LAUREN FRAYER, HOST:
By some estimates, the U.S. health care industry is worth trillions of dollar a year, and that's the kind of cash that makes it a plumb target for hackers. The effects of just two major ransomware attacks this year - one against the hospital system Ascension and the other against a payment processor, Change Healthcare - are hard to quantify. But tens of millions have been paid in ransom alone. And according to a new report from cybersecurity firm Recorded Future, these kinds of attacks are only becoming more frequent.
Andy Greenberg is a senior cybersecurity writer for WIRED and the author of "Tracers In The Dark: The Global Hunt For The Crime Lords Of Cryptocurrency." Andy, welcome to the show.
ANDY GREENBERG: Glad to be here.
FRAYER: It's been a little while since we've talked about these hacks on the show, so I wonder if you could just start off by reminding us what exactly happened with Change Healthcare.
GREENBERG: Well, in February of this year, Change Healthcare was attacked essentially by a ransomware group. And ransomware, of course, is a type of crime where hackers break into a network. They steal as much data as they can. They then encrypt the network to essentially cripple it in a reversible way and then extort the company for a ransom payment in cryptocurrency, threatening to, you know, both keep the network encrypted and thus, you know, unable to be accessed and also to leak the data that they've stolen.
FRAYER: And so that was in February, and then since then, we've also seen this hack at Ascension.
GREENBERG: Right. I mean, since then, we've seen this attack on Ascension, a network of 140 hospitals in the U.S., as well as other attacks like a - one that affected a hospital in France, where 61 gigabytes of data were stolen and leaked by another hacker group, and a third one that affected this pathology company in the U.K. which actually prevented surgeries from happening at U.K. hospitals and led to them actually not even being able to use blood donations that they had because they weren't sure if it was the right type of blood for certain patients.
FRAYER: So who's behind these attacks?
GREENBERG: Well, the attack on Change Healthcare was carried out by this group called BlackCat. And really, this is, I think the beginning of this latest wave because Change Healthcare paid a $22 million ransom to that hacker group, and that is one of the biggest ransoms I've ever heard of paid to these kind of extortion gangs.
And when it happened, you know, I was told by cybersecurity analysts, like, yes, this is bad because it's incentivizing more attacks on these incredibly sensitive targets and that this would start a new wave of this vicious cycle by essentially rewarding an extremely ruthless kind of attack that goes after these health care targets.
And then, sure enough, we have seen in the month of April, the month following that ransom payment, more health care targeting by ransomware actors than ever before - 44 different incidents, according to the cybersecurity firm Recorded Future. That's more than they've ever seen in a single month.
FRAYER: What's a company's calculus? Like, they fear data will be leaked. It will cost them millions in legal fees. It will be embarrassing for their brand. So they just say, well, let's pay?
GREENBERG: Change Healthcare is probably going to lose, according to their financial filings, $1.5 billion from the results of this incredibly really catastrophic cyber attack that's hit them and really then, you know, as follow-on effects hit hundreds of hospitals and health care providers and pharmacies around the country that they serve as a kind of almost, like, a payment processor for insurance.
So in that larger scheme, $22 million is, you know, just a drop in the bucket. If that can help them to save, you know, half a billion dollars by recovering a little bit faster or limiting the PR damage from leaking all of this data, you know, of course, that's worth it for the company.
Unfortunately, there is this external effect of that, that it then gives the hackers exactly what they want, and it rewards them, incentivizes them, to do the next attack on another health care target, another hospital.
FRAYER: So Change Healthcare paid this $22 million ransom. Then we see this spike in new attacks, which we're sort of in the midst of now. Where does the cycle break?
GREENBERG: I think breaking the ransomware cycle is, you know, the billion-dollar question. Like, it is very difficult to stop this, as we've seen now over years and years. But I think part of it is that we do have to try to disincentivize companies from paying the ransom. I do think it has to be a less easy solution for the company to continue to fuel this cycle.
Of course, on the other side of this, we also need to find ways to disrupt these ransomware groups that are more effective and more permanent. They're mostly based in Russia, where law enforcement cannot, in the West, actually reach them. But we can see law enforcement trying to disrupt them in other ways - to identify them, embarrass them, sanction them, actually take down their infrastructure, to impose costs on them - and maybe that's part of the solution as well.
And I think, you know, I'm someone who focuses a lot on cryptocurrency and the ability to trace it, that follow-the-money approach, and maybe following the ransom payments to where they're cashed out. I mean, these ransomware hackers still have to, at some point, liquidate those bitcoin ransoms and turn them into rubles if they want to buy their Lamborghini, so maybe we can prevent the money laundering that allows them to profit.
FRAYER: So what is actually at risk for patients when this happens, when your health care provider gets hacked?
GREENBERG: Well, we've seen numerous times that it results in actual delays of operations. I mean, we've seen ambulances diverted from hospitals that were heading to ERs with God knows what sort of, you know, injury or health care crisis for the patients inside. You know, it is not a stretch to say that this has absolutely caused lives.
FRAYER: That's Andy Greenberg. He's a senior cybersecurity writer for WIRED. Andy, thank you so much for being here.
GREENBERG: Oh, thank you for having me. Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
