When a cyberattack hit Seattle’s Fred Hutchinson Cancer Center late last year and exposed the personal data of nearly one million patients, many were caught off guard, shocked that a breach could infiltrate such a large and highly resourced health care organization.
But those working in computer security weren’t surprised. In recent years, they’ve watched other hospitals and health care facilities across the country get hit by similar attacks, some of which have crashed systemwide operations and caused delays in patient procedures or tests, or rerouted ambulances to other emergency rooms.
Cyberattacks of all kinds have plagued large companies, small businesses and individuals for decades now, but in the past several years, health care has become a top target, according to federal and local cybersecurity experts. These organizations hold an enormous amount of patient data, including medical records, financial information, Social Security numbers, names and addresses. They’re also among the few businesses that stay open 24/7, meaning they may be more likely to prioritize avoiding disruptions and, therefore, more likely to pay a hacker’s ransom.
“They’re basically a one-stop shop for an adversary,” said Chris Callahan, chief of cybersecurity for the Northwest region of the federal Cybersecurity and Infrastructure Security Agency, or CISA. The agency, housed within the U.S. Department of Homeland Security, also works to defend against government and election hacking, but recently health care, along with K-12 education and the water supply, has emerged as one of its most urgent priorities, Callahan said.
In December, the U.S. Department of Health and Human Services reported that the medical data of more than 88 million people was exposed in the first 10 months of 2023. The department also saw a 93% increase in large, health care-related breaches reported to the agency between 2018 and 2022.
While fewer data breaches in Washington state were reported to the state Attorney General’s Office last year compared with 2021 and 2022, which both saw a record number of cases, experts say cyberattack numbers are still much higher than they were before the pandemic.
In the past three months, 13 health care-related businesses have detailed large breaches to state Attorney General Bob Ferguson, as is required by Washington law when more than 500 residents have been affected by a cyberattack.
Attacks against computer systems at Proliance Surgeons and Western Washington Medical Group last February and July, respectively, allowed unauthorized access to the data of hundreds of thousands of patients, the medical groups wrote to Ferguson’s office. Dental insurer Delta Dental, Vancouver-based Hi-School Pharmacy, and California-based vision care provider Medical Eye Services (also known as MESVision) were also hit last year, affecting thousands more.
Patients’ health information is worth a lot of money to hackers, said Geetha Thamilarasu, an associate professor of computing and software systems at the University of Washington, Bothell. Once someone gets hold of a stolen medical record, they can buy fake prescriptions, file bogus insurance claims, engage in identity theft and sell it online, among other things, she said.
“There is a huge underground market on the dark web,” said Thamilarasu, who focuses on health care security. “Research shows that if a compromised credit card sells for about $1 to $5 each, a compromised medical record can sell anywhere from $400 to $500 — sometimes even $1,000.”
Once a hacker obtains someone’s personal information, they’ll often try to use it as leverage to extort an organization or victim for money, Callahan said. If that fails, they’ll try to sell it to other organized crime groups that typically have “one objective — to make as much money on your information as fast as possible,” he said.
The risk of being doxxed, when someone, usually with ill intent, posts a victim’s personal information online, has become more common, too, he added. After the Fred Hutch breach, many patients whose data was leaked also received a barrage of email threats and spam messages.
Health care organizations, like many others, have spent the last decade moving toward complete digitization, creating some new risks.
“Health records are no longer paper,” Thamilarasu said. “While having digital technologies is often great and provides more convenience, it also opens them up to these security vulnerabilities.”
This includes not only patient records, but also medical devices like X-ray and CT scanning machines, which are now often connected to a network or the internet, Thamilarasu said.
“And if you are connected to the internet, you can be hacked,” she said.
While an X-ray machine itself might not hold any patient data, it can act as an entry point for attackers trying to break into an organization’s broader network. In a health care facility, there could be hundreds of internet-connected devices, which require different types of security measures that are not always prioritized, she said.
One cyberattack on health care giant Ardent Health Services last year forced hospitals in New Jersey, Oklahoma, Texas, New Mexico and other states to divert ambulances to other emergency rooms and reschedule some nonemergency procedures while systems were offline.
“I think this is becoming more of a problem in health care than any other institution,” Thamilarasu said. “And with health care, you’re no longer just talking about money and loss of data. … This could potentially endanger human lives.”
Anatomy of a cyberattack
It often begins with a simple email.
Maybe an employee gets a message from a familiar name. They don’t notice the name is slightly misspelled, or recognize that it could be a phishing attempt. They open it and click the link.
And just like that, a hacker can gain access to the employee’s credentials and the organization’s entire network.
“The biggest risk sector is employees,” said Callahan of CISA. “If you don’t have the defenses or the user education and awareness, then it’s a super easy way to get into a system.”
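The slightly misspelled sender name described above is something a mail gateway or a security team’s triage script can catch mechanically, before a user has to spot it. The following is an added example, not code from the Seattle Times, CISA or any organization named in this article. The trusted domains (example-clinic.org and example-clinic.com) and the sample From: headers are constructed for the demonstration, and the digit-for-letter substitution list is a small illustrative set rather than a complete homoglyph table.

```python
"""Triage e-mail From: headers for lookalike or spoofed senders.

Added illustrative example, not code from the Seattle Times, CISA or any
organization named in the article. The trusted domains and sample headers
are constructed for the demonstration.
"""
from email.utils import parseaddr

# Assumption: the domains the organization legitimately sends mail from.
TRUSTED_DOMAINS = ("example-clinic.org", "example-clinic.com")

# Digit/letter swaps attackers commonly use to build confusable domains
# (illustrative subset, not a full homoglyph table).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(text: str) -> str:
    """Fold common lookalike characters so 'examp1e-c1inic' reads 'example-clinic'."""
    text = text.lower()
    for bad, good in SUBSTITUTIONS:
        text = text.replace(bad, good)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def main_label(domain: str) -> str:
    """'mail.example-clinic.org' -> 'example-clinic' (the label left of the suffix)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'display-name-spoof' or 'external'."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "lookalike"  # unparseable sender: treat as hostile
    domain = addr.rsplit("@", 1)[1].lower()

    # 1. Genuine: exactly a trusted domain or one of its subdomains.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"

    # 2. Lookalike: the trusted name reused as a subdomain of a foreign domain
    #    (example-clinic.org.attacker.example), a confusable-character copy,
    #    a one-edit typo-squat, or the trusted label embedded in another label.
    label = main_label(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label = main_label(trusted)
        if (domain.startswith(trusted + ".")
                or normalise(label) == normalise(t_label)
                or levenshtein(label, t_label) <= 1
                or t_label in label):
            return "lookalike"

    # 3. Display-name spoof: the visible name invokes the organization while
    #    the real address is somewhere else entirely.
    if any(main_label(t) in normalise(display) for t in TRUSTED_DOMAINS):
        return "display-name-spoof"
    return "external"


def triage(headers):
    """Map each raw From: header to its verdict. Anything other than
    'trusted' or 'external' deserves a second look before a link is clicked."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample headers, one per case the classifier distinguishes.
SAMPLE_HEADERS = [
    "Dr Jane Roe <jane.roe@example-clinic.org>",
    "Billing <billing@mail.example-clinic.org>",
    "Dr Jane Roe <jane.roe@examp1e-clinic.org>",
    "IT Helpdesk <helpdesk@example-clinlc.org>",
    "Records <records@example-clinic.org.attacker.example>",
    "Example-Clinic Portal <noreply@portal-notify.example>",
    "Vendor Invoices <ap@vendor-supply.example>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:20s} {header}")
```

The edit-distance threshold of one is deliberately tight; a longer trusted label can tolerate two, but short labels produce false positives quickly, so tune it per domain. The display-name check is the one that matters most for the scenario in the article, because a correctly spelled colleague’s name over an unrelated mailbox is exactly what a reader skimming on a phone will miss.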
Ransomware threats, in which malicious software blocks access to a victim’s data until a ransom is paid, are also on the rise, Callahan said.
In 2022, the Federal Bureau of Investigation recorded about 870 ransomware incidents that hit “critical infrastructure” businesses, like transportation, health care, energy, government and food and agriculture. Of those, almost 25% were attacks against health care and public health organizations, compared with about 22% in 2021.
AI technology has played a “huge role” in more sophisticated hacking attempts, Thamilarasu said.
“Attackers are able to generate all these emails, which no longer appear as (obvious) phishing emails,” she said. “Nowadays, they look so genuine and authentic.”
Cybersecurity can be an afterthought for many health care systems because they’re primarily focused on patient care, Callahan said.
Those who manufacture medical devices should also make sure their products are secure, Thamilarasu added.
“We all get that health care systems are one of the most overworked organizations,” she said. “And security is not the priority. Patients are the priority. So I think a lot of these staff and health care providers do not understand the level of damage somebody can cause.”
Push toward cyber safety
Recent cyberattacks have sparked a renewed push among many health care organizations to bolster protections.
Washington state’s Moses Lake Community Health Center, which was targeted last year, is in the midst of several cybersecurity improvements.
“We believe (cybersecurity) is not a destination, but a continuous improvement process,” said Mark Lauteren, the health center’s chief information officer, who joined after the breach. “The bad actors are always changing their environment and their attack methods, so if we put something up and say ‘Done,’ guaranteed, they’ll find a way around it within a few weeks.”
Lauteren declined to discuss the breach, which leaked data of about 1,200 people, but noted that cybersecurity is “not a new priority.” The Moses Lake center has since teamed up with CISA, which offers free, weekly cybersecurity scans to organizations that look for potential vulnerabilities in their systems and provide recommendations. CISA officials also run through “tabletop” exercises that mimic real cyberattacks, hoping to prepare organizations in case one occurs.
During these exercises, experts walk organization leadership and IT teams through a dry run of a breach, prompting them with questions. How might they respond? Are they going to pay the ransom? How are they going to start rebuilding their systems afterward?
“We (all) need to be better at protecting ourselves,” Lauteren said.
Since the Fred Hutch breach last fall, an organization spokesperson said it has implemented “additional defensive tools and increased monitoring,” but declined to elaborate on what those entail.
At UW Medicine, whose data was also affected during the Fred Hutch cyberattack, “we continuously strengthen our cybersecurity measures and actively adapt our strategies to address evolving cyber threats,” hospital spokesperson Susan Gregg said in a statement.
The Washington State Hospital Association has started to hold regular cybersafety sessions for its members, though organization spokesperson Beth Zborowski said she was hesitant to describe specifics, to avoid sharing strategies with hackers and to prevent any individual hospital from becoming a target.
“We are paying attention to this. We take people’s health information seriously,” Zborowski said. “If you ask hospital CEOs what keeps them up at night, this would be one of the things.”
Catching a cybercriminal
Falling for a cyber scam can happen in seconds. But it sometimes takes years for an investigation to unfold.
Fred Hutch, for example, is still working on confirming details around its recent breach, though the organization believes hackers overseas “exploited a vulnerability” in workspace software called Citrix that allowed them to gain access to its clinical network.
The weakness, known as “Citrix Bleed,” has drawn attention from federal cybersecurity teams, who say it allows attackers to bypass password requirements and multifactor authentication measures. The flaw (tracked as CVE-2023-4966, in Citrix NetScaler ADC and Gateway appliances) leaks session tokens from the appliance’s memory, so an attacker can hijack a session that a legitimate user has already authenticated rather than log in themselves; that is why neither the password nor the second factor gets a chance to stop it, and why patching alone is not enough unless existing sessions are also terminated.
In several other cyberattacks in Washington and across the country, investigators found hackers targeted a file-transfer tool called MOVEit, a software application used to exchange data. According to TechCrunch, a group of hackers found a weakness in the software that allowed them to install a backdoor and steal data. That weakness was a SQL injection flaw in MOVEit Transfer’s web interface (CVE-2023-34362), exploited in mid-2023 against a large number of organizations at once.
Cybercrime investigations can be challenging, especially if hackers are operating from a different country that may not want to work with the U.S., said Kevin Brennan, a supervisory special agent with FBI Seattle’s cyber task force.
“Some of it is going to be through more traditional investigative techniques,” Brennan said. “You know, follow the money — or in this case, cryptocurrency.”
The FBI discourages paying ransoms because it doesn’t guarantee hackers will delete or stop sharing people’s data, but if companies choose to, the agency also tracks online communications between victims and hackers, looking for small details that might illuminate where a suspect is. It’s becoming much less common for victims to pay ransoms, Brennan said, but the practice still happens; the FBI doesn’t collect data on how frequently ransoms are paid.
Once officials identify a suspect overseas, they have a few options, Brennan said. If the FBI is working with a country whose laws don’t require it to arrest someone based on an alleged crime committed in the U.S., agents might look for potential crimes the suspect committed in that country, he said.
In other cases, agents might need to wait for the suspect to travel somewhere that will extradite them to the U.S.
FBI Seattle doesn’t generally track “success” rates for closing cybercrime cases, but Brennan noted numerous challenges involved in working with international law enforcement. It can also be hard to report an accurate number of closed cases because sometimes cybercriminals are only charged with one breach when law enforcement officials might know or suspect they’re involved in many more, he added.
“It can be a waiting game at times,” Brennan said. “It can be frustrating, both for us and the victims. But it’s not something we’re going to give up on just because they’re hiding in a country that might not cooperate with the U.S.”
Staying safer online
As our collective reliance on technology grows, it can be easy to panic about further opening ourselves up to hacking and data leaks, experts said. But they noted there’s also a lot we can do to limit risk.
Cybersecurity experts have a list of tips on how to stay safe online, which can be found at the CISA website StopRansomware.gov. HHS has also created a health care-specific toolkit, which includes information about how health care systems can mitigate known vulnerabilities, bolster email security, enable multifactor authentication, deploy strong encryption and roll out basic cybersecurity training.
“You don’t want to call us in your darkest hour,” Callahan said. Institutions “want to make sure you know who your local FBI or CISA contact is. There’s all kinds of things we can do to help protect yourselves before an attack.”
According to CISA, some of the simplest changes to boost individual cybersecurity include:
—Recognizing and reporting phishing
—Using strong passwords
—Turning on multifactor authentication
—Updating software
If you think you’ve been targeted by a hacker, you can also report the incident to the FBI website ic3.gov, which is open to the public.
“I take some comfort in knowing that, as sad as it sounds, so much personally identifiable information has been stolen, the odds of any individual person being a victim is not very high,” said Brennan of FBI Seattle. “We all drive down the highway at 70 miles an hour and think, ‘I’m not going to be the one that gets into an accident.’ And odds are we’re not.”
___
(c)2024 The Seattle Times. Visit The Seattle Times at www.seattletimes.com. Distributed by Tribune Content Agency, LLC.
Source: www.bostonherald.com