Have Pharmacies Hit Their Colonial Pipeline Moment?

In 2021, a ransomware attack (https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack) hit Colonial Pipeline, operator of the largest refined-products pipeline system in the U.S. The pipeline carries gasoline, diesel and jet fuel from the Texas Gulf Coast up the East Coast to the New York harbor area and supplies roughly 45% of the fuel consumed on the East Coast.

The ransomware did not reach the operational technology that controls the pipeline itself, but Colonial Pipeline halted all of its systems out of an abundance of caution and, a detail that matters later in this story, could not bill customers for the fuel it delivered because its billing systems were affected. In practice, everything Colonial Pipeline did stopped.

I remember the day well because everything was fine until the U.S. government went on the news to tell people not to panic and that gasoline supplies were fine. Ironically, this triggered an immediate public panic, with everyone rushing to fill up their cars and trucks in case the gasoline outage lasted longer than anyone expected, which was a reasonable worry.

Living in Florida, I waited a few hours after the warning because there was no gas shortage here. I even learned that our fuel arrives by truck rather than through the pipeline, so the shutdown should not have affected us at all. But never underestimate a population's willingness to panic when told not to panic. Even I eventually got worried and decided it would be prudent to fill up, just in case the public's panic caused a shortage that need not have happened.

But by the time I got to the pumps later that night, there was no gas to be found. I drove around 40 miles that night, my tank running lower as my search widened, and never found a pump that was not empty. It was not until the next day that I found a station that still had gas by the time I reached the pump.

And this was only possible because the Florida Governor had stepped in and temporarily waived regulations so that emergency suppliers from other areas could help. There were gasoline lines and shortages in many other states that had nothing to do with the Colonial Pipeline. A friend in the Netherlands told me that people there were advised to fill up because of possible indirect impacts. So, a temporary outage in parts of the U.S. caused supply worries globally. This is our new connected world.

The Colonial Pipeline fallout was unprecedented. It not only caused a multi-national response, but the U.S. and its allies dedicated a new focus to fighting ransomware. From this one event grew a new multi-country, multi-agency response. In the U.S. it included the DOJ, FBI, CIA and CISA, plus a new consortium of allied countries and public-private partnerships, all seeking to reduce the impact of ransomware. It produced new countermeasures, such as tracing and seizing ransomware cryptocurrency payments and shutting down and arresting money launderers, and it even led to the U.S. President raising the problem directly with Russia's Putin. Not many cybersecurity attacks have led to a conversation between world leaders, but this one did.

The Colonial Pipeline event showed that ransomware could cause significant problems for well-funded but ill-prepared companies and for societies around the world. It revealed the hidden-in-plain-sight secret that the world's mission-critical infrastructures and industries were not prepared to prevent, or efficiently recover from, ransomware attacks. It should not be possible for one attack against one company to topple an industry that people rely on like a row of dominoes. Colonial Pipeline was a wake-up call in many ways.

Pharmacy’s Colonial Pipeline Moment

The pharmacy industry likely had theirs (https://www.wsj.com/articles/change-healthcare-attack-raises-cash-concerns-for-pharmacies-afed55ec) at the end of February. In this case, a ransomware group hit Change Healthcare, a claims and prescription processor that sits between pharmacies, providers and insurers. Change Healthcare is part of Optum, which is in turn owned by the large insurer UnitedHealth Group. Because so many pharmacy systems depend on Change Healthcare's software and services, the outage ended up affecting some 67,000 pharmacies and over 131 million patients (the total U.S. population is about 332 million). It also affected Tricare, the healthcare program for the U.S. armed forces.

Note: There is strong evidence that Change Healthcare paid a $22M ransom to help recover its systems, but the ransomware group took the money and ran. This is known as an "exit scam": the gang members who actually carried out the intrusion say they never received their share of the payment, and those short-changed members are now publicly threatening to release Change Healthcare's stolen confidential data unless Change Healthcare pays again.

Because of the ransomware attack, many pharmacies could not deliver needed medications and medical supplies to customers, and many, many more had to fall back on far slower manual procedures.

What was the biggest problem?

The inability of pharmacies to bill for their products and services, just as Colonial Pipeline could not bill for the fuel it delivered. In the immediate aftermath of the Change Healthcare attack, many of the affected pharmacies switched to a competitor of Change Healthcare's called Availity. I am sure some of those that moved will not be moving back.

I am sure most of Change Healthcare's competitors in pharmacy software and services are simply relieved that this attack did not hit them instead. Few companies and industries are really prepared. Each of them is one ransomware group's attention away from becoming the next piece of critical supply infrastructure taken down. Ransomware takes out infrastructure and supply lines with relative impunity because our industries and supply lines are simply not adequately prepared (yet).

What can a company or industry do?

The methods used by ransomware gangs (and by hackers and malware in general) have not changed significantly over the last three decades. Attackers and their malware keep using the same techniques they used 30 years ago because those techniques still work today. What are those root hacking methods?

They are social engineering (involved in 70% to 90% of all successful hacks), unpatched software and firmware (involved in about 33% of successful hacks), and stolen login credentials (involved in about 30% of hacks, 79% of which were obtained through social engineering). The percentages overlap because a single breach often involves more than one of them. Together, these three root causes account for 99% of why hacking is so successful.

Everything else CISOs and cyber defenders have to do, even if required, even if still important, even if a good thing to do, is a distraction from the most efficient way to make your organization far more resilient to cyberattacks right now.

Ask yourself: How much of my day is spent focusing on resolving these three problems versus everything else?

Defenses

In light of these facts, what defenses actually work?

Three things:

· Mitigating social engineering and phishing (https://www.amazon.com/Fighting-Phishing-Everything-Social-Engineering/dp/1394249209)

· Aggressive, timely patching of the software and firmware that attackers are actually exploiting; CISA's Known Exploited Vulnerabilities catalog is the list to start from (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

· Using phishing-resistant MFA (https://blog.knowbe4.com/u.s.-government-says-to-use-phishing-resistant-mfa, https://www.dhirubhai.net/pulse/why-majority-our-mfa-so-phishable-roger-grimes, and https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes)
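Why the third item says "phishing-resistant" rather than just "MFA": a one-time code typed into a look-alike page can simply be relayed to the real site, while a FIDO2/WebAuthn credential never produces an assertion the real site will accept from the wrong origin. The simulation below is an added example written for this article, not code from the author or from any WebAuthn library; the relying party, hostnames, challenges and keys are constructed, and an HMAC stands in for the authenticator's private-key signature so that it runs with the standard library only.

```python
"""
Phishing-resistant (WebAuthn-style) MFA versus a relayed one-time code.
Illustrative simulation, not a WebAuthn implementation: an HMAC stands in
for the security key's signature; every host, secret and challenge is made up.
"""
import base64
import hashlib
import hmac
import json
import os
import time

RP_ID = "pharmacy.example"              # constructed relying-party ID
RP_ORIGIN = "https://pharmacy.example"  # the only origin the RP will accept


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for a FIDO security key: one credential secret per RP ID."""

    def __init__(self):
        self._credentials = {}

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self._credentials[rp_id] = secret
        return secret  # the RP keeps this the way it would keep a public key

    def get_assertion(self, rp_id: str, client_data: bytes):
        secret = self._credentials[rp_id]  # KeyError: no credential for this rpId
        # authenticatorData = rpIdHash || flags (user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(secret, signed, "sha256").digest()


def browser_get(auth, page_origin, requested_rp_id, challenge, enforce=True):
    """The browser, not the page, writes the real origin into clientDataJSON
    and refuses an rpId that the page's origin is not entitled to claim."""
    host = page_origin.split("://", 1)[1]
    if enforce and not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"{page_origin} may not use rpId {requested_rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":")).encode()
    auth_data, sig = auth.get_assertion(requested_rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(secret, challenge, client_data, auth_data, sig) -> str:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return "bad type"
    if c.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if c.get("origin") != RP_ORIGIN:
        return "origin mismatch: " + c["origin"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code: carries no notion of origin at all."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    return any(hmac.compare_digest(code, totp(secret, now + k * 30)) for k in (-window, 0, window))


def run_scenarios() -> dict:
    phish_origin = "https://pharmacy-login.example"  # constructed look-alike domain
    auth = Authenticator()
    pubkey = auth.register(RP_ID)
    results = {}
    # 1. Real site: the origin the browser records matches what the RP expects.
    chal = os.urandom(32)
    results["legit"] = rp_verify(pubkey, chal, *browser_get(auth, RP_ORIGIN, RP_ID, chal))
    # 2. Phishing page relays the RP's real challenge and asks for the real rpId.
    chal = os.urandom(32)
    try:
        browser_get(auth, phish_origin, RP_ID, chal)
        results["phish"] = "assertion produced"
    except PermissionError:
        results["phish"] = "browser refused rpId"
    # 3. Even a client that skipped that check signs the phishing origin, which the RP rejects.
    results["phish_no_browser_check"] = rp_verify(pubkey, chal, *browser_get(auth, phish_origin, RP_ID, chal, enforce=False))
    # 4. A captured legitimate assertion cannot be replayed against a fresh challenge.
    results["replay"] = rp_verify(pubkey, os.urandom(32), *browser_get(auth, RP_ORIGIN, RP_ID, chal))
    # 5. TOTP: the victim types the code into the phishing page; the attacker relays it seconds later.
    totp_secret, now = os.urandom(20), int(time.time())
    results["totp_relay"] = "accepted" if rp_verify_totp(totp_secret, totp(totp_secret, now), now + 5) else "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The point to take from scenarios 2 and 3 is that the protection does not depend on the user noticing the wrong domain: the browser refuses to hand the phishing page a credential for a different rpId, and even if it did, the origin it writes into the signed data would be the phishing site's, so the relay fails at the relying party. Scenario 5 shows the contrast: a six-digit code is just a string, and nothing in it says where it was typed.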

Yes, you can be exploited by other things (e.g., zero-days, insider attacks, SQL injection, etc.), but the vast majority of successful hacking attacks trace back to just these three root causes, and successfully mitigating them would remove almost all of the risk.
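The second defense above, patching what is actually being exploited, is easier to act on when open scanner findings are checked against CISA's Known Exploited Vulnerabilities catalog rather than against raw CVSS scores. The script below is an added example, not the author's or CISA's code; it assumes a scanner export already reduced to asset-to-CVE-ID lists, the catalog snippet and findings are constructed (placeholder CVE IDs under a fictitious vendor) but use the real KEV JSON field names, and the `fetch_kev` helper pulls the live feed from CISA's published URL.

```python
"""
Patch triage against CISA's Known Exploited Vulnerabilities (KEV) catalog.
Added example.  Assumes a scanner export of {asset: [CVE IDs]}.  The catalog
snippet and findings below are constructed (placeholder CVE IDs) but follow
the real KEV field names: cveID, vendorProject, product, dueDate,
requiredAction and knownRansomwareCampaignUse.
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def fetch_kev(url: str = KEV_URL) -> dict:
    """Download the live catalog (network call; the offline demo uses SAMPLE_KEV)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed catalog in KEV format; CVE-2099-* are placeholders, not real CVEs.
SAMPLE_KEV = json.loads("""{
  "title": "constructed KEV-format sample", "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "GatewayOS",
     "vulnerabilityName": "GatewayOS authentication bypass", "dateAdded": "2024-01-10",
     "requiredAction": "Apply vendor update.", "dueDate": "2024-01-31",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
     "vulnerabilityName": "VPN Appliance remote code execution", "dateAdded": "2024-03-01",
     "requiredAction": "Apply vendor update.", "dueDate": "2024-03-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0003", "vendorProject": "OtherCorp", "product": "Office Suite",
     "vulnerabilityName": "Office Suite memory corruption", "dateAdded": "2024-02-20",
     "requiredAction": "Apply vendor update.", "dueDate": "2024-03-12",
     "knownRansomwareCampaignUse": "Unknown"}
  ]}""")

# Constructed scanner output: asset name -> open CVE findings on that asset.
SAMPLE_FINDINGS = {
    "pharmacy-pos-01": ["CVE-2099-0001", "CVE-2099-0004"],
    "claims-gw-vpn": ["CVE-2099-0002"],
    "workstation-17": ["CVE-2099-0003"],
}


def kev_index(catalog: dict) -> dict:
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def triage(catalog: dict, findings: dict, today: date) -> dict:
    """Rank open findings: ransomware-used first, then overdue, then most overdue.
    Findings not in KEV are returned separately; they still need patching, just
    not at the head of the queue."""
    idx = kev_index(catalog)
    rows, not_in_kev = [], []
    for asset, cves in findings.items():
        for cve in cves:
            entry = idx.get(cve)
            if entry is None:
                not_in_kev.append((asset, cve))
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "days_overdue": (today - due).days,  # negative means still within the window
                "action": entry["requiredAction"],
            })
    rows.sort(key=lambda r: (not r["ransomware"], r["days_overdue"] <= 0, -r["days_overdue"]))
    return {"prioritized": rows, "not_in_kev": not_in_kev}


if __name__ == "__main__":
    report = triage(SAMPLE_KEV, SAMPLE_FINDINGS, date(2024, 3, 15))
    for r in report["prioritized"]:
        flag = "RANSOMWARE" if r["ransomware"] else "exploited"
        print(f'{r["asset"]:16s} {r["cve"]}  {flag:10s} overdue={r["days_overdue"]:>4d}d  {r["product"]}')
    print("not in KEV:", report["not_in_kev"])
```

KEV lists vendor and product but not affected versions, so the catalog cannot tell you whether a given host is vulnerable; that is why the script keys on CVE IDs that a scanner has already confirmed on each asset. Swap `SAMPLE_KEV` for `fetch_kev()` and `SAMPLE_FINDINGS` for your scanner export to run it for real.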

Ransomware gets into organizations using the same three hacking methods. We reviewed over 100 ransomware reports published by security vendors and identified these three root causes as the main reasons ransomware is so successful. You can read about our research here: https://info.knowbe4.com/wp-root-causes-ransomware.

Ransomware is a huge threat to every industry, infrastructure, and supply chain. What can you do? Aggressively mitigate the three biggest root causes of how ransomware breaks into your organization by using the three defenses listed above. Spending your effort anywhere else will likely just make your organization the next ransomware victim that much sooner.

Andrew G.

WolvMarine. IT Audit leader. Auditable process whisperer. I ask and discern why and how and translate complexity to understandability across business and IT. Information sharer. Computer nerd since 8-bit days.

8 months

The pipelines are now secure?
