12 Days Without Revenue: Ransomware Fallout Continues in Healthcare Sector

The American Hospital Association (AHA) calls a recent ransomware attack that’s disrupting hospitals and pharmacies “unprecedented” in the healthcare industry. AHA President and CEO Richard Pollack explained why in a letter to U.S. Secretary of Health and Human Services Xavier Becerra: 
 
“According to Change Healthcare, the company processes 15 billion health care transactions annually and touches 1 in every 3 patient records. These transactions include a range of services that directly affect patient care, including clinical decision support, eligibility verifications and pharmacy operations. All of these have been disrupted over the past several days.”

He also expressed concern that with hospitals and clinics unable to process claims through the company, some “may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work...”

And according to the American Medical Association (AMA), impacted medical practices have now gone twelve days without revenue.

Patients are also feeling the cyberattack fallout, especially when they need prescriptions. Reports say some are being denied their medicines while others must pay full price for expensive drugs instead of their discounted rate. 

This developing story is the latest example that ransomware groups increasingly target the healthcare sector as they follow the money. And according to the latest BlackBerry Global Threat Intelligence Report, threat actors are now targeting the healthcare sector with more unique or “novel” malware than any other industry vertical.

Healthcare Ransomware Attack: What We Know So Far

In addition to understanding that the attack is impacting clinics, hospitals, pharmacies and patients, there is also word on attribution. Company statements confirm that Russia-based threat actor ALPHV/BlackCat is likely behind this attack. Most recently, TechCrunch reports “ALPHV took down the post claiming responsibility, sometimes an indication that the victim is negotiating with the hackers,” and Wired claims that the ransomware group just received a $22 million payment, but it is unclear which victim organization that payment is from. 

In an interesting twist, the ransomware group's infrastructure is down. And while reports say the group "blamed the feds" for this, it's possible the group's leaders may have intentionally taken things offline. Some experts believe an internal feud or exit scam is at play, with the threat group's operators making off with profits and abandoning lower-level affiliates. Others theorize the group may be rebranding and will re-establish operations in an attempt to evade law enforcement.

The entry point for this most recent healthcare attack remains unclear. However, the BlackBerry Threat Research and Intelligence Team has written extensively on how BlackCat ransomware works — it is a tool that appears to be part of the final stage of ALPHV hacking campaigns. And it is designed to extract as much value as possible from victims. With the release of this tool, the hacking group joined the malware trend of both exfiltrating and encrypting files for ransom, conducting what has become known as a “double extortion” attack. The group also pivoted to allow other threat actors to subscribe to its Ransomware-as-a-Service (RaaS) offering. The threat actor group has victims around the world.

Ransomware Attack Investigation Launched

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is now investigating this healthcare ransomware attack. The OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules for HIPAA-covered entities. In its March 13 announcement about the new investigation, it also revealed the latest data on how serious the threat landscape has become in healthcare:

"Ransomware and hacking are the primary cyber-threats in healthcare. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022."

This underscores the urgency for those in the healthcare sector to prioritize cybersecurity.

How AI Can Stop Ransomware Attacks, Including ALPHV/BlackCat

BlackBerry has demonstrated that Cylance® AI stops BlackCat before it can execute in your environment (video). And on a recent podcast episode, BlackBerry SVP, Product Engineering & Data Science Shil Sircar, explained how the company’s proprietary predictive modeling separates the good from the malicious, even if the attack is powered by a zero-day threat.

“Predictive modeling is one of the most important things because that is what stops malware. We model sequential behaviors that lead to a really bad outcome. If we change the order, if we change the sequences, how well does the model predict?” 
 
Continues Sircar, “Because the interesting thing about cybersecurity is that all of these malicious actions that malware does, these are allowed. Whether it's malicious or not, that’s dependent on whether it did something you didn't want it to do — that's what makes it malicious. Otherwise, all of these things are typical IT functions like locking your computer, changing your password, reading from memory. It’s the set of circumstances when these actions occur, that reveal if they are bad.” And this is where AI in cybersecurity really shines, but not all AI tools are created equal. It takes a mature AI model to stop advanced threats like ransomware before they can execute in your environment. 

The Tolly Group recently conducted an independent test of real-world novel malware attacks on Endpoint Protection Platforms (EPPs) and discovered drastically different outcomes when CylanceENDPOINT™ was judged against key competitors on endpoint efficacy, efficiency, and time to detect threats. The study found:

Read the Tolly Report to see the complete results or watch Real World Performance Is the Ultimate Test for Predictive AI (video).

At BlackBerry, we pioneered the use of artificial intelligence in cybersecurity more than a decade ago, and we believe CylanceAI is the necessary prescription to protect healthcare organizations from increasingly sophisticated cyberattacks that overwhelm traditional security approaches. 

Related Reading

• AI to Stop Cyberthreats: Why Organizations Can No Longer Wait
• Video Testimonial: “The Best Application of AI Is for Cybersecurity” 
• Customers Have Spoken: BlackBerry Named a 2023 Customers’ Choice for Endpoint Protection Platforms in Gartner® Peer Insights™