While the assassination of health insurance CEO Brian Thompson on the streets of central New York last week has been grabbing headlines this month, life-endangering cyber-attacks on the US healthcare industry are escalating at an alarming rate. Once again, the pressing need for both IT and physical security could not be clearer.
According to John Riggi, national advisor for healthcare security and risk at the American Hospital Association, healthcare security must now be seen as far more than just an IT issue. This year has seen what amounts to a sea change in how healthcare executives must view not only their own personal security but also the impact of cyber-attacks, both on their bottom line and on the lives and well-being of patients.
For example, until relatively recently the healthcare industry was seen as off-limits for ransomware attacks, with cybercriminal gangs wishing to appear to adhere to some kind of moral code. But, according to observers such as Riggi, that brief period of respite can now be consigned to ancient history. Riggi expresses growing concern about the rise of ransomware attacks targeting critical supply chains, especially those related to blood and plasma.
He highlights the ransomware attack on UK-based Synnovis, part of SynLab, in June 2024, which left some patients in London unable to get blood test results for more than three months. In the US, the Change Healthcare cyberattack disrupted healthcare systems nationwide earlier this year and is alleged to have started when hackers entered a server that lacked basic multifactor authentication. Riggi also pointed out the international nature of the threat, linking the attack to the Russian-based BlackCat ransomware group.
“These ransomware groups have identified the wiring diagram for healthcare. They know where the weak points are,” he said. “Hospitals must reevaluate their third-party risk management programs and identify strategic providers, ensuring that their operations won’t come to a halt if one of these providers is attacked,” warns Riggi.
In 2023, the breach of MOVEit, a supposedly secure file transfer system, gave Russian ransomware group Clop access to sensitive healthcare information. The breach meant that the number of individuals impacted by data theft rose fivefold from 2020 to 2023. While 44 million individuals were affected in 2022, this figure jumped to 136 million in 2023. This steep growth has continued in 2024 with 156 million individuals’ healthcare records being compromised, largely due to the Change Healthcare attack.
Thompson shooting also highlights online security concerns
The shooting of UnitedHealthcare CEO Brian Thompson in midtown Manhattan in New York must also be seen in terms of online security. It now seems that the assassin, Luigi Mangione, was able to pinpoint Thompson’s exact location on the fateful morning of Wednesday, December 4, 2024, simply by viewing freely available online information regarding a conference Thompson had been due to attend. It also now appears that Mangione, a software engineer, may have made the so-called “ghost gun” used to kill Thompson either from parts ordered online or by simply 3D printing the lethal weapon.
In a bizarre twist to the story, menacing posters have appeared on Canal Street, one of Manhattan’s busiest thoroughfares, featuring pictures of Thompson, OptumHealth CEO Heather Cianfrocco, and UnitedHealth Group CEO Andrew Witty, with the words: “Wanted. Denying medical care for corporate profit. Health care CEOs should not feel safe.” The posters are now sparking fears of copycat assassination attempts targeting prominent US healthcare executives. Some healthcare organizations are already believed to be removing pictures of top executives from their websites.
The healthcare industry must now step back and take a fresh look not only at its exposure to ransomware and other online attacks but also at how much information is released about executives and their whereabouts at any given time. Riggi is also urging the healthcare industry to take proactive steps to mitigate cyber risk. This includes the implementation of cybersecurity frameworks such as the Healthcare Cybersecurity Performance Goals, which he believes could become mandatory in 2025.