The Aftereffects of Large-Scale Healthcare Ransomware Attacks

As healthcare becomes more interconnected and reliant on digital services, protecting patient data is critical. While immediate concerns following BlackCat’s Change Healthcare ransomware attack center on provider operations and financial interruptions, near-term fears and long-term vulnerabilities include potential nation-state attacks driven by the source code and data exfiltration that occurred.

Processing one in every three patient records, UnitedHealth Group subsidiary Change Healthcare’s February 21 cyberattack may lead to personal health information (PHI) leakage. Consequently, large-scale incidents like this open the door to exploitation by ransomware groups, fraudsters, and other bad actors, leading to subsequent cyberattacks, data loss and theft, patient privacy issues, investigations, extortion risks, and more.

That is why sustainable cybersecurity safeguards are critical in today’s healthcare environment—not just for IT teams but as a part of patient safety and risk management protocols.

Ransomware Attackers Don’t Stop

Ransomware attacks often do not end with a ransom payment. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. Those affiliates earn commissions ranging from 60%-90% of any ransom amount paid. One problem with paying a ransom is it encourages affiliates to then target other potential healthcare cyber weak spots to harvest more data.

Follow-on cyberattacks from ransomware groups looking to find other targets could cause considerable damage to hospital infrastructures, resulting in delays in patient care, impacts to IT systems, and loss of data.

Additionally, the affiliates may still have data from the initial incident, while the ransom payment only goes to the original BlackCat group. So, taking down the group and its website isn't going to do much to stop PHI data leakage—the data is still out there (at least four terabytes worth) and it’s a problem.¹

Personal Health Information Leakage

A long-term impact that Guidehouse suspects will become problematic from the Change Healthcare cyberattack is PHI and personally identifiable information potentially being out in the wild to be shared across peer-to-peer (P2P) networks.

P2P is how to move healthcare data around, even if a threat actor’s infrastructure is partially disrupted, as ransomware-as-a-service operators can make PHI data accessible to a wide audience via decentralized torrent networks. Once downloaded, users in possession of these files can automatically begin seeding them, meaning they become peer nodes in sharing PHI data within a torrent network. Think Napster for healthcare data.

More ransomware groups will start incorporating torrent-based file shares into their campaigns, amplifying the longevity of devastating data leakage and breaches. This leaves healthcare payers, providers, downstream entities, intermediaries, government agencies, and patients at risk for additional ransomware attacks as well as various fraud schemes such as identity theft, spoofing, bank account takeover, false claims, and more. Already in Minnesota, Attorney General Keith Ellison has warned consumers of ongoing imposter scams as state hospital associations have received reports of scammers seeking to steal credit card information.²

Even as more than half of hospitals report an adverse impact to revenue of $1 million per day or greater and UnitedHealth Group has advanced more than $2.5 billion to affected providers, these incidents also typically result in additional financial impacts from regulatory fines, as well as investigations and litigation.^3,4  The US Department of Health and Human Services (HHS) Office for Civil Rights recently issued a letter announcing investigations into the incident and reminded all healthcare entities—not just Change Healthcare and UnitedHealth Group—to assess their obligations to issue breach notifications to HHS and to patients.⁵

Business Continuity and Disaster Planning

Cyberattacks feel uncontrollable when they begin to expand and infiltrate everything around them. While President Biden as well as federal and state oversight and regulatory agencies are beginning to introduce legislation and develop updated cybersecurity and fraud risk guidelines, standards, and regulatory requirements, as well as initiate audits, new controls will need to quickly be understood, addressed, and implemented.

In short, every healthcare entity is vulnerable and must reevaluate how they identify and address patient safety and risk across their organizations. The best way to control cyberattacks is through business continuity and disaster planning. Industry leaders should take steps to:

• Understand what processes are in place to safeguard against cyberattacks (file transfer protocols, etc.)
• Conduct enterprisewide risk assessments of compliance, privacy, fraud, and cybersecurity posture (including for vendors and partners that perform critical operational functions)
• Build the legal and operational steps needed to respond to and prevent cyberattacks (i.e., data breach notifications, possible lawsuits, or how to investigate)
• Evaluate how the industry manages PHI data leakage as a whole and establish protocols to mitigate eventualities from large-scale cyberattacks, including fraud

Cyberattacks are disaster scenarios that can be managed, with the right strategies. This means laying the groundwork for a strong cybersecurity posture and risk mitigation program. For example, testing incident response programs by implementing executive security simulations for revenue cycle management and clinical operations in the face of any level of cyber incident is critical.

Now is the time to gauge your organization’s cybersecurity posture and fraud prevention program and evaluate your strategy to prevent, detect, respond to, and effectively remediate these extraordinarily complex and interconnected issues and risks.