AHA, H-ISAC warn hospitals about Black Basta following Ascension cyberattack
Photo: Ascension St. Vincent Anderson Hospital licensed under the PDM 1.0 DEED
The Health Information Sharing and Analysis Center issued a threat alert Friday about the Russia-backed ransomware group Black Basta, warning of its accelerated attempted attacks against the healthcare sector.
Prompted by H-ISAC, the American Hospital Association also sent a cybersecurity advisory with technical mitigation recommendations to its members.
The alerts come in the wake of a major cyberattack impacting St. Louis-based Ascension health system that started this past Wednesday and continues to hamstring clinical operations.
Staff at Ascension's hospitals reported flying blind with some clinical and IT services, including imaging, after widespread disruption that has the health system working to recover its systems.
WHY IT MATTERS
At least two healthcare organizations "in Europe and in the United States" saw serious operational disruptions in the past month after being hit with Black Basta ransomware, according to H-ISAC in the new bulletin.
The AHA has warned its member hospitals that it is urgent to heed H-ISAC's recommendations on defending against the emerging threat.
"Recent actionable threat intelligence provided by our partners in the Health-ISAC and government agencies indicate that this known Russian-speaking group is actively targeting the U.S. and global healthcare sector with high-impact ransomware attacks designed to disrupt operations," John Riggi, AHA’s national advisor for cybersecurity and risk, said in a statement Friday.
"It is recommended that this alert be reviewed with high urgency and the recommended technical mitigations be put in place. We anticipate additional threat intelligence in the near term, which will be further disseminated to the field."
According to H-ISAC, Black Basta cyber actors have breached vulnerabilities related to ConnectWise ScrenConnect authentication bypass, Microsoft Windows elevation of privilege, VMware OpenSLP and Fortra GoAnywhere MFT in previous attacks.
In addition to advanced techniques to evade detection, Black Basta cyberattacks have been executed with legitimate system tools.
This past Wednesday, Ascension first announced that it had detected unusual activity on select technology-network systems.
The cybersecurity incident has greatly affected the non-profit health system – one of the largest systems in the United States with 140 hospitals in 19 states and the District of Columbia – resulting in patients being turned away or rescheduled and hospital staff unsure of orders as patients arrive for tests and appointments.
While the health system reports that all hospitals and care centers are open, they are on downtime procedures, having lost access to their electronic health records, certain lab systems, and surgical and medication systems.
Also, staff at local Ascension hospitals cannot page doctors.
"We're back to the documentation methods that we moved away from 20 years ago," said Gavin Rice, an imaging professional at Saint Francis Hospital in Milwaukee and a member of the Wisconsin Federation of Nurses and Health Professionals, ABC's WISN reported Friday.
Over the weekend, Ascension stated that it notified law enforcement. Doing so presumably leads to information exchange on the attack, intel that could help prevent future attacks on healthcare organizations and which could reveal any culpability for the attack.
"The incident emphasizes the importance of information sharing within the healthcare sector and with government agencies to improve defense mechanisms," Callie Guenther, cyber threat research manager at Critical Start, a real-time risk monitoring firm, told Healthcare IT News by email Thursday.
Guenther noted that Ascension's HIPAA compliance will be scrutinized, initiating legal repercussions over potentially compromised protected information and catalyzing future regulatory actions.
THE LARGER TREND
Black Basta has allegedly extorted more than $100 million since its emergence, making it a highly prolific ransomware, the H-ISAC noted in its May 10 announcement warning that the group is a major threat to the healthcare industry.
According to four sources briefed on the investigation, CNN reported Friday that the cyber attack – which causes ambulance diversions at some Ascension hospitals – was caused by an attack using Black Basta ransomware.
Information security experts from many different companies have weighed in on the Ascension attack – the most recent major breach in recent weeks, following other incidents involving Kaiser Permanente, Change Healthcare and others.
"Mandiant/Google is engaged and that is an indicator of a serious situation," Satyam Tyagi, vice president of ColorTokens, a microsegmentation platform vendor, said by email.
The fact that they have requested that their partners disconnect from their network is "another indicator that the extent of the damage has not yet been identified."
Stephen Kowski, field CTO at SlashNext, a developer of artificial intelligence technology that defends against spear phishing and social engineering attacks, agreed that disconnection is a containment measure to stop the spread.
It "underscores the sophistication of the attack, likely involving social engineering tactics," he said by email.
"Healthcare organizations should adopt AI-powered security tools capable of detecting anomalous behavior indicative of social engineering, enhancing their resilience against such coordinated attacks," he said.
With the progress of large language models and generative artificial intelligence tools, cybercriminals can create more sophisticated phishing attacks, a commonly exploited method for gaining an initial foothold in an organization.
While more than 85% of health systems significantly increased their IT spending for 2024, it is difficult for resource-limited hospitals to allocate budget increases on ever-increasing security protections.
For that reason, many industry observers continue to suggest that now is the time for the government to fund the critical sector.
Protecting the large electronic attack surfaces created with meaningful use requirements is challenging for small hospitals in particular, Wes Wright, chief healthcare officer of Ordr, said in November.
Ascension has sold off hospitals over the last few years, and most recently signed an agreement with MyMichigan Health to divest three more ambulatory surgery and acute care facilities in northern Michigan.
ON THE RECORD
"We have notified law enforcement, as well as government partners including the FBI, the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the AHA," said an Ascension spokesperson in an update Saturday.
"We remain in close contact with the FBI and CISA, and we are sharing relevant threat intelligence with the H-ISAC so that our industry partners and peers can take steps to protect themselves from similar incidents."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.