Ransomware hackers are attacking health care systems in the U.S. and around the world.
Why are health care networks so vulnerable?
Today, On Point: When ransomware hijacks your health care.
Guests
Andy Greenberg, senior writer for WIRED, where he covers hacking, cybersecurity and surveillance. His latest book is Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.
Dr. Jeffrey Tully, co-director of the Center for Healthcare Cybersecurity at the University of California San Diego. Anesthesiologist and pediatrician.
Also Featured
Lisa Watson, nurse at Via Christi Ascension St. Francis in Wichita, Kansas.
Dr. Saira Ghafur, lead for Digital Health at the Institute of Global Health Innovation at Imperial College London.
Transcript
Part I
MEGHNA CHAKRABARTI: On the morning of May 8, nurse Lisa Watson had just arrived at her hospital when pretty quickly, it was clear that something wasn’t right.
LISA WATSON: None of the patients could call in their breakfast trays. So that was like the big first key that things were awry.
CHAKRABARTI: Lisa is an ICU nurse at Via Christi Ascension St. Francis Medical Center in Wichita, Kansas.
WATSON: It progressed throughout the day. I wasn’t there that whole day, but it progressed throughout the day. That charting wasn’t working. Code Blue buttons weren’t working. Any kind of way to alert somebody that there was a problem in the system wasn’t working.
CHAKRABARTI: By the way, those Code Blue buttons that weren’t working? They’re used to alert floor staff when an adult is having a critical medical emergency — often cardiac arrest. So whatever was going on, it was a big deal.
Lisa’s hospital is just one of the roughly 140 hospitals across 19 states and Washington, D.C. that are operated by the Ascension health care network.
The problem, though, wasn’t just isolated to Wichita. Within hours, many hospitals across one of America’s largest health care networks reported similar technological paralysis.
Ascension had been hacked.
(MONTAGE)
NEWS ANCHOR 1: Ascension Providence on Nine Mile Road in chaos on Wednesday.
NEWS ANCHOR 2: Some patients were turned away at Wisconsin locations like Ascension St. Joseph.
NEWS ANCHOR 3: Ascension’s retail pharmacies in Florida cannot fill prescriptions at this time.
NEWS ANCHOR 4: Its electronic medical record system, MyChart, is not available.
NEWS ANCHOR 5: Here in metro Detroit.
NEWS ANCHOR 6: In central Texas.
NEWS ANCHOR 7: Ascension says all of its medical centers in Oklahoma are still open but that some emergency patients could be diverted to different local hospitals.
CHAKRABARTI: Doctors and nurses were locked out of patient records. Phone systems went down. Ambulances were diverted to different hospitals. Patients couldn’t access their medical portals or contact their doctors. Lisa says she and her Kansas coworkers had to start hauling out old paper charts. Almost instantly, it was as if record keeping rolled back more than 20 years.
WATSON: Luckily, somewhere in Wichita, they had kept the chart backs, the three-ring binders that hold your papers. I don’t know where they were. I don’t know when they came into use again. In each unit we have what’s called a black box that would hold enough paperwork to get you through a downtime — two to four hours, generally on night shift, that kind of thing. By no means was it meant to, or was it capable of handling, a month of doing this.
CHAKRABARTI: Lisa also had to manually override the hospital’s medication dispensing system to get drugs to patients.
WATSON: I could literally go to the Pyxis, which is our medication dispensing machine, and pull out any medication I wanted. You know how many different kinds of potassium there are? Or metoprolol there are? I almost hung the wrong medication. I had two medications both in similar bags. It’s very scary. Because my patient would have died.
CHAKRABARTI: This is On Point. I’m Meghna Chakrabarti.
A couple of seconds ago, you just heard Lisa say Ascension’s back up systems weren’t capable of handling “a month” — a month! — of doing this. In fact, it wasn’t until June 14, more than five weeks after that May 8 hack, that Ascension released a statement saying it had restored electronic health records access across its hospital network.
However, “medical records and other information collected between May 8” and when the service was restored “may be temporarily inaccessible as we work to update the portal with information collected during the system downtime.” That is from Ascension’s statement.
