Every server a target
Amassive cyberattack on UnitedHealth subsidiary Change Healthcare has left pharmacists around the country unable to fill electronic prescriptions for a week, including thousands in New York. It’s not clear yet when the systems will be back online, but in the meantime, millions of people are unable to get what might be crucial medications, all because of one hack.
This incident is a perfect storm of sorts. It illustrates some of the dangers of outsourcing and consolidation, where one large contractor handling a critical part of the broader chain of health care services can be targeted and take down something as crucial as prescriptions processing for pharmacists nationwide.
It includes the vulnerability inherent in information systems that are these days centralized and online, with entire databases and services that can be compromised or stolen as a result of a single purloined password or some software vulnerability.
The days of paper or floppy disks were more cumbersome and less efficient, certainly, but they had the upside of making it difficult to broach them. Now, a skilled hacker thousands of miles away can bring down a U.S. hospital system in an afternoon.
While Change Healthcare had initially told the Securities and Exchange Commission in a memo that it believed the attack was the work of a “nation-state associated cybersecurity threat actor,” it now seems like the ransomware hacking group Blackcat may have been behind it.
Perhaps the company’s assessment was based on the lingering presumption that this is the type of thing that falls under the umbrella of war, with governments using cyberattacks in lieu of tanks and bombs. That’s undoubtedly still a real issue, and something that we must be prepared for from our foes on the international stage; indeed, Vladimir Putin has paired his ground war in Ukraine with a campaign of cyberattack on Ukrainians. N onetheless, it’s a mistake to think that this is the preeminent source for concern. Cyberattacks on critical institutions are becoming practically commonplace, and often launched not from foreign barracks and intelligence agencies but small groups of hackers who have much more quotidian objectives in mind: money, and the ease of making it by targeting faraway, relatively soft targets.
Victims targeted often have little choice but to comply with anonymous attackers that could be anywhere, holding sensitive data hostage until they pony up. Ransomware gangs have gotten increasingly brazen over the last several years, now openly boasting on social media and attacking law enforcement agencies themselves.
We have to accept that this new reality means that no one should be lax on cybersecurity. It’s not just dams and power plants anymore, hospitals, police departments, universities, transit agencies and all manner of other institutions of public significance should view themselves as targets and act accordingly, ideally with government support. Just as the state provides some manner of traditional police protection for all these entities, it should be prepared to provide some level of cyber protection.
It’s a good start for agencies like the state Department of Health to mandate certain cybersecurity standards, but the next step is to pool resources to help with compliance. This is a problem for all of us now, and there’s no sign that things are going to get better.