AHA, H-ISAC warn hospitals about Black Basta after Ascension cyberattack



The Health Information Sharing and Analysis Center on Friday issued a threat alert about the Russian-backed Black Basta ransomware group, warning of the group’s rapid attack efforts targeting the healthcare sector.

Spurred by H-ISAC, the American Hospital Association also sent a cybersecurity advisory with technical mitigation recommendations to its members.

The warning comes after a major cyberattack affecting St. Louis-based Ascension began last Wednesday and continues to hinder clinical operations.

Staff at Ascension hospitals said they were without some clinical and IT services after widespread disruptions left the health system working to restore its systems.

WHY IS IT IMPORTANT?

According to H-ISAC in its news release, at least two healthcare organizations “in Europe and the United States” have seen severe operational disruption over the past month after being attacked by Black Basta ransomware.

The AHA has warned its member hospitals that it is urgent to implement H-ISAC recommendations on protecting against the emerging threat.

John Riggi, AHA’s national advisor on cybersecurity and risk, said in a statement Friday:

“We recommend that this alert be treated with a high level of urgency and that recommended technical mitigation measures be applied. We anticipate more information about the threat will be available in due course, and this information will be further disseminated to the scene.”

According to H-ISAC, Black Basta hackers have exploited vulnerabilities related to ConnectWise ScreenConnect authentication bypass, Microsoft Windows elevation of privilege, VMware OpenSLP and Fortra GoAnywhere MFT in previous attacks.

In addition to using advanced techniques to avoid detection, Black Basta carries out its attacks with legitimate system tools.

Last Wednesday, Ascension announced for the first time that it had detected unusual activity on select technology networks.

The cybersecurity incident greatly impacted the nonprofit health system – one of the largest in the US with 140 hospitals in 19 states and the District of Columbia – resulting in patients being turned away or rescheduled and hospital staff being uncertain about patient orders, visits and appointments.

Although the health system reports that all hospitals and care centers are open, they are implementing shutdown procedures, having lost access to electronic health records, some laboratory systems, and surgical and drug systems.

In addition, staff at local Ascension hospitals were unable to contact doctors.

“We are returning to the methods of documentation that we got rid of 20 years ago,” according to a WISN report Friday.

Over the weekend, Ascension announced that it had notified law enforcement. Doing so would presumably result in the exchange of information about the attack, information that could help prevent future attacks on healthcare organizations and possibly reveal the perpetrators of any of the attacks.

“The incident highlights the importance of information sharing in the healthcare sector and with government agencies to improve defense mechanisms,” Callie Guenther, director of cyber threat research at Critical Start, a real-time risk monitoring company, told Healthcare IT News via email Thursday.

Guenther noted that Ascension’s HIPAA compliance will be scrutinized, initiating legal consequences for potentially compromised protected information and prompting future legal actions.

THE LARGER TREND

Black Basta has allegedly extorted more than $100 million since its emergence, making it a very popular ransomware, H-ISAC noted in a May 10 announcement warning that the group is a big threat to the healthcare industry.

CNN reported Friday, citing four sources briefed on the investigation, that the cyberattack — which caused ambulances to be diverted at several Ascension hospitals — was carried out using Black Basta ransomware.

Information security experts from various companies weighed in on the Ascension attack – the most recent major breach in recent weeks, following other incidents involving Kaiser Permanente, Change Healthcare and other companies.

“Mandiant/Google is involved and that is a sign of a serious situation,” Satyam Tyagi, vice president at ColorTokens, a micro-segmentation platform provider, said via email.

Their request for partners to disconnect from their networks is “another indication that the extent of the damage is yet to be determined.”

Stephen Kowski, field CTO at SlashNext, a developer of artificial intelligence technology that protects against phishing and social engineering attacks, agreed that disconnection is a deterrent to prevent the spread.

It “underscores the sophistication of the attack, which may have involved social engineering tactics,” he said via email.

“Healthcare organizations should adopt AI-powered security tools capable of detecting anomalous behavior indicative of social engineering, enhancing their resilience against such coordinated attacks.”

With the advancement of large language models and general artificial intelligence tools, cybercriminals are able to create more sophisticated phishing attacks, a method often exploited to gain an initial foothold in an organization.

While more than 85% of health systems have significantly increased IT spending by 2024, hospitals with limited resources find it difficult to allocate increased budgets to increased security protections.

For that reason, many industry observers continue to say that now is the time for government funding of the critical sector.

Wes Wright, Ordr’s chief healthcare officer, said in November that protecting large electronic attack surfaces created with meaningful use requirements is challenging for small hospitals in particular.

Ascension has been selling off hospitals over the past several years and most recently signed an agreement with MyMichigan Health to divest three additional acute care and ambulatory surgery facilities in northern Michigan.

ON THE RECORD

“We have notified law enforcement as well as government partners including the FBI, the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and AHA,” an Ascension spokesperson said in an update Saturday.

“We remain in close contact with the FBI and CISA, and we are sharing relevant threat intelligence with H-ISAC so that our industry partners and colleagues can take steps to protect themselves from similar incidents.”

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