Now, all of this is from a ransomware attack reportedly by a Russian cybergang called Black Basta. The group is known for doing detailed research on targeted employees, then crafting convincing spear phishing emails to infiltrate a company’s information systems.
In that June 14 statement, Ascension also said, “An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake.”
Now, Ascension would not confirm if Black Basta was behind the ransomware attack, or if the company paid hackers to release their systems. Ascension says it was working with federal law enforcement. And on May 10, just two days after the attack, the FBI and CISA, the federal Cybersecurity and Infrastructure Security Agency, issued a public notice saying Black Basta is targeting health care companies “due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.”
And both law enforcement groups say ransomware hackers are amping up their health care attacks worldwide.
JAYNE SECKER (Tape): And we start with breaking news this hour. A number of procedures have been canceled or redirected to other NHS providers following a cyberattack on some of London’s major hospitals.
CHAKRABARTI: In June, cybercriminals attacked the U.K.’s National Health Service provider Synnovis. Dr. Saira Ghafur is lead for Digital Health at the Institute of Global Health Innovation at Imperial College London.
DR. SAIRA GHAFUR: No patients were able to have any blood tests done. Hospital operations were canceled because if people needed blood during an operation, they were unable to provide that. Other outpatient appointments were also canceled. Clinic appointments were canceled. You can imagine for two million patients, that’s a huge impact that that’s going to have on the delivery of safe patient care.
CHAKRABARTI: Synnovis refused to pay the ransom the hackers demanded, so Dr. Ghafur says, in retaliation, the hackers published private patient data online.
GHAFUR: Names, addresses, dates of birth, the types of scans they’d had or the tests that they’d had. And obviously publishing all of those results. What that does do is it invokes a lot of fear and mistrust in patients and the public who are using these services. You know, here’s people that you trust with your data, with your health, with your care – and no one’s able to access anything. It’s a very worrying time for people.
CHAKRABARTI: For people and for health care providers, because doubtless, this is going to happen again.
GHAFUR: Speaking to my colleagues working in that area as well, it’s that fear of not being able to, you know, on a day to day basis, the number of tests that you’re requesting for your patients, if you’re not able to do that, then that cascade down the line of what impact that may have, which it’s very difficult to qualify and quantify at this point in time, but you know, as a result, we will see there will be patient safety issues down the line.
CHAKRABARTI: The attacks show no sign of letting up. Back in the United States, the FBI says the health sector experienced the largest share of ransomware attacks of 16 infrastructure sectors considered vital to national security or safety.
However, there are no federal requirements for hospitals to prevent or prepare for cyberattacks that could compromise their electronic systems. So does that make sense to you?
Well, Andy Greenberg is a senior writer at WIRED. His latest book is Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. He’s written extensively about health care ransomware attacks, and he joins us now. Andy, welcome to On Point. And let me just put that same question straight to you. Does it make sense to you that there are no rules or regulations for health care to shore up the cyberdefenses of their information systems?
ANDY GREENBERG: Well, thank you, Meghna. I think it is the right question to ask and I think that obviously the answer is no. There ought to be regulations to try to rein in this problem, because we can see that the free market, a kind of like economic incentive to secure these systems is not working.
You just told some incredibly harrowing anecdotes in the reporting you did on the cases of Ascension and Synnovis. And those really are part of a larger epidemic of health care-targeted ransomware attacks that are extremely profitable and are incentivizing just more and more of these incredibly disruptive attacks that probably are killing people, to be clear.
CHAKRABARTI: Right.
GREENBERG: I mean, the ways that these attacks work to be clear, to spell it out for listeners is that these largely Russian cybergangs break into these networks, and they encrypt as much of the network as possible to disrupt it, to disable it, to prevent the victim from being able to use their own computers. And in the process, they also steal as much data as they can from the network. And then they try to extort the victim for as much money as possible. And this has been extremely effective. I mean, these groups are extracting tens of millions of dollars in ransoms from single victims and more than a billion in total in 2023.
CHAKRABARTI: Wow. Well, we have an example from UnitedHealth, right? Because they paid what? More than $22 million basically to resecure their data. And that was just from one health care system.
GREENBERG: Well, exactly. And, you know, you didn’t even talk about that in your introduction, but it was perhaps, you know, the biggest and most disruptive of these events. I mean, in terms of its scale.
