Recent studies have estimated that as many as 90% of successful cyberattacks and 70% of data breaches originate at the endpoint. This growing issue is especially impactful within healthcare systems nationwide. In 2023, HHS OCR disclosed a record high of 725 data breaches, exposing 133 million hospital and patient records. This alarming report was not alone in its findings. Digging deeper, the 2024 Horizon Report found that 80% of healthcare breaches came from hacking, such as malware attacks, phishing, spyware, or ransomware. Of the various forms of hacking, the HIMSS Healthcare Cybersecurity Survey found that 57% of respondents reported phishing as their most significant security incident. Despite hacking ranking as the most common reason for breaches, most hospitals do not use basic credential protection and endpoint security measures to protect themselves and their patients; Black Basta picked up on this as well.
About Black Basta
Black Basta is delivered as a ransomware-as-a-service (RaaS) offering, making the barrier to entry for a potential attacker very low. RaaS vendors generally provide their customers with full technical support and make it a turn-key operation for criminal enterprises. Black Basta was first seen in the wild in April 2022 and has targeted over 500 private industry and critical infrastructure organizations, including healthcare companies, in North America, Europe and Australia. In their first few months of operation, they attacked 19 prominent enterprises and were responsible for more than 100 confirmed victims. The group uses a double extortion tactic, encrypting the victim’s data and servers, as well as ransoming their sensitive data on their public leak site. While most recent hacks and attempts have targeted healthcare systems, such as Ascension Healthcare, Black Basta is also responsible for several significant hacks such as the attack on Dish Network, the American Dental Association, The Toronto Public Library system, Capita, ABB and many more.
Today, Black Basta remains at large. The group’s structure has shifted, splitting off into smaller groups that can be linked through their similar attack practices and vulnerabilities. That said, there are ways to protect yourself and your organization from these threat actors.
Prevention and Protection
In response to the increasing cyber threats identified by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) as the Black Basta group, healthcare facilities are actively searching for stronger system security. In their advisory, the agencies offered preventive options and response mitigation suggestions every organization should look into. These included:
- Backing up data regularly
- Storing data offline or off-network
- Continuously updating software and hardware as the latest security patches are released
- Using strong passwords and multi-factor authentication for all accounts and systems
- Requiring all employees to receive training on recognizing and avoiding phishing attempts
- Implementing network segmentation and access control policies to limit the exposure of sensitive data and systems
- Using antivirus software and firewalls to detect and block malicious traffic and activity
- Reporting any ransomware incidents to your local FBI field office or CISA
While all organizations are advised to utilize antivirus software, use caution with suspicious emails, educate staff about phishing and back up their data, organizations are now also advised to bulk up their protection through more proactive approaches, such as that provided by the IGEL Preventative Security Model.
This model prioritizes proactive prevention over merely reactive measures, ensuring that healthcare organizations are responsive and fortified ahead of sophisticated malware and ransomware attacks that exploit endpoint vulnerabilities. As threats like Black Basta continue to evolve, employing advanced tactics such as spear phishing and exploiting critical vulnerabilities within commonly used software, the emphasis on robust endpoint security and comprehensive threat prevention strategies has never been more important.
Security Begins at the System Level
To use preventative endpoint security, healthcare organizations require a proactive and secure operating system (OS) on all employee endpoints. A secure OS will significantly reduce the risk of an attack vector infiltrating through human error or stolen credentials.
When looking for a secure OS, ensure it will effectively minimize the attackable surface by removing the vulnerabilities at the endpoint targeted by cyber-criminals. To deliver the greatest protection, a secure OS should…
- Ensure that no local data is stored at the endpoint, which prevents the download of potentially malicious attachments or code to the endpoint.
- Be read-only, so that malicious changes cannot be made to the OS itself.
- Deliver a secure boot process, cryptographically checking each operating system module and resetting the OS to a known secure state should tampering be detected.
- Integrate with MFA and SSO, including Microsoft Entra ID, Imprivata, Okta, Ping and AuthX, to reduce the potential of stolen credential attacks while keeping clinical workflows optimal.
- Support a modular design to reduce the endpoint attack surface by only deploying the necessary software components and applications.
Utilizing a secure OS will remove a critical part of the attack chain by eliminating the endpoint as an attack vector and integrating it with MFA solutions to reduce the chances of stolen credential attacks. That said, user education will always be a critical aspect of any security planning and should not be ignored.
To truly protect our healthcare systems from threat actors like Black Basta, organizations must take a multifaceted approach, heeding the advice from CISA and investing in proactive approaches such as the IGEL Preventative Security Model.
About the Author
Jason Mafera is field CTO, North America for IGEL. He comes to IGEL with more than 20 years of experience in the delivery of cybersecurity-focused enterprise and SaaS solution offerings and has worked for a broad range of companies from start-ups and pre-IPO organizations to public and privately backed firms. Prior to joining IGEL in October 2022, Mafera served as Head of Product and then Vice President of Sales Engineering and Customer Success for Tausight, an early-stage startup and provider of healthcare software focused on delivering real-time intelligence for securing and reducing compromise of electronic Personal Health Information (ePHI) at the edge. Before that, he held a succession of leadership roles with digital identity provider Imprivata. Mafera spent 12 years at Imprivata, first defining and driving to market the OneSign Authentication Management and VDA solutions, then leading the Office of the CTO. Early on in his career, he was a systems engineer and later product manager at RSA, The Security Division of EMC.
Jason Mafera can be reached on LinkedIn at https://www.linkedin.com/in/mafera/ and at https://www.igel.com/