Electronic Health Reporter

In the throes of an ever-intensifying cybersecurity crisis, the healthcare sector is under siege, grappling with the fallout from a wave of ransomware attacks. Among the prominent victims are Ardent Health Services and Norton Healthcare, two pillars of the industry facing sophisticated cyber threats. These incidents, and many others, coupled with a new study led by MIT professor Stuart Madnick, paint a bleak picture of the industry’s vulnerability to cyber adversaries.

Ardent Health Services, a health system overseeing 30 hospitals and more than 200 care sites across six states, was the victim of a significant ransomware attack in late November, necessitating the diversion of emergency room patients and rescheduling non-urgent procedures. The fallout has prompted Ardent to take its network offline, suspend user access to critical IT applications, and launch an effort with cybersecurity partners to restore normal operations rapidly.

Usman Choudhary, chief product and technology officer at VIPRE Security Group, said the pervasive greed among ransomware groups and calls for unity within the security community underscores the critical need for accessible and affordable cybersecurity solutions. Even advanced technical protections are futile if hindered by prohibitive costs or complexity, Choudhary said.

Norton Healthcare, another healthcare provider managing eight hospitals across Kentucky and Indiana, suffered a significant data breach impacting up to 2.5 million individuals throughout 2023. The breach took place between May 7 and 9, 2023, exposing personal and protected health information of patients and employees.

This incident at Norton Healthcare amplifies the broader concerns outlined in Stuart Madnick’s report, funded by Apple, showing that ransomware attacks during the first nine months of 2023 surpassed the total from all of 2022. Ransomware attacks impacted more than 360 million people through August of this year.

Madnick attributes this surge to the evolving organization of ransomware groups, now operating as sophisticated gangs that strategically target organizations with critical user data, particularly in government and healthcare facilities. Additionally concerning is the increasing reliance of cyber criminals on secondary vendors as gateways to their primary targets.

According to Madnick, 98% of business and government groups are connected to companies that have fallen victim to cybercriminals in the past year.

The Norton Healthcare breach, reported to the HHS’ Office for Civil Rights in July, underscores the pressing need for robust cybersecurity measures, especially within the healthcare sector. Ransomware attacks on hospitals are hazardous, limiting access to patient records and compelling healthcare providers to redirect patients to alternative facilities.

Steve Moore, vice president and chief security strategist at Exabeam, says these incidents are worst-case scenarios, emphasizing the profound impact on the quality of care and life.

Kayla Underkoffler, lead security technologist at HackerOne, adds that the heightened risk healthcare organizations face, especially during the holiday season, is unprecedented. Underkoffer encourages health system leaders to learn from other sectors, such as government and financial services, which have successfully implemented Vulnerability Disclosure Programs to enhance security maturity.

As the healthcare industry navigates this crisis, Madnick’s report recommends companies collect less data from consumers, particularly when not encrypting user data. The study advocates increased reliance on end-to-end encryption tools to fortify data security.

Tech giants, including Microsoft, Apple, Meta, and Google, already offer varying forms of end-to-end encryption, ensuring that only the data sender and recipient can access sensitive information. However, the broader industry, encompassing healthcare providers and technology innovators, must collaborate to fortify defenses against evolving cyber threats.

Choudhary says the urgent need for comprehensive cybersecurity measures, collaboration, and proactive strategies becomes increasingly apparent. The affected organizations, Ardent Health Services and Norton Healthcare, and the broader healthcare and technology sectors must address these concerns to safeguard patient data and ensure uninterrupted medical services in the face of evolving and sophisticated cyber threats.