Change Healthcare, a part of UnitedHealthcare, provides payment systems for more than a thousand health care providers and pharmacies and hospitals across the United States. When they were disrupted by a ransomware gang called BlackCat in February, all of that was taken down and these providers could not receive any payments for their procedures. Some of them literally went bankrupt as a result of this.
And you can see the economics, the kind of malicious economics at work here because Change Healthcare did cave in and pay $22 million to the hackers who were tormenting and extorting them. And, you know, they didn’t admit that for two months. We actually found evidence of it in Bitcoin’s blockchain to break that story. But it took them two months to admit that they had paid that ransom and in doing so fueled, again, this vicious cycle of incentivizing these hackers then to go after more health care targets.
I mean, that ransomware payment was made in March of this year. The next month was April and the cybersecurity firm Recorded Future counted 44 health care-targeted ransomware attacks in April, the most that they’ve ever seen in a single month. And, you know, of course, like, it’s difficult to say, you know, is this correlation or causation or just part of the same trends, but it does seem like that massive payment — $22 million is a particularly large ransom — that that was a wake-up call to ransomware groups. “Look, you can take down these extremely critical and vulnerable networks and get leverage that really forces these companies to pay through the nose.” And it is even more profitable than other kinds of ransomware targets.
CHAKRABARTI: Oh wow.
Part II
CHAKRABARTI: Andy, I just, like I said, I want to put a little bit more shape on how much this problem has grown because some of the numbers are actually quite astounding. I mean, we talked earlier about how federal authorities say that health care experienced the greatest growth in the number of cyberattacks out of 16 really critical sectors for national security.
I was also seeing, back in December of last year, so late last year, this is from the American Hospital Association itself. We’ll talk about how they’re also a little bit recalcitrant about this later in the show. But their head of cybersecurity, or their national advisor for cybersecurity, a gentleman named John Riggi, is quoted in a magazine called Chief Healthcare Executive.
He said, in 2023, “I think this year we’re going to break all records in terms of the numbers of individuals impacted by cyberattacks in health care.” And he says about 106 million individuals have been affected by cyberattacks involving health care organizations. That was at the end of 2023. 44 million at the end of 2022. So put another way, already at the end of last year, one in three Americans have had their health data touched by some kind of breach. I mean, that’s kind of astounding. What are some other ways we can understand how much this has grown?
GREENBERG: Well, Meghna, I mean, it’s astounding to hear that number about 2023, that that was supposedly, or that that was, in fact, the record at the time for how many Americans have been touched by these attacks, because there is absolutely no question that 2024 has already surpassed that easily in just the first half of the year.
Change Healthcare alone, the fact that the CEO of UnitedHealthcare, which owns Change Healthcare, told a congressional hearing that about a third of Americans had their medical data breached in that attack.
CHAKRABARTI: In that one attack.
GREENBERG: One attack. Yes. And you know, there’s no question that more Americans were touched by the Ascension attack which affected 140 hospitals and 40 senior living facilities. And then, you know, that’s just the United States. There’s no reason really to limit our scope of this to just the U.S. Because if you look at the NHS, I mean, if you look at France, where a hospital was just targeted by a really notorious group called LockBit who leaked dozens of gigabits of people’s medical data. I mean, this is a worldwide phenomenon. And it is truly out of control.
I appreciate that you’re talking about it because I think ransomware for many people, feels like this old problem, but there is a very new or a new wave in this cyclical way, perhaps, focusing on hospitals and health care. And it is just particularly scary because these hackers have realized that that health care is a kind of pain point where it is intolerable to these victims not to pay the ransom, to just deal with the damage. You know, people’s lives are at stake and they know that. And they’ve built a massive business around it.
CHAKRABARTI: And there’s like this double threat, right? Because there’s first the immediate threat as we heard at the beginning from nurse Lisa. Like just the second the attack happens, hospital workers and employees are just locked out of critical systems where they have to like almost guess which is the right medication to give patients, right? So lives are at stake right away. But then also the data itself. I mean, that must be a long-term point of vulnerability when these ransomware groups, even after maybe they get paid, but like, do they give the data back that they’ve stolen? Or is that permanently sort of out there with the potential for exploitation?
GREENBERG: Well, you raise a really good point. I mean, ransomware groups in past years would simply encrypt networks. I mean, that alone is incredibly disruptive, as you said, probably, you know, has really affected people’s health and lives. But they realized at some point that some victims are well-prepared and have backups. They can recover from those backups and don’t pay the ransom. So they started to do this double extortion where they would also steal as much data as they could. And then threaten to leak it onto the dark web, essentially, if the victim didn’t pay. So it’s this like one-two punch. And you can’t recover with backups from that kind of data leak. The data is just gone out of your control.
And you’re right as well that it raises a really important question of does it even matter if you pay the ransom? There was actually, we were talking about Change Healthcare earlier, that was a kind of worst case scenario in some ways. This is a bizarre kind of unique situation where Change Healthcare paid that $22 million to this ransomware group called BlackCat. BlackCat then appears to have stolen that money and didn’t share it with their own cybercriminal partners. They cheated their own partners, some of whom were involved, it appears, in breaching Change Healthcare and stealing that data.
So those jilted partners then reappeared and said, “We didn’t get paid any ransom. We still have all of this data that we’ve stolen on about a third of Americans.” And they actually offered it to a different ransomware group who then extorted Change Healthcare a second time. So, it shows that, you know, once this data is out there, it’s not like paying a ransom makes it go away. You know, data that is breached and stolen from a network is just permanently breached and out of the victim’s control, out of the patient’s control as well.
CHAKRABARTI: Wow. Okay. So, Andy, hang on here for just a second because I want to bring Dr. Jeff Tully into the conversation. He’s in San Diego, California. He’s an anesthesiologist and co-director of the Center for Healthcare Cybersecurity at the University of California San Diego. Dr. Tully, welcome to On Point.
DR. JEFF TULLY: Hi, Meghna. It’s great to be with you.
CHAKRABARTI: Okay, so I want to actually help all of us understand what the particular vulnerabilities are. And let me just ask you a simple question: How is it that these ransomware hackers are able to get into a health care system?
Because when we say health care system, we’re talking about everything from, you know, the number of terminals that nurses and doctors have to log into in every patient’s room to all the insurance companies, all the pharmaceutical, pharmacy companies, all the medical record keeping and administration. I mean, it’s a vast network when we say health care. So where are the places that the hackers can worm their way in?
TULLY: Sure. So unfortunately, it can be as simple as a single employee, as we heard earlier, just clicking on the wrong email, right, and falling for a phishing scam. And there can be, you know, significant safeguards in place or tools that can be used to try to reduce these types of events, but we need to start thinking about ransomware as a matter of when and not if.
And the other thing that I would just mention, too, is health care runs on razor thin margins. And so the resources available to be dedicated to cybersecurity professionals or software tools, you know, that’s something that comes up against hard decisions. Do we allocate resources towards hiring more nurses or hiring an IT professional? And if you’re a small, rural, critical access hospital, those are incredibly difficult decisions because you may not have that much in the way of funding.
CHAKRABARTI: Okay. I’m going to come back to that because, while it is true that health care runs on razor thin margins, there are many for-profit systems in health care in the United States, and I think that makes it a unique area to sort of push a little bit.
But Dr. Tully, I mean, perhaps more explicitly, so a phishing email, like maybe that’s why, Andy, you were saying that it sounds like it’s an old problem. Because I feel like we’ve been hearing about phishing emails for 10, 15, even 20 years. But what are sort of the typical, you know, safeguards that would be in place for any sort of information system, Dr. Tully? And I would love some detail, because as a patient, you just presume it’s your health information that, you know, by federal law it has to be very, very secure. But it sounds like there’s some systematic areas in which perhaps it’s not as secure as we would think.
TULLY: Yeah, so you’re absolutely right. There are regulatory requirements, HIPAA, the Office for Civil Rights, you know, there is a strong incentive to keep our health care information protected. And in many institutions, it does benefit from strong encryption, separation, network segmentation, things that sort of try to isolate this. The issue is that once these threat actors are able to get into the network, then they’re sort of behind the firewall, so to speak. And that makes it easier for them to access some of this information, and if not stored or protected adequately, that’s where we see these types of breaches occurring.
CHAKRABARTI: Okay. And so, I mean, Andy, do you have more to add to that? Because we’re going to talk about the financial system a little bit later and I’m just wondering why we’ve seen the growth in health care attacks versus we haven’t seen the similar precipitous growth in what would seem to be vulnerable industries.
GREENBERG: Well, I think maybe the unsaid thing here is that all networks are vulnerable. Like, cybersecurity is an extremely difficult problem. And the adversaries that defenders are going up against here are well-funded, highly professional and organized cybercriminal gangs. I mean, these are not teenage hackers or, you know, kind of like solo cybercriminals.
You know, that said, I think that there are two different kinds of targets we’re talking about here. One, you know, to Dr. Tully’s point, are hospitals who operate on very low margins, whose priority is the health of their patients and every dollar — you know, I’m not a doctor, but it seems to me that that’s how hospitals work. You put every dollar you can into life saving changes and improvements. You don’t necessarily, like, buy new computers or pay your cybersecurity I.T. team more.
But then there’s also UnitedHealthcare, which owns Change Healthcare and made $22 billion in profit last year, I believe, and probably will do that again this year. And then left one of their essentially like their external facing IT tools, a Citrix help desk tool, essentially, that is used to log into machines across its network, left that exposed without two-factor authentication. Meaning that if anybody could just steal a username and password, they could get access to that and then basically use that to get access to the rest of Change Healthcare’s network.
That is absolute negligence. That is a really fundamental and bad mistake that a well-funded company should have caught and secured. And there is really no excuse. I mean, Change Healthcare absolutely should not have been vulnerable in that way. And I do think it’s an example of why regulations are needed.
CHAKRABARTI: By the way, this lack of two factor authentication in that one particular case with Change Healthcare, it’s not just a guess. As you’ve reported, they admitted that to Congress. Yes?
GREENBERG: Absolutely. I mean, admitted it, I think, after two months of difficult questions and stonewalling and then, you know, were forced to go in front of Congress and talk about how this happened. Finally admitted in that congressional hearing as well that they had paid a $22 million ransom. It’s not like Change Healthcare has been forthcoming about how this happened or how they behaved. But yes, you know, they did admit it ultimately.
And so in that case, we know how it happened. In many cases, we don’t actually even know the initial point of ingress. But yeah, it is often like an actual patchable, fixable mistake. And these are sometimes as you said, very well-funded private companies that can do more.
CHAKRABARTI: Mm. So Dr. Tully, tell me like, on average, maybe the Change Healthcare example, it seems kind of jaw dropping, right? A lack of two factor authentication. I mean, I need that to even log into my Google email. But maybe that’s an outlier here? I mean, how would you assess overall the average level of security at various touch points in a health care system’s networks?
TULLY: I mean, there’s no question that we can do better and we can engage in efforts to raise overall the security posture of the entire national health care infrastructure.
I think that previous example highlights that there are different vendors and services that are widely used and widely adopted. And when those institutions or companies are affected, that can impact a hospital through no fault of its own. So being able to mitigate and control risk for a hospital is sometimes very challenging if you can’t have that same level of control over your vendors or other external parties.
And just to kind of put another pin in it, you know, the institutions that are most at risk are those smaller, more rural critical access hospitals, and they often don’t have the funding of these larger for-profit companies. And so I think they’re really targets of opportunity. And a lot of the efforts that we’re engaged in is seeing how can we help raise the overall security of those institutions because they are a linchpin in the network.
CHAKRABARTI: Okay, so this is a really good point. And I also want to maybe add a little context here. We’re talking about this now because of the massive growth in the past couple of years in the number of cyberattacks on hospitals. So, I mean, Andy, is it fair to say that perhaps it’s understandable that there wasn’t as rigorous a sort of mindset of cyber protection in health care before now? Because, you know, maybe you don’t cross a bridge until it comes to it or it collapses under your feet?
GREENBERG: Well, I do think that’s probably true. And, you know, and Dr. Tully made this point and I was trying to as well, that I wouldn’t argue that we should move money, we should like prioritize cