There have been recent instances of cyberattacks on healthcare organizations, leading to significant impacts on business operations and patient care:
OneBlood.org is a not-for-profit community asset responsible for providing safe, available, and affordable blood products to over 250 hospitals in Florida, Georgia, and the Carolinas. On July 28, 2024, an “outage” of OneBlood’s software system impacted the nonprofit’s ability to ship blood products to hospitals in Florida. OneBlood began operating at a significantly reduced capacity by manually labeling blood products as it recovered from the incident, CNN reported. The attack affected OneBlood’s critical software systems, including those used for blood labeling. This meant that OneBlood couldn’t tell which blood was O-negative and which was B-positive. OneBlood notified the impacted hospitals, which had to use blood conservation protocols, affecting patient care.
BleepingComputer reported that the attack occurred over the weekend, and that the ransomware gang RansomHub encrypted multiple VMware ESXi hypervisor servers. Without a breach-readiness capability, OneBlood was forced to shut down all IT systems and revert to manual processes, leading to cascading effects.
Ascension Healthcare is one of the leading non-profit and Catholic health systems, operating about 136 hospitals with approximately 131,000 associates and 37,000 affiliated providers serving impoverished and vulnerable communities in about 18 states.
On May 8, 2024, a ransomware attack targeted Ascension’s facilities in at least ten states, leading to the theft of data and the unavailability of Electronic Health Record (EHR) systems, forcing Ascension to divert ambulances, close pharmacies, take critical IT systems offline, and resort to pen and paper to record patient information.
The attack stole data and locked providers out of the systems that track and coordinate patient care, including the EHR, which took six weeks to recover. Some doctors and nurses almost prescribed or injected patients with the wrong medications. The attack resulted in a considerable financial loss for the health system.
CNN reported that the attack involved Black Basta ransomware, infamous for using common initial access techniques and then employing a double-extortion model, both encrypting systems and exfiltrating data. Ascension shut down its EHR systems, but by then it was too late.
Change Healthcare, acquired by UnitedHealth, is a healthcare technology company that connects payers, providers, and patients in the United States, helping payers, providers, and consumers improve clinical and financial outcomes.
On Feb. 21, 2024, the company, which processes 15 billion healthcare transactions every year and impacts one in every three patient records in the U.S., publicly disclosed a ransomware attack and took its services offline, preventing physician practices, hospitals, and pharmacies from submitting claims or receiving payments.
Change Healthcare’s clinical decision support, eligibility verifications, pharmacy operations, and claims processing stopped. Many facilities were unable to deliver care and faced financial collapse, leading the U.S. federal government, via HHS, to step in to support entities affected by the unavailability of Change Healthcare systems.
On Feb. 28, 2024, BlackCat/ALPHV claimed responsibility, stating it had gained access to Change’s remote access server on Feb. 12 with stolen credentials. The lack of MFA and segmentation allowed the attacker to move laterally within Change’s systems, steal and encrypt data, and deploy ransomware.
These and other recent attacks have led government and oversight entities to recommend that hospitals and healthcare organizations institute granular microsegmentation strategies for their network assets and resources. The idea is to stop the lateral movement that follows an initial breach, so that ransomware or malware can’t spread to the point of affecting critical digital operations. In their Cybersecurity Practices for Medium and Large Healthcare Organizations, HHS recommended Micro-Segmentation/Virtualization Strategies, referencing the NIST Framework control PR.AC-5. On page 33, they describe this methodology:
“Technologies called micro-virtualization or micro-segmentation assume that the endpoint will function in a hostile environment. These technologies work by preventing malicious code from operating outside of its own operating environment. The concept is that every task executed on an endpoint (e.g., click on a URL, open a file) can run in its own sandboxed environment, thus prohibiting the task from interoperating between multiple sandboxed environments. Since most malware is installed by launching incremental processes after gaining an initial foothold, this strategy can be effective at eliminating that second launch…Key Mitigated Threats: 1. Ransomware attacks 2. Loss or theft of equipment or data.”
—HHS Healthcare and Public Health Sector Coordinating Council, Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations 2023 Edition
The key aspect of microsegmentation, a foundational capability of zero trust architecture, is that rather than trying only to prevent a breach from occurring, it assumes a breach will occur (as recent events have shown to be likely) and provides a capability that prevents the inevitable breach from becoming a crisis.
Microsegmentation’s purpose is to prevent the lateral movement of ransomware or malware within the network landscape and to stop unauthorized communications that could be an effort to exfiltrate data. It enforces granular micro-perimeters (HHS uses the term “sandboxes”) around all network assets and resources. It asserts policies to stop unauthorized traffic between network resources and communications with risky ports or paths to the public internet.
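To make the policy model concrete, here is an added example of a toy microsegmentation policy engine. It is not ColorTokens code and not part of the HHS guidance; it illustrates the default-deny, allow-listed micro-perimeter idea described above. Every asset is labeled with a segment, only explicit (source segment, destination segment, port) tuples are allowed, and everything else is denied, with separate reasons for internet egress and for common lateral-movement ports. The asset inventory, segment names, allow rules, internal prefixes, and flow log lines are all constructed for illustration.

```python
"""Toy microsegmentation policy engine (added example, constructed data)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed inventory: which micro-segment each asset belongs to.
ASSETS = {
    "10.10.1.15": "nursing-workstation",
    "10.10.1.22": "nursing-workstation",
    "10.20.5.10": "ehr-app",
    "10.20.6.10": "ehr-db",
    "10.30.2.5": "esxi-mgmt",
    "10.40.9.7": "lab-partner-vpn",
}

# Constructed: the hospital's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed here is denied (default deny).
ALLOW = {
    ("nursing-workstation", "ehr-app", 443),
    ("ehr-app", "ehr-db", 5432),
    ("lab-partner-vpn", "ehr-app", 443),
}

# Ports commonly used to move laterally; denied between segments unless
# an explicit allow rule exists.
RISKY_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def segment_of(ip):
    """Segment label for an asset; unknown hosts get no privileges."""
    return ASSETS.get(ip, "unknown")


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(src, dst, port):
    """Return (verdict, reason) for one flow under the default-deny policy."""
    rule = (segment_of(src), segment_of(dst), port)
    if rule in ALLOW:
        return "ALLOW", f"policy {rule[0]} -> {rule[1]}:{port}"
    if not is_internal(dst):
        return "DENY", "egress to non-internal address (possible exfiltration path)"
    if port in RISKY_PORTS:
        return "DENY", f"{RISKY_PORTS[port]} between segments not allowed (lateral-movement channel)"
    return "DENY", "no allow rule (default deny)"


def replay(log_lines):
    """Evaluate each flow-log line; returns (src, dst, port, verdict, reason) tuples."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than failing open
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        verdict, reason = evaluate(src, dst, port)
        results.append((src, dst, port, verdict, reason))
    return results


def denied_by_source(results):
    """Denied flows per source host. A host accumulating denies across
    several segments is a lateral-movement indicator worth alerting on."""
    return Counter(r[0] for r in results if r[3] == "DENY")


# Constructed flow records in the style of a firewall/agent log.
SAMPLE_LOG = [
    "2024-07-28T03:10:01Z src=10.10.1.15 dst=10.20.5.10 dport=443",   # normal EHR use
    "2024-07-28T03:10:02Z src=10.20.5.10 dst=10.20.6.10 dport=5432",  # app -> db
    "2024-07-28T03:12:44Z src=10.10.1.15 dst=10.10.1.22 dport=445",   # workstation -> workstation SMB
    "2024-07-28T03:12:45Z src=10.10.1.15 dst=10.30.2.5 dport=22",     # workstation -> hypervisor mgmt
    "2024-07-28T03:12:46Z src=10.10.1.15 dst=10.20.6.10 dport=5432",  # workstation straight to db
    "2024-07-28T03:13:10Z src=10.20.5.10 dst=203.0.113.9 dport=443",  # app server -> internet
    "2024-07-28T03:14:00Z src=10.40.9.7 dst=10.20.5.10 dport=443",    # partner -> EHR app
]

if __name__ == "__main__":
    results = replay(SAMPLE_LOG)
    for src, dst, port, verdict, reason in results:
        print(f"{verdict:5} {src} -> {dst}:{port}  ({reason})")
    print("denies per source:", dict(denied_by_source(results)))
```

Running the script shows the two normal EHR flows and the partner access passing, while the workstation's SMB, SSH and direct-to-database attempts and the app server's internet egress are all denied; the per-source tally then singles out 10.10.1.15 as the host probing across segments, which is the signal a SOC would want from a microsegmentation platform.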
ColorTokens offers the premier solution for securing the diverse digital operations of hospitals and healthcare organizations, which may include data center servers, cloud workloads, containerized applications, legacy OS devices, shared Nursing and Provider workstations, Epic or other EHR systems, and networked medical devices. Hospitals’ digital landscape is often further complicated due to shared access with third-party partner organizations such as pharmacies, diagnostic labs, and consulting specialist organizations. ColorTokens Xshield Enterprise Microsegmentation Platform™ was evaluated with the highest possible score for Operational Technology, Healthcare, and IoT in the recent Forrester Wave for Microsegmentation Solutions™, Q3 2024. (The report can be accessed free of charge here.)
The challenge of securing this complex landscape is handled by the Xshield platform by first providing a visualization of all network resources and assets and a view of the traffic occurring between them, as seen in the figure below:
The platform uses automated policy recommendations to prevent unauthorized traffic and stop the propagation of ransomware and malware. It provides hospitals with the cyber resiliency to continue digital operations even during cyberattacks, hardens the computing landscape to protect crown jewels such as EMR applications, manages how third parties access digital operations, and ensures compliance with regulatory expectations while cyberattacks happen.
For more information on how microsegmentation can secure your hospital’s critical digital operations, please check: Breach Readiness for Hospitals & Healthcare Providers.