Healthcare supply chains are grappling with a digital pandemic, with the recent attack on UnitedHealth Group demonstrating the power of a targeted ransomware attack to disrupt supply chains. Attackers aim to create chaos quickly to coerce their victims into paying a particularly high ransom. With lives at stake, healthcare supply chains are a prime target. United Healthcare paid a $22 million ransom in Bitcoin, a payment publicly visible on the Bitcoin blockchain. BlackCat, or ALPHV, led the cyberattack, taking credit on its website and then quickly deleting any mention of it. Disagreements over how the ransom would be divided led one of the attackers to accuse ALPHV, on the cybercriminal forum RAMP, of running off with their fair share.
The impact of the attacks continues to reverberate through regional and national healthcare supply chains, causing widespread financial chaos, according to The New York Times. The ripple effects on everyone, from patients to doctors trying to continue operating despite delays, refunds, or pending payments, are far-reaching.
Healthcare is facing a digital pandemic
This is the most severe cyberattack in the history of healthcare services, demonstrating how vulnerable the industry is to a sustained digital pandemic of breaches and ransomware attacks. The Health and Human Services (HHS) Breach Portal details how the healthcare digital pandemic continues to grow as attackers sharpen their expertise in the industry. Eighteen percent of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000, according to an Accenture study.
Change Healthcare, the unit affected by the attack, reports in its automatic notifications that over 113 systems are still impacted by the early-morning attack. UnitedHealth Group filed an 8-K with the Securities and Exchange Commission on February 21, explaining the attack and providing updates.
Health and Human Services (HHS) saw it coming. Their information security office has produced reports and presentations detailing the cybersecurity threats. Earlier this year, they published a comprehensive 50-page presentation on ransomware and healthcare services.
Merritt Barr, a consultant to expanso.io and balkanID and a former CISO, told VentureBeat that "ransomware groups love supply chain attacks – we see that in their high-value targets, from Kaseya to SolarWinds. And it makes sense: they target entities with a role in the supply chain to have a big impact. In other words, those embedded in the supply chain have upstream clients, and those clients have their own upstream clients." Barr emphasized to VentureBeat that "ransomware groups seek victims who will pay. In an organized space like healthcare services, we're talking about both business and regulatory costs that would make them want to pay."
Where healthcare providers need to start
Ransomware attack strategies are becoming more challenging to identify and stop, driven by Ransomware-as-a-Service (RaaS) groups that actively recruit specialists with expertise in common Windows and system management tools to launch attacks that traditional security solutions struggle to identify. Attackers' favorite tricks of the trade include living-off-the-land (LotL) attacks, which take advantage of gaps in endpoint protection. LotL attacks are carried out with commonly used tools, which makes them difficult to track.
Barr notes that "from a technical standpoint, remember that with Ransomware as a Service (RaaS), people can 'rent' the mechanism to deploy ransomware in the black market – so you don't even need to be very skilled to be able to do so. The goal is to spoil an entity's prosperity."
"Threat actors are increasingly focusing on cyber hygiene gaps, including pre-deployment incident response processes," Srinivas Mukkamala, product manager at Ivanti, told VentureBeat. CISOs say they are least prepared to defend against supply chain breaches, ransomware, and malware. Only 42% of CISOs and senior cybersecurity leaders say they are very prepared to defend against supply chain threats, while 46% see it as a high-level threat.
Healthcare CISOs and their teams need to consider the following strategies to start:
Conduct a thorough compromise assessment and consider an incident response retainer. Healthcare IT strategic advisor and former CIO Drex DeFord says healthcare CISOs first need to establish a baseline and ensure a clean environment. "When you have a compromise assessment, you get a comprehensive view of the entire environment and ensure you're not compromised, and you're just not aware of it yet," DeFord told VentureBeat. DeFord also advises healthcare CISOs to sign an incident response retainer if they don't already have one. "It ensures that if something happens, and you do have a security incident, you can call someone, and they will come immediately," he advises.
Remove any inactive, unused identities in IAM and PAM systems. To eliminate dormant authorizations, perform a hard reset on each IAM and PAM system in the tech stack, down to the identity level. Dormant authorizations lead attackers to IAM and PAM systems. First, remove access permissions from any account whose privileges have been revoked. Second, restrict user data and system access by role by resetting authorized access policies.
Ensure that BYOD asset configurations are up to date and compliant. Most of the time security teams spend on endpoint asset management goes to updating and configuring company-owned devices. Teams do not always reach BYOD endpoints, and IT policies covering employee-owned devices can be too broad. CISOs and their teams are starting to rely more on endpoint defense platforms to automate the configuration and deployment of settings for corporate and BYOD endpoint devices. CrowdStrike Falcon, Ivanti Neurons, and Microsoft Defender for Endpoint, which assimilates threat data from emails, endpoints, identities, and applications, are leading endpoint platforms that can do this at scale.
Enable multifactor authentication (MFA) for every authenticated account. Attackers are increasingly targeting the businesses that healthcare service providers work with in an attempt to gain privileged access and steal identities, allowing them into internal systems. The greater the privileges on an account, the higher the chance it will become a target for an authorization-based attack. Implementing MFA for all external business partners, contractors, suppliers, and employees is a first step. Be sure to deactivate authorizations for third parties that no longer need them.
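The identity cleanup and MFA recommendations above can be checked against an export of accounts. The following is an added example, not code from the article or from any vendor it names; the CSV column names, the sample rows, and the 90-day dormancy threshold are assumptions made for illustration.

```python
import csv, io
from datetime import date

# Constructed sample export; column names are hypothetical, not from any IAM/PAM product.
SAMPLE = """account,type,status,last_login,roles,mfa
jdoe,employee,active,2024-03-01,clinician,yes
svc-billing,service,active,2023-06-12,claims-admin,no
vendor-acme,third_party,active,2023-11-02,edi-submit,no
rlee,employee,revoked,2023-09-30,pharmacy-admin;claims-read,yes
mchan,contractor,active,2024-02-20,helpdesk,no
old-temp,contractor,revoked,2022-01-15,,no
"""

DORMANT_DAYS = 90  # assumed threshold; set to local policy


def audit(export_text, today, dormant_days=DORMANT_DAYS):
    """Return {account: [findings]} for identities that need action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        roles = [r for r in row["roles"].split(";") if r]
        idle = (today - date.fromisoformat(row["last_login"])).days
        active = row["status"] == "active"
        # Revoked accounts must not keep any access permissions.
        if not active and roles:
            issues.append("revoked-but-entitled: " + ",".join(roles))
        # Dormant identity: still enabled but unused past the threshold.
        if active and idle > dormant_days:
            issues.append(f"dormant: {idle} days idle")
        # MFA on every account, third parties included.
        if active and row["mfa"] != "yes":
            issues.append("no-mfa")
        # Third-party access that is no longer used should be deactivated.
        if active and row["type"] == "third_party" and idle > dormant_days:
            issues.append("deactivate-third-party")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE, date(2024, 3, 15)).items():
        print(f"{account:12} {'; '.join(issues)}")
```

The revoked-but-entitled finding is the one to clear first, since those accounts are assumed disabled yet still carry roles that return the moment the account is re-enabled.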
Reduce the risk of ransomware with automated patch management. Automation relieves IT and security teams of the heavy workloads they already carry supporting remote and virtual workers and high-priority digital transformation projects. 62% of IT and security personnel delay patch management, as 71% think patching is complex and takes too much time. Moving beyond inventory-based patch management to AI, machine learning, and bot-based technology can identify threats efficiently. Ivanti Neurons for Patch Intelligence, BlackBerry, CrowdStrike Falcon Spotlight for vulnerability management, and others can automate threat data ingestion from emails, endpoints, identities, and applications.
It's time to view cybersecurity spending as a business decision. Healthcare service providers need to view cybersecurity spending as a business investment in reducing risk. When attackers see their industry as one of the softest and most profitable targets, there is an urgent need to define the business value of cybersecurity beyond spending – it's an investment.
Barr told VentureBeat, "remember that ransomware is usually about money (though sometimes extorted by nation-states). The fact that UnitedHealth paid the ransom shows that the attackers chose their target well."