Ascension: What We Know & What You Can Do Now

An update from Clearwater CEO Steve Cagle

Last week, Clearwater posted a notice on LinkedIn informing our network that Ascension, a 140-hospital health system, is suffering from a ransomware attack. As of today Ascension is still working to investigate and restore its systems and has urged its business partners to temporarily disconnect from all of Ascension’s systems. They have said they are “making progress” but that it “will take time to complete” across each of its care sites. This has been a highly disruptive attack, impacting access to electronic health records, some phone systems, and “various systems utilized to order certain tests, procedures, and medications,” and they expect to be on “downtime procedure for some time.”

What We Know

The ransomware threat actor is Black Basta, which began its attacks in April 2022 and is thought to be an offshoot of the Russian-speaking ransomware-as-a-service (RaaS) threat group Conti, or to include some Conti members. Conti used RaaS to deploy destructive ransomware attacks that target critical infrastructure, especially in the health and public health sector, bringing in over $100 million in profits. Other researchers observed links to the Russian-speaking RaaS threat group FIN7 (which is also thought to have links to BlackCat/ALPHV, which was behind the Change Healthcare attack). The Health Sector Cybersecurity Coordination Center (HC3) published this Threat Profile in March 2023. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.

Since the attack, new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) were made available through a joint Cybersecurity Advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA): "#StopRansomware: Black Basta". Additional threat intelligence is now available from H-ISAC (Health Information Sharing and Analysis Center): "Black Basta Threat Actor Emerges as a Major Threat to the Healthcare Industry".

Implications for Healthcare

On the heels of the Change Healthcare attack, the Ascension attack is yet another reminder that threat actors are highly sophisticated and capable of successfully attacking even very large health organizations, causing severe disruptive effects that impact patient safety and cause extensive financial damage. This is why healthcare organizations must conduct ongoing risk analysis at the asset level and respond to, track, and manage risk remediation. They must conduct continuous/ongoing risk analysis because the attack surface and threats are constantly changing. Yesterday’s risks are not necessarily those of today—in other words, even if you’re “secure” today, that does not mean you’ll be secure tomorrow.

In an interview last week, OCR Director Melanie Fontes Rainer said that OCR’s top enforcement focus overall is the HIPAA Security Rule’s risk analysis requirement, calling it OCR’s “risk analysis initiative.” She stated that many organizations don’t do it or don’t do it correctly. She also said this is “a significant weakness among many regulated organizations of all sizes.” OCR has been very clear; they have repeatedly stated that poor risk analysis practices are the major contributing factor to ransomware and the many significant breaches reported to the agency. It could not have been more clearly stated by the Director:

“This is a big issue that affects our entire healthcare system. It’s one in which we’re really trying to drive compliance across the system working through with our HHS partners…We’re thinking about it both in the enforcement end and also as we think about policy and updating the HIPAA Security Rule.”

What Healthcare Leaders Should Do Now

If you’re behind on your risk analysis, have never completed one, or suspect it wasn’t done adequately or correctly, now is the time to fix it.

Clearwater continues to advocate for asset-based risk analysis as it’s the very best strategy for healthcare organizations to identify and reduce cybersecurity risks. Clearwater’s OCR-Quality® Risk Analysis methodology is proven against the highest standards with a 100% OCR success rate. The nation’s top healthcare security and privacy attorneys often choose it as a trusted response to addressing OCR Corrective Action Plans. This approach to risk analysis goes deeper and is more rigorous, enabling organizations to identify unknown risks so they can mitigate them and prevent avoidable breaches.

No organization can be risk-free, but it can stay ahead of cyber criminals and avoid catastrophes like the ones we’ve seen already this year by knowing where its largest risks are and focusing control investments on the highest priority risks first, driving resilience to an attack.

What’s Next

Clearwater will continue to monitor the situation at Ascension and work to keep clients and the larger healthcare community informed as we learn new information. Much like we did during the early days of the Change Healthcare attack, we will share resources, best practices, and guidance from trusted industry resources.

If you need help strengthening your risk analysis, developing a cybersecurity strategy, or driving cyber resilience in your organization, Clearwater has a full portfolio of programs and services to help you improve and execute your security and compliance programs and prepare to detect, respond to, and recover from an attack should one occur. We’d love to help; let’s schedule a call.
