this is the 3rd or 4th data breach for them in the last 4-5 years. i know several people that have and continue to work for them in IT. shitshow is an understatement.

healthcare at best is 10-20 years behind the industry when it comes to security. i deal with facilities everyday that don't even have security.

We dealt with a hospital a couple of years ago that got hit. they had a firewall because their cyber insurance mandated it. it was racked plugged in and looked pretty. Had never been configured. traffic rules were any/any and the default install password never changed. they were "complaint" for insurance.

This is the general state of IT security in the majority of healthcare today. if you want a good laugh read the congressional testimony on the change healthcare breach. 70% of the market share of pharmacy billing and the level of just outright negligence is astounding. Executives need to be in jail for that one.

you would have thought that at the last 3 breeches they had but no.

a lot of folks don't realize this is bigger than 1 healthcare group getting hit and going offline.

Their facilities have data connections to other facilities in the areas as well. those facilities now have to sever connections and begin threat hunting  internally to ensure nothing crossed to them as well. we are going to likely find blackbasta was in their network for months before encrypting them.  That's the norm for that group. no telling what 3rd party fallout may come from this as well.

here's the dirty little secret. many times audits have been done at the base level as they can be required for compliance and insurance requirements. these findings are almost never unknowns for them. employees and auditors knew full well these were problems, managers simply ignored them and either hid them from execs that legit do not want to know so they don't have to spend money to fix them.

it becomes secondary risk acceptance through complacency as they have a culture bad communication and leadership.

https://therecord.media/black-basta-ransomware-alert-healthcare-fbi-cisa-hhs

After Ascension ransomware attack, feds issue alert on Black Basta group

Several U.S. government agencies warned that the Black Basta ransomware gang is targeting the healthcare industry and 12 of the 16 critical infrastructure sectors.

In a Friday afternoon advisory, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) said Black Basta has attacked at least 500 organizations globally between April 2022 and May 2024.

According to the agencies, the ransomware-as-a-service gang typically breaches organizations through phishing attacks and known vulnerabilities but does not provide ransom demands or payment information immediately.

Victims are given a unique code and link to communicate with the ransomware gang. Many victims are given between 10 and 12 days to pay a ransom before stolen data is published.

The advisory comes after CNN reported on Thursday night that four sources said the Black Basta ransomware was behind the attack on nonprofit healthcare system Ascension.

The Catholic organization runs hundreds of hospitals across the U.S. and has been forced to turn away ambulances, revert to paper records and cancel non-emergency appointments this week due to the technology outages caused by the incident.

Several federal agencies, including HHS and the FBI are involved in the recovery effort. An HHS spokesperson told Recorded Future News that the department is in communication with Ascension Leadership “to understand their efforts to minimize any disruptions to patient care.”

“This incident serves as an important reminder of the urgency of strengthening cybersecurity resiliency in healthcare. HHS encourages all providers, technology vendors, payers, and members of the healthcare ecosystem to double down on cybersecurity,” they said.

The departments said that in February, Black Basta affiliates began exploiting CVE-2024-1709, a vulnerability affecting ConnectWise’s ScreenConnect which allows for secure remote desktop access and mobile device support.

The bug was immediately used by several ransomware gangs when it emerged and caused panic because of its widespread usage among managed service providers (MSPs).

Friday’s advisory warned that affiliates also use tools like the SoftPerfect network scanner to search networks for vulnerable tools. Other vulnerabilities exploited by the group include ZeroLogon, NoPac and PrintNightmare, according to the agencies.

The agencies specifically warned that healthcare organizations “are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.”

HHS said last year that the group “may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups.”

Industry group Health-ISAC released its own advisory on Friday about Black Basta and said data shows it has extorted at least $100 million dollars since its emergence.

“In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions,” Health-ISAC said. “Taking these latest developments into consideration, Health-ISAC has assessed that Black Basta represents a significant threat to the healthcare sector.”

Black Basta has taken credit for brazen attacks on the Dish Network, the American Dental Association, British outsourcing company Capita, Swiss tech giant ABB and German arms company Rheinmetall.

Since emerging, it has become the fourth-most active strain of ransomware based on the number of victims tracked over the last year, according to one report.

https://therecord.media/cybersecurity-regulations-healthcare-industry-anne-neuberger-rsa

As White House preps new cyber rules for healthcare, Neuberger says backlash is unwarranted
SAN FRANCISCO — White House official Anne Neuberger said cybersecurity regulations for the healthcare industry are coming, and she questioned the emerging industry backlash to them, citing several recent high-profile incidents where basic measures would have prevented extraordinary harm.

Speaking at the RSA Conference on Thursday, Neuberger said government officials have been asking hospitals and healthcare organizations to take basic steps to protect themselves and patient data for more than a decade.  

Efforts to get the healthcare industry to adopt multi-factor authentication, offline backups and encrypted data have fallen on deaf ears, she explained, prompting the U.S. government to take further action.

“People now often say, ‘Well, they're revictimizing the victim,’” by lining up additional regulatory requirements for the industry, said Neuberger, who is the deputy national security adviser for cyber. “And I think we need to look at it as, by the time a Change Healthcare attack happens, when for a decade, we've been calling and saying ‘companies, encrypt your data, use MFA.’ Are they still a victim? Or is there a question of, is this negligence?”

It’s fair to say “that there’s an expectation of good housekeeping if you're operating a hospital, if you're operating a pipeline.” she said.

She went on to criticize UnitedHealth Group for not having patient data encrypted in Change Healthcare unit, a subsidiary, before it was hacked earlier this year. Neuberger argued that if the data had been properly protected, the ransomware gang that breached company networks would not have been able to do much with it.

UnitedHealth CEO Andrew Witty told Congress last week that likely a third of all Americans may have had their information stolen during the ransomware attack on its subsidiary Change Healthcare.

Neuberger told the audience that the federal government is currently working with the hospital sector to put in place minimum requirements “to help hospitals ensure that they are doing what they need to to keep patients safe.”

“We'll be rolling out a free cybersecurity program to the country’s 1,400 rural [healthcare] networks in the next couple of months. We'll also be rolling out these new cybersecurity rules for hospitals,” she told Recorded Future News after the onstage conversation.

Just so we’re clear:  this was a ransomware attack?  The kind that requires a user on the network to click a suspect link in an email, which initiates the attack?

this is what is currently reported. early reports have mentioned the screenconnect cve as part of the attack path but these almost all start with a phishing link that gets a machine compromised.

paper records get stolen all the time. former job we routinely had bankers boxes of medical records come up "missing" from clinic offices.

you would honest to god be amazed at the push back security teams get for simply making sys admins patch systems. especially in healthcare.