcare has grown into one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Key Events Following the Ransomware Attack:

  • February 21, 2024: The first signs of trouble emerged when outages began affecting doctors' offices and healthcare practices, disrupting billing systems and insurance claims processing. Change Healthcare’s status page was inundated with outage notifications impacting all aspects of its business. The company later confirmed a "network interruption related to a cybersecurity issue," indicating a serious problem. In response, Change Healthcare activated its security protocols, shutting down its entire network to contain the intruders. This led to widespread disruptions across the U.S. healthcare sector. It was later revealed that the hackers had initially infiltrated the company’s systems on or around February 12.
  • February 29, 2024: UnitedHealth disclosed that the cyberattack was carried out by a ransomware gang, rather than state-sponsored hackers as initially suspected. The ransomware group, identified as ALPHV/BlackCat, claimed responsibility for the attack, boasting that they had stolen sensitive health information from millions of Americans. ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service gang, whose affiliates break into victim networks and deploy malware developed by the gang's leaders. These affiliates then share the profits from the ransoms paid by victims to regain access to their data
  • March 3-5, 2024: In early March, the ALPHV ransomware gang disappeared after collecting a $22 million ransom from UnitedHealth. The gang’s dark web site, which had claimed responsibility for the attack, was replaced with a notice suggesting that U.K. and U.S. law enforcement had taken it down, although both the FBI and U.K. authorities denied this. Signs pointed to ALPHV fleeing with the ransom in what appeared to be an "exit scam." The affiliate who executed the hack claimed that the ALPHV leadership had stolen the ransom and provided proof of a bitcoin transaction as evidence. Despite the ransom payment, the stolen data remained in the possession of the hackers.
  • March 13, 2024: Weeks into the cyberattack, the healthcare sector continued to experience outages, causing significant disruption. Military health insurance provider TriCare reported that all military pharmacies worldwide were affected. The American Medical Association expressed concern over the lack of information from UnitedHealth and Change Healthcare regarding the ongoing issues. By March 13, Change Healthcare had secured a "safe" copy of the stolen data, enabling the company to begin identifying the individuals affected by the breach.
  • March 28, 2024:The U.S. government increased its reward to $10 million for information leading to the capture of ALPHV/BlackCat leaders. The move was seen as an attempt to encourage insiders within the gang to turn on their leaders, as well as a response to the threat of having a significant portion of Americans' health information potentially published online.
  • April 15, 2024: In mid-April, the affiliate responsible for the hack formed a new extortion group called RansomHub and demanded a second ransom from UnitedHealth. The group published a portion of the stolen health data to prove their threat. Ransomware gangs often use "double extortion," where they both encrypt and steal data, threatening to publish the data if the ransom is not paid. The situation raised concerns that UnitedHealth could face further extortion attempts.
  • April 22, 2024: UnitedHealth confirmed that the data breach affected a "substantial proportion of people in America," though the company did not specify the exact number of individuals impacted. UnitedHealth also acknowledged paying a ransom for the data but did not disclose the total number of ransoms paid. The stolen data included highly sensitive information such as medical records, health information, diagnoses, medications, test results, imaging, care plans, and other personal details. Given that Change Healthcare processes data for about one-third of Americans, the breach is likely to have affected over 100 million people.
  • May 1, 2024:UnitedHealth Group CEO Andrew Witty testified before lawmakers, revealing that the hackers gained access to Change Healthcare’s systems through a single user account that was not protected by multi-factor authentication, a basic security measure. The breach, which may have impacted one-third of Americans, was described as entirely preventable.
  • June 20, 2024: On June 20, Change Healthcare began notifying affected hospitals and medical providers about the data that was stolen, as required by HIPAA. The sheer size of the stolen dataset likely contributed to the delay in notifications. Change Healthcare also disclosed the breach on its website, noting that it may not have sufficient contact information for all affected individuals. The U.S. Department of Health and Human Services intervened, allowing affected healthcare providers to request UnitedHealth to notify affected patients on their behalf.
  • July 29, 2024: By late July, Change Healthcare had started sending letters to individuals whose healthcare data was compromised in the ransomware attack. These letters, sent by Change Healthcare or the specific healthcare provider affected by the breach, detailed the types of data that were stolen, including medical and health insurance information, as well as claims and payment details, which may include financial and banking information.