A Season Of Health Breaches, A Season Of Changes

As spring ushers in a season of transformation, the healthcare sector finds itself at a crossroads, compelled to evolve rapidly in response to a series of recent, high-profile cyberattacks. One of the most significant incidents is the hack of Change Healthcare, a pivotal player in the U.S. healthcare system and a subsidiary of UnitedHealth. This organization, responsible for processing insurance and billing for hundreds of thousands of hospitals, pharmacies, and medical practices, holds sensitive health information on nearly half of all Americans. The breach profoundly impacted major entities like UnitedHealth, Walgreens, and CVS, carrying hefty financial repercussions and deeply affecting patient health. This incident underlines the critical need for systemic enhancements in cybersecurity and urgent reforms to safeguard sensitive data across the industry.

“Change” Was Changed

Following a cyberattack on February 21, UnitedHealth’s Change Healthcare continues to process over $14 billion of backlogged claims. UnitedHealth Group announced expectations for major clearinghouses to resume operations after a month-long effort to recover services that were disrupted nationwide, prompting a federal investigation. While critical services at Change Healthcare have been restored, UnitedHealth is cooperating with a HIPAA compliance investigation initiated by the U.S. Department of Health and Human Services. Addressing these issues will occupy Change Healthcare for the foreseeable future.

The outage, caused by a cyberattack from the ransomware gang known as ‘Blackcat,’ disrupted prescription deliveries and affected pharmacies across the country for multiple days. The breach continues to be investigated. Despite a recent crackdown on Blackcat, which included seizing its websites and decrypting keys, the hacker gang struck major businesses prior to this event and continues to threaten retaliation against critical infrastructure and hospitals in its wake.

A Sophisticated One-Two Punch

The health tech giant reportedly paid $22 million to ALPHV in March. Shortly after, a new hacking group began publishing portions of the stolen data in an effort to extort a second ransom payment from the company. The new gang, which calls itself RansomHub, published several files on the dark web that contained personal information about patients across an array of documents, some of which included internal files. RansomHub has stated it would sell the stolen data unless Change Healthcare paid a second ransom.

These recent incidents carry significant financial burdens and deeply impact patient health, emphasizing the urgent need for systemic change to bolster cybersecurity measures across the healthcare sector.

Change Now or Pay [Even More] Later

As of mid-April, UnitedHealth reported that the ransomware attack has cost more than $870 million in losses. Importantly, this is not the first—or only—time an organization has found itself exposed to such vulnerabilities. The recurring nature of these breaches underscores the urgent need for a paradigm shift in how the healthcare industry approaches cybersecurity. It’s not just about patching vulnerabilities as they arise, but fundamentally rethinking and fortifying digital defenses to withstand the relentless onslaught of cyber threats in today’s world. The cost of preventing such an attack could have been a small fraction of the $870 million paid in remediation costs.

An Ounce of Prevention is Worth a Pound of Cure

At the heart of the matter lies a complex web of security vulnerabilities. While healthcare organizations typically invest significant resources in securing their digital infrastructure, the recent breach underscores the sobering reality that even the most robust defenses can be compromised through misguided and parochial mindsets. Since the breach, it’s been revealed that only half of systems were adequately secured and patched, leaving a glaring gap that cybercriminals exploited with devastating consequences. This situation should serve as a catalyst for transformative change in the culture of Healthcare IT, prompting a reevaluation of existing security protocols and increased fortification of defenses through partnerships with capable service organizations.

These breaches, still unfolding, serve as a stark reminder of the constant vigilance required to protect against malicious cyberattacks in an industry where the stakes are exceptionally high, measured in human lives and the confidentiality of sensitive medical information. It is critical that the approach to cybersecurity strategies and implementations extends beyond traditional ROI calculations and reliance on already overstretched internal IT teams.

Check Box Compliance

When examining the breach, a crucial aspect to look at is the period of technological transition that at least one of the impacted organizations was navigating when the incidents occurred. Technology inherently evolves, yet it was during a pivotal moment of updating systems that the attackers found and exploited vulnerabilities. This situation starkly highlights the sophistication of cybercriminals in pinpointing and exploiting periods of vulnerability, reminding us of their relentless watchfulness for opportunities to infiltrate systems amidst organizational changes.

Moreover, this breach raises pertinent questions about the efficacy of regulatory compliance frameworks. These situations are heaped with compliance, however being compliant with industry regulations regarding the protection of Personally Identifiable Information (PII) health data clearly does not prevent incidents from occurring.

Healthcare Cybersecurity: A Call to Action

As we continue to navigate the relentless tide of cyber threats, the healthcare industry must confront the new realities of digital warfare that endanger countless lives and sensitive data. This challenge transcends the need for incremental changes; it calls for a revolutionary overhaul of our cybersecurity frameworks, strategies, and ROI models.

The recent breaches are a stark wake-up call, emphasizing the necessity for proactive and comprehensive security that anticipates threats before they emerge. It is crucial for healthcare leaders to prioritize investments in advanced security technologies and to cultivate a culture of collaboration by partnering with expert security service providers. These partnerships can integrate cyber resilience into the fabric of healthcare delivery. The cost of inaction is unacceptably high, not only in terms of financial losses but also in the erosion of patient trust, privacy, and wellbeing. Let us commit to safeguarding our future with every resource available, making security synonymous with healthcare itself.

Need to reevaluate your existing security protocols? Want to implement a more comprehensive and proactive approach? Contact us to get started.


This article was originally published in Forbes, please follow me on LinkedIn.

Turla Hacking Group: A Persistent International Threat

As we continue our series of articles on state-sponsored cyberattack groups, we turn our focus to the Russia-affiliated Turla hacking group. In previous articles, we examined some of the biggest threats on the cyberattack scene, including APT10 and APT28 (also known as Fancy Bear). These notorious groups are a lurking presence, and Turla is no exception. Active for over a decade, the Turla hacking group is believed to be operating out of Russia and closely affiliated with the FSB, the Russian intelligence agency and successor to the KGB. It is also known by the names “Waterbug” and “Venomous Bear,” and has been linked to numerous high-profile cyberattacks on government agencies, embassies, and organizations around the world.

Destructive Path

Turla has been linked to 45 high-profile attacks, including the German Bundestag in 2014, the Ukrainian Parliament in 2014, and the French TV5 Monde in 2015. The group also targets organizations in the Middle East, particularly in the energy sector. Turla’s use of sophisticated methods and its focus on government and diplomatic targets has led experts to believe the group is working on behalf of the Russian government, although this has yet to be definitively proven.

Methods of Mayhem

Turla is known for using a variety of tactics to compromise networks, including “living off the land” tactics, watering hole attacks, spear-phishing emails, and compromised satellite connections. The group also uses publicly available tools like Metasploit and PowerShell, as well as Command and Control (C2) infrastructure like Google Drive and Dropbox. One of Turla’s primary tactics is the use of “second-stage” malware, which is activated after a victim’s initial infection and used to establish a backdoor into the network. From there, the group can steal sensitive information and move laterally within the network to gain access to other systems.

Turla is especially dangerous due to its use of advanced, next-level tactics. In recent years, the group has been observed using a unique malware called “Turla” or “KRYPTON” that can steal data from air-gapped computers not connected to the internet. The malware uses “audio exfiltration” to transmit data using the computer’s speakers and microphones. The group is extremely sophisticated and can evade detection for long periods of time. In 2014, for example, Turla maintained a foothold in a European government agency’s network for over two years before being discovered.

Wrestling A Bear

Turla is a highly sophisticated and persistent hacking group that has been known to target a wide range of organizations around the world. Without the right tools and partnership, defending against Turla is like wrestling a bear. The group’s use of highly sophisticated second-stage malware and its ability to evade detection make it a formidable threat, and one that organizations should be aware of and take immediate steps to protect against. This includes implementing robust comprehensive security measures such as multi-factor authentication, intrusion detection and prevention systems, and regular security training for employees. Equally as important, organizations should be vigilant in monitoring their networks for signs of compromise and should take prompt action if suspicious activity is detected. Partnering with managed security providers can bring valuable expertise, resources, and technology to those looking to defend against the threat posed by Turla and similar groups. These providers can offer expert round-the-clock monitoring, incident response, and threat intelligence to help organizations stay ahead of the constantly evolving threat landscape.

This article was originally published in Forbes, please follow me on LinkedIn.

APT28 Aka Fancy Bear: A Familiar Foe By Many Names

We are looking at the biggest threats on the cybersecurity scene – and the most nefarious hacker groups behind them – and this week the spotlight turns to APT28, or Fancy Bear. Don’t let the name fool you. There is nothing cute about Fancy Bear, also known as APT28, Pawn Storm, Sednit, STRONTIUM, and Sofacy. Just like John Wick is known in the Russian underworld as ‘Baba Yaga,’ this group has Russian roots and probably has additional names on that scene.

A Big Name Among Big Names

APT28 is a notorious cyber espionage group that has been active since at least 2007. APT28 has been known to target governments, military organizations, and other high-value targets in various countries using their signature techniques. The group has been linked to several high-profile cyberattacks, including the alleged 2016 US presidential election hack and the 2017 NotPetya malware attack.

One of the most notable campaigns associated with APT28 is the 2016 hack of the Democratic National Committee (DNC) in the United States. This attack resulted in the theft of sensitive emails and other information that were later leaked to the public and was seen as an attempt to interfere with the US presidential election. It was widely condemned. More recently, CISA said it discovered the Russian hacking group had infiltrated a satellite communications provider with critical infrastructure customers.

A Profile in Malice

APT28 is considered to be a highly sophisticated and well-funded state-sponsored group backed by the Russian government. The group has been the subject of several high-profile reports and warnings from cybersecurity companies and government agencies, including the US Department of Homeland Security. It targets governments, military organizations, media, research, and private sector companies for the purpose of gathering intelligence, stealing sensitive information, and criminal financial gain.


APT28 is known for its use of advanced malware and hacking techniques to gain access to its targets’ networks. In addition to using advanced malware and spear-phishing tactics, the group is also known for using “watering hole” attacks, where it infects websites that are known to be frequented by targets. It also uses “living-off-the-land” tactics, whereby the group utilizes legitimate tools and infrastructure already present on a victim’s network in order to move laterally and evade detection.

APT28 is known for using a variety of command and control (C2) infrastructure to communicate with its malware and to exfiltrate stolen data. This infrastructure often uses a combination of different protocols, such as HTTP and DNS, making it difficult to detect and block. One of the group’s most well-known tools is Sednit, which has been used in several APT28 campaigns. Sednit is a sophisticated piece of malware that can steal sensitive information and maintain a persistent presence on a victim’s network.

The group also uses spear-phishing campaigns to target specific individuals and gain access to their networks. These campaigns often use social engineering tactics, such as sending emails that appear to be from a trusted source, to trick victims into clicking on malicious links or attachments.

Defending Against APT28

Organizations can protect themselves against APT28 and other advanced threat actors by implementing strong cybersecurity measures. These include:

  • Partnerships with reputable Managed Security Providers (MSSPs)
  • Regular software updates and patching
  • Employee education and training on security best practices
  • Incident response plans
  • Managed and comprehensive security monitoring and mitigation
  • Immediate action in the case of suspected breaches

APT28 is one of the most serious threats in existence today, and it’s important for organizations and individuals to be aware of its tactics in order to better protect themselves from attacks.

This article was originally published in Forbes, please follow me on LinkedIn.

How Climate Change Impacts IT

Whether we like it or not, our planet is facing some detrimental damage. Ntirety CEO Emil Sayegh reminds us that IT is not immune to climate change in our latest blog. 

 How Climate Change Impacts IT 

 While our heads (and data) might be in the cloud, ultimately our IT and technology infrastructure lives right here on a planet that is facing an existential crisis. Global climate change is happening, though its causes continue to be a societal debate. While we know that global climate has changed since before recorded human history, many pinpoint the source of our current pattern changes to man-made reasons, with a steady focus on greenhouse gases, carbon emissions, and energy consumption. In any case, the planet is experiencing greater weather swings and events than recent memory can extend — floods, severe heat, blizzards, hurricanes, intense rain, and droughts appear to occur more often. 

These climate events do not only have an impact on lives. Significant events can affect the continuity and survival of industries and businesses, especially when they affect information technology systems. Climate change has a tangible and increasingly critical effect on IT — it is a business continuity issue, it is a cost issue, and it is also a core strategy issue. It is high time that we consider the impact of climate change on IT. 

Elon Agrees 

Tech legend Elon Musk halted purchases of Tesla vehicles with Bitcoin last year due to the “rapidly increasing use of fossil fuels for Bitcoin mining,” which experts estimate uses more energy than entire countries such as Sweden and Malaysia. Musk is not the only one to sound the alarm on the environmental impact of Bitcoin — Treasury Secretary Janet Yellen has also warned that it uses a “staggering” amount of power. Regardless of whether Bitcoin and other cryptocurrencies are a polluters or not, the negative connotations around the impact of its enormous energy consumption on the environment has affected its valuation, and even maybe its future trajectory. 

Threats are Significant and Real 

Historical weather events such as hurricanes Sandy and Katrina continue to echo years after their arrival. However, these unstoppable and formerly outlier events occur every year with greater frequency, causing hundreds of billions in damages and massive outages. Their aftermath must always be dealt with. In February of 2021, Texas endured a weeklong flash winter storm completely out of the weather norm. Known as the Great Texas Snow Storm, “Snovid,” or the “Snowmageddon,” the economic impact of that event was a staggering $200 billion. 

Disaster preparation and recovery are just a couple of reasons why organizations must focus on continual backups, replication to offsite locations, and the drive to create zero-downtime resilience through disaster recovery plans, power backups, and nimble cloud architectures. We do this because the threats are real and becoming more frequent. With enough planning, the right partners, tools and capabilities, you can get through these incidents with a minimal interruption to the business. 

Inside a Crisis 

Rather than drive inside all the reasons why you should prepare for a crisis and how, it would be better to set the tone of what happens behind the scenes When a crisis hits, it can appear to be a frantic scene. When a severe weather event hits and creates an IT disruption, efficient operations and a return to normal operations are more critical than ever for all impacted. 

The early moments are the most critical, but recovery events include: 

  • Emergency Notifications
  • Assessment
  • Monitoring of Disaster Recovery Operations
  • Triage\Troubleshooting
  • Analysis
  • Reassessment
  • Status updates

In a pressure-filled scenario, the impact of any potential missteps is amplified, adding time to the recovery efforts. Your IT disaster recovery plan must be clear, it must be relevant, and your team must be ready to execute its well-rehearsed disaster recovery plan. This is where all the documentation, preparation, planning, and partnerships meet the road. 

Hackers Ready to Pounce 

Here’s the bad news. When a weather disaster strikes an organization or locality, it is public information. You can expect that opportunistic scammers are somewhere close behind, just like vultures. That’s where you will see the relief scams, phony fundraisers, and other schemes that follow weather events. You will also see social hack attempts and phishing attempts come through when there are known disruptions in the air. 

Unexpected disruptions and recovery efforts can open security vulnerabilities. For example, in the event where a backup or tertiary site comes online, there is an opening to take advantage of the possibility that the backup systems are exposed in any way—patches, permissions, vulnerabilities, default passwords, configuration, etc. Just as in all cybersecurity, it comes down to the weakest link in the chain. If one entry point behind the virtual security wall can be exploited during a weather-related recovery, that is all an outsider needs to find. 

Tech as Climate Readiness 

The challenge of business continuity is a core business mission, but with an increase in climate change related events around us, this challenge is more critical than ever before. Preparations, planning, and the right partnerships matter. Capabilities matter. Depending on the business in question and the locality of its IT systems, the impact that climate bears upon business continuity will vary. Almost every organization should prepare to leverage principles including offsite strategies, resiliency, security considerations, geographic strategy, and cloud technology in order to step up to this modern-day challenge. 

With one part process, another part readiness, and another part technology-focused, organizations that embrace cloud infrastructure have greater capabilities to roll through crisis scenarios because they have improved resiliency, speed, and the very nature of security is aligned with the fluid nature of cloud. We cannot know in advance the timing and arrival of every calamitous weather event, but we can prepare with better process, enabled by better tools to adapt through multiple situations. 

 Check out this piece, originally published in Forbes, here and follow me on LinkedIn.