Ransomware gangs are rarely known for their ethics, but there have been times in which a sliver of humanity has shown through the cracks.
At the beginning of the pandemic, when hospitals were overrun with patients and the healthcare system was strained to its operating limits, two ransomware groups said targeting hospitals and healthcare was a bridge too far.
DoppelPaymer and Maze said they didn’t target health care companies, local governments, or 911 services. If those organizations accidentally became infected, the operators of the ransomware groups said they would supply a free decryptor.
That truce didn't last long. The lure of easy money and the unwillingness of other competing gangs to shut off a lucrative revenue stream brought everything back to business as usual.
But the cracks in the armor have started to appear again.
Right before Christmas in 2023, LockBit made a rare public apology. One of their affiliates attacked a hospital in Canada. A free decryptor allowed the hospital to begin recovery operations.
Why this unexpected change of heart?
Because the victim was SickKids, a hospital affiliated with the University of Toronto that treats sick children. Apparently, there’s a line some ransomware gangs won't cross, and it took the worst kind of press to make it happen.
In the recent Change Healthcare case, the Department of Health and Human Services (HHS) has been working very closely with the Biden administration in the aftermath of the massive breach. The Office of Civil Rights at HHS has opened an investigation into how the attack happened, with one line of inquiry being whether or not Change Healthcare, a subsidiary of UnitedHealth Group, followed HIPAA rules.
HIPAA rules are not the issue. Looking back at every major or minor healthcare breach, HIPAA compliance was mainly a non-factor. Whether it was a Chinese national breaching Anthem Healthcare, as confirmed by a Department of Justice indictment, or one of a dozen breaches by various ransomware gangs, no one cared about HIPAA compliance.
In November of 2013, I was one of four expert witnesses testifying before the U.S. House of Representatives Science, Space and Technology Committee about the safety of data on Healthcare.gov. Little did we know then how much ransomware would dominate the healthcare industry and become the most insidious and pervasive threat.
I watched in fascination as my fellow expert, friend, and hacker Dave Kennedy walked members of Congress through a live demonstration of exploiting a website vulnerability and exposing personally identifiable information. That was as shocking as finding out Healthcare.gov still wasn't using HTTPS — a clear violation of HIPAA.
How to proceed following the Change Healthcare breach
Today, we are faced with the dilemma of Change Healthcare, and I think the industry has missed two golden opportunities to create lasting change and significant improvement.
First, it's a technology play. It's time to modernize vulnerable systems. Applying band-aids no longer works. The importance of healthcare as critical infrastructure is self-evident. What's not evident is the urgency of addressing the systemic problems, not just an issue with one provider.
In response to the SolarWinds supply chain attack, President Biden issued Executive Order 14028 on May 12, 2021. It was time for the federal government to modernize and push agencies, kicking and screaming, into modern approaches to decades-long problems.
It's time for a similar approach to health care. Yes, it will be unpopular. Yes, it will cost money. What doesn't? But it's time to stop addressing problems as individual events instead of the industrywide scourge they've become.
The other approach is to start marketing the problem. When problems get marketed, solutions tend to fall into place. Right now, we're not marketing the impact on the victims in Change Healthcare. We're discussing the organization and not the people the incident harmed.
Here’s the list: Seniors. Sick kids. People suffering from cancer. Parents who want babies but can't get pregnant. Healthy adults losing their eyesight. Grandparents suffering from heart disease. Dementia. Real people, facing real diseases.
When ALPHV/BlackCat compromised Lehigh Valley Health Network and leaked nude photos of breast cancer patients, there was more coverage about the process of notification and the investigation than there was outrage over the leak itself.
ALPHV/BlackCat and their affiliates haven't attacked Change Healthcare. This time, they've attacked our families. Do we want to stop, or at least slow down, future ransomware attacks on healthcare?
Adding to the drama is the apparent stiffing of the affiliate that initiated the attack against Change Healthcare, a Chinese-linked criminal group. The group was reportedly denied its commission on the $22 million payout, signaling a round of internecine warfare between criminals.
It appears there’s truly no honor among thieves. This time, it may signal one of two scenarios. The first: ALPHV/BlackCat punishing their affiliate for attacking healthcare. The second: ALPHV/BlackCat realizing their ticket was going to get punched again by the FBI. Either way, it’s a messy exit.
If we want to solve the problem, we have to make it real and personal. If we change our focus, we can change the impact.
We now have a chance to focus public outrage on the real victims: patients. Granted, health organizations are not getting paid as fast, but who do they serve? I don't believe we'll succeed in shaming ransomware gangs into proper behavior.
But we can out-market them by controlling the narrative and then modernizing our healthcare infrastructure at the same time.
Morgan Wright, chief security advisor, SentinelOne