AHA and H-ISAC warn hospitals about Black Basta after the Ascension cyber attack

The Health Information Sharing and Analysis Center (H-ISAC) issued a threat warning Friday on Russian-backed ransomware group Black Basta, citing its accelerated attack efforts on the healthcare sector.

At the request of H-ISAC, the American Hospital Association also sent a cybersecurity advisory with technical mitigation recommendations to its members.

The warnings come in the wake of a major cyberattack impacting the St. Louis-based Ascension health system, which began last Wednesday and continues to hamper clinical operations.

Staff at Ascension hospitals reported being blinded with certain clinical and IT services, including imaging, following a widespread disruption that left the healthcare system scrambling to restore its systems.

WHY IT MATTERS

At least two healthcare organizations “in Europe and the United States” have suffered severe operational disruptions in the past month after being hit by the Black Basta ransomware, H-ISAC said in the new bulletin.

The AHA has warned its member hospitals of the urgency to heed H-ISAC’s recommendations on defending against the emerging threat.

“Recent, actionable threat intelligence provided by our partners in the Health-ISAC and government agencies indicates that this well-known Russian-speaking group is actively targeting the US and global healthcare industries with powerful ransomware attacks designed to disrupt operations,” John Riggi, AHA’s national advisor on cybersecurity and risk, said in a statement Friday.

“It is recommended to review this alert with high urgency and implement the recommended technical measures. We expect additional threat information in the short term, which will be further disseminated to the field.”

According to H-ISAC, Black Basta cyber actors have exploited vulnerabilities related to ConnectWise ScreenConnect authentication bypass, Microsoft Windows privilege elevation, VMware OpenSLP, and Fortra GoAnywhere MFT in previous attacks.

In addition to using advanced techniques to evade detection, Black Basta actors carry out their attacks with legitimate system tools.

Last Wednesday, Ascension first announced that it had discovered unusual activity on select technology network systems.

The cybersecurity incident has had a major impact on the nonprofit health care system – one of the largest systems in the United States with 140 hospitals in 19 states and the District of Columbia – resulting in patients being turned away or rescheduled and hospital staff unsure of the orders as patients come in for tests and appointments.

While the health care system reports that all hospitals and care centers are open, they are in downtime procedures because they have lost access to their electronic medical records, certain laboratory systems, and surgical and medication systems.

Staff at local Ascension hospitals also cannot call doctors.

“We’re back to the documentation methods we moved away from 20 years ago,” said Gavin Rice, an imaging professional at Saint Francis Hospital in Milwaukee and a member of the Wisconsin Federation of Nurses and Health Professionals, as ABC’s WISN reported on Friday.

Over the weekend, Ascension said it had notified police. This is likely to lead to information sharing about the attack, information that could help prevent future attacks on healthcare organizations and reveal any culpability for the attack.

“The incident highlights the importance of sharing information within the healthcare industry and with government agencies to improve defenses,” Callie Guenther, cyber threat research manager at Critical Start, a real-time risk monitoring company, told Healthcare IT News Thursday by email.

Guenther noted that Ascension’s HIPAA compliance will come under scrutiny, which will have legal implications for potentially compromised protected information and catalyze future regulatory actions.

THE BIG TREND

Black Basta has reportedly extorted more than $100 million since its emergence, making it a highly prolific ransomware. The H-ISAC noted in its May 10 announcement that the group poses a major threat to health care.

Citing four sources aware of the investigation, CNN reported on Friday that the cyber attack – the cause of ambulance diversions at some Ascension hospitals – was caused by a Black Basta ransomware attack.

Information security experts from many different companies have weighed in on the Ascension attack – the latest major breach in recent weeks, following other incidents involving Kaiser Permanente, Change Healthcare and others.

“Mandiant/Google are involved and that is an indicator of a serious situation,” Satyam Tyagi, vice president of ColorTokens, a provider of micro-segmentation platforms, said by email.

The fact that they have asked their partners to disconnect from their network is “another indicator that the extent of the damage has not yet been determined.”

Stephen Kowski, field CTO at SlashNext, a developer of artificial intelligence technology that defends against spear phishing and social engineering attacks, agreed that disconnecting is a mitigation measure to stop the spread.

It “underlines the sophistication of the attack, which likely involves social engineering tactics,” he said by email.

“Healthcare organizations should adopt AI-powered security tools that can detect anomalous behavior indicative of social engineering, thereby increasing their resilience against such coordinated attacks,” he said.

With the advancement of large language models and generative artificial intelligence tools, cybercriminals can create increasingly sophisticated phishing attacks, an often exploited method of gaining a foothold in an organization.

While more than 85% of healthcare systems have significantly increased their IT spending by 2024, it is difficult for resource-constrained hospitals to allocate budget increases to ever-increasing security measures.

For that reason, many industry observers continue to suggest that now is the time for the government to fund the crucial sector.

Protecting the large electronic attack surfaces created with meaningful use requirements is especially challenging for small hospitals, Wes Wright, Ordr’s chief medical officer, said in November.

Ascension has been selling hospitals in recent years and recently signed a contract agreement with MyMichigan Health to divest three more ambulatory surgery and acute care facilities in northern Michigan.

ON THE RECORD

“We have notified law enforcement, as well as government partners, including the FBI, the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the AHA,” an Ascension spokesperson said in an update Saturday.

“We remain in close contact with the FBI and CISA, and we share relevant threat information with the H-ISAC so that our industry partners and colleagues can take steps to protect themselves from similar incidents.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.