
2024 will go down in history as another watershed year in healthcare cybersecurity. With 386 reported healthcare cyber attacks by the beginning of October, this year is on target to surpass even 2023, which was in itself a terrible year for healthcare cyber attacks and breaches.

The 2024 Ponemon Healthcare Cybersecurity Report supports these projections. It found that 92% of organizations experienced a cyber attack in the past 12 months – up from 88% in 2023. The report also shared that the cost of a healthcare data breach topped $4.7 million in 2024, making healthcare the single most expensive industry for ransomware and other cyber attack cleanup costs.

The FBI, via its Internet Crime Complaint Center (IC3), states that healthcare is now the primary industry target for ransomware gangs. The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) also acknowledges that ransomware attacks against the industry are up a staggering 278% since 2020.

Two Landmark Healthcare Cyber Attacks

2024 will also go down in history as the year of the single biggest, most disruptive, and most expensive healthcare cyber attack to date.

Change Healthcare Cyber Attack and Breach

In February 2024, the Russian ransomware group ALPHV/BlackCat attacked and breached United Health Group’s (UHG) Change Healthcare. The attack impacted nearly every American, exposing the protected health information (PHI) of at least 150 million individuals.

When the Change Healthcare attack became the new record holder, it effectively doubled breach numbers from the prior holder of the title – Anthem Health – which in 2014 exposed the PHI of 78.8 million individuals in a landmark case.

Despite paying the criminals a staggering $22 million ransom, UHG was unable to retrieve its data. Then, according to UHG CEO Andrew Witty during his Congressional testimony on May 1, 2024, the company was hit with a second ransomware demand to not publish stolen PHI. At the hearings, U.S. lawmakers described the UHG Change Healthcare attack as “the most significant and consequential cyberattack on the U.S. health care system in American history.”

The Change Healthcare attack severely disrupted healthcare billing and payment operations for months. It created a huge backlog of unpaid claims. It caused problems with insurance approvals and Medicare reimbursements. It also generated unprecedented financial and operational chaos for hundreds of medical facilities, physicians, and pharmacies. Patients were unable to gain approval for scheduled procedures or pick up their medications. It placed hundreds of small and rural healthcare providers at risk of closure, potentially depriving entire communities of tertiary health services.

Synnovis Cyber Attack and Breach

Another highly disruptive cyber attack took place earlier this year in the United Kingdom. In July, Synnovis, a joint venture pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust, and King’s College Hospitals NHS Trust, was hit by a ransomware attack. The attack impacted most NHS providers across South London, with 800 life-saving operations canceled and over a thousand other appointments forcibly rescheduled. It also led to hospitals being placed on divert and emergency ambulances redirected to the other side of London or to the home counties.

The Synnovis cyber attack has been attributed to Qilin, a Russian ransomware-as-a-service (RaaS) crime gang. Qilin demanded $50 million in extortion, which Synnovis did not pay due to UK government policy that prohibits extortion payments to terrorists. This attack paralyzed services at London hospitals for many weeks.

According to a recent report by Bloomberg, while responding to questions about the breach through a messaging account long associated with the gang, a hacker representative said that they were very sorry for the people who suffered but refused to accept responsibility for the human cost. They suggested that “the attack was justified because it was in retaliation for the British government’s involvement in unspecified wars.”

In the first half of 2024, ransomware victims have paid an astonishing $459.8 million to cybercriminals, setting the stage for a potentially record-breaking year. These extortion payments are also fueling the growth of the ransomware industry. Attacks are only likely to get worse in the future as long as healthcare organizations continue to make ransom payments.

A Common Thread: Third-Party Cyber Risk

The Change Healthcare and Synnovis cyber attacks indicate a broader trend in healthcare, where attacks target third-party healthcare providers or business associates. According to John Riggi, National Advisor for Cybersecurity and Risk for the American Hospital Association (AHA), 58% of the 77.3 million individuals affected by data breaches in 2023 were due to an attack on a healthcare business associate – a 287% increase compared to 2022. Based on the sheer size and impact of both Change Healthcare and Synnovis, it is highly likely that this percentage will be even higher once the final data is in for 2024. In other words, it’s not just healthcare payers and providers being attacked. Their business associates are now also being actively targeted.

Over recent years, hospitals and other providers have greatly improved their security posture through better risk analysis, risk remediation, and the implementation of security controls. However, overall, healthcare cyber attacks continue to increase. This is largely because cyber criminals and pariah nation-states are focusing on the weakest link – the huge number of third parties now involved in modern healthcare delivery.

According to Riggi, “simply put, the ‘bad guys’ – foreign ransomware groups, primarily Russian speaking – have mapped the health care sector and identified key strategic nodes to attack that would provide the most disruptive impact and access across the health care sector. These ‘strategic nodes’ translate to ubiquitous third-party technology and service providers. The more widespread and critical the impact, the higher the ransom payment demand and the higher the likelihood that the victim will succumb to making the payment.”

Why hack or attack 1,000 hospitals when a cyber threat actor can target one common business associate and get all the data or disrupt all the hospitals that depend on that single mission-critical third-party provider?

The Goal: Maximize Disruption

Healthcare cyber attacks are all about maximizing disruption, not only to maximize payment pressure, but also to cause damage and mayhem to critical national infrastructure in countries opposed to Russia’s expansive foreign policy stance or, in the case of China or Iran, to gain political advantage. Together, these three adversaries of Western liberal democracies are either behind or support and protect the criminal actors involved in the majority of healthcare cyber attacks worldwide.

The Weak Link: Complex Ecosystem with Limited Visibility and Fragmented Management

So how is it that third parties are now the weak link in healthcare security? The fact is that modern healthcare relies upon literally thousands of different vendors, suppliers, service providers, and IT and business processing outsourcers. Everything from core electronic medical record (EMR) and enterprise resource planning (ERP) systems like Epic and Cerner-Oracle to hundreds of different medical device manufacturers and third-party management companies are now players in the modern digital healthcare ecosystem.

The list of vendors – insurers, billing and collections, medical equipment suppliers – who have remote access to hospital networks is almost endless. Most healthcare delivery organizations don’t have a good understanding or an accurate inventory of who or what has access to their hospital networks, let alone the risks each group, system, or device may introduce. IoT is a particular problem, where many unpatched and insecure healthcare IoT devices can be easily compromised by criminals.

Change Healthcare Attack Vector

The Change Healthcare attack was the result of the vendor, Optum (part of UHG), failing to use multi-factor authentication (MFA) or privileged access management (PAM) on a legacy jump server used by system administrators to administer the Change environment. It is thought that Optum did not own software licensing for the jump server running an out-of-date operating system it inherited as part of the Change Healthcare acquisition. And since the whole Change Healthcare environment was in the process of being replaced with new applications built to Optum standards, the short-term risks were considered acceptable, rather than spending the time and money to build a new temporary jump server accessible only to a small number of trusted internal staff. In addition, one of the authorized users of this system had reused a password on another account that had previously been compromised. With a bit of research, hackers could put two and two together and gain access to the complete Change Healthcare environment.

Synnovis Attack Vector

By contrast, the Synnovis attack appears to have leveraged credentials from one of two prior attacks by a different Russian group, Black Basta, against its parent company, Synlab. Credentials – including VPN and MFA passwords – were evidently not reset. The Synlab environment was also not adequately secured against common malware and other attacks.
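Both attack vectors above come down to two auditable conditions: privileged sessions on a jump server that never verified a second factor, and accounts still logging in with credentials that were never rotated after an earlier breach. The following is an added defender-side check, not Cylera's code or anything from UHG or Synnovis; the login records, account names and dates are constructed sample data.

```python
"""Audit a jump server's login records for the two root causes described above.

Constructed example: the log entries, the 'exposed in a prior incident' list and
the rotation dates below are sample data, not real accounts or real events.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Login:
    user: str
    role: str           # "admin" = can administer the environment via the jump host
    mfa_verified: bool  # did the session present and verify a second factor?
    success: bool
    when: date


# Constructed sample log: four sessions on a hypothetical legacy jump server.
SAMPLE_LOGINS = [
    Login("jadmin", "admin", mfa_verified=False, success=True, when=date(2024, 2, 10)),
    Login("mlee", "admin", mfa_verified=True, success=True, when=date(2024, 2, 10)),
    Login("svc_backup", "user", mfa_verified=False, success=True, when=date(2024, 2, 11)),
    Login("jadmin", "admin", mfa_verified=False, success=False, when=date(2024, 2, 12)),
]
# Constructed: accounts whose credentials were exposed in an earlier (hypothetical)
# incident, and the date each account's password was last rotated.
PRIOR_BREACH_EXPOSED = {"jadmin": date(2023, 11, 1), "svc_backup": date(2023, 11, 1)}
LAST_PASSWORD_ROTATION = {"jadmin": date(2024, 1, 15), "svc_backup": date(2023, 10, 1), "mlee": date(2024, 2, 1)}


def admin_logins_without_mfa(logins):
    """Accounts with a successful privileged session that verified no second factor."""
    return sorted({l.user for l in logins if l.success and l.role == "admin" and not l.mfa_verified})


def stale_credentials_after_breach(logins, exposed, rotated):
    """Accounts seen logging in whose password was last rotated on or before the
    date their credentials were exposed, i.e. never reset after the prior incident."""
    stale = set()
    for l in logins:
        exposed_on = exposed.get(l.user)
        if exposed_on is not None and rotated.get(l.user, date.min) <= exposed_on:
            stale.add(l.user)
    return sorted(stale)


if __name__ == "__main__":
    print("privileged logins without MFA:", admin_logins_without_mfa(SAMPLE_LOGINS))
    print("credentials not rotated since exposure:",
          stale_credentials_after_breach(SAMPLE_LOGINS, PRIOR_BREACH_EXPOSED, LAST_PASSWORD_ROTATION))
```

Either finding should block the account from the jump host until MFA is enforced and the password is rotated, which is the control that was missing in both incidents.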

Even more alarming was that Synlab-Synnovis had very poor business continuity, disaster recovery, and security incident response plans (BCP/DR/SIR). This resulted in weeks lost restoring systems. This is totally unacceptable in an “operations-critical” industry like healthcare, where even short outages can lead to dramatic increases in patient morbidity and mortality.

Lessons Learned and Tougher Regulations

Plainly the lesson here is that providers of healthcare services must do more.

NIS2, CAF, and the CAF-aligned DSPT in the UK

In Europe, compliance with the NIS2 Directive is critical. In the UK, this translates to adoption of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), which the NHS England Data Security and Protection Toolkit (DSPT) now aligns to. (The Cylera platform also supports CAF and DSPT UK compliance reporting standards and is heavily used with UK NHS Trusts.)

HIPAA and HISAA in the U.S.

In the U.S., Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) need to mandate that all of their hundreds of third parties adhere to the same cybersecurity practices and controls as the hospitals themselves are required to meet. This means more regular and thorough security audits of all third parties, especially for smaller vendors who may not have ISO 27001 certification or a SOC2 attestation that can be used to demonstrate that they can meet the key control objectives of the CE in question.

New U.S. healthcare regulations, such as the Health Infrastructure Security and Accountability Act (HISAA), will also likely be introduced in 2025. This legislation is focused on transforming healthcare cybersecurity by setting minimum standards and providing much-needed financial support to providers who need help enhancing and improving their cybersecurity capabilities.

HISAA is still in the drafting stage at present but will likely impose stricter cybersecurity standards, require audits and stress tests, and result in serious consequences for non-compliance while also providing financial support to healthcare organizations.

HISAA will undoubtedly help to continue moving the needle in the U.S., just as NIS2 and CAF are already beginning to do in the UK. However, threats from criminal and pariah state actors are unlikely to diminish, at least in the immediate term.

The Ever-Expanding Healthcare IoT Threat Landscape

The healthcare cyber threat landscape continues to expand rapidly. As new healthcare technologies, including artificial intelligence (AI), mobile health (mHealth), consumer wearables, and an ever-increasing number of connected medical devices are adopted and deployed, securing healthcare from fast-moving cyber threats feels like a continuous game of cat-and-mouse or whack-a-mole.

Healthcare IT, information security, and biomedical teams struggle with managing seemingly never-ending Identify, Protect, Detect, Respond, and Recover cycles as new risks and vulnerabilities are discovered. These vulnerabilities and risks must then be addressed either through remediation or the implementation of compensating security controls. While compliance helps focus attention and the required resources for security, the principal driver will always be risk and the need for improved visibility.

Are you looking for new ideas or help improving your healthcare IoT and connected medical device cybersecurity in 2025? If so, Cylera experts are here to help.

Contact Cylera today to discover how the Cylera platform can measurably improve your cybersecurity maturity, reduce risk, and help ensure secure, reliable care delivery. Let's work together in 2025 to create a safer, more secure future for healthcare.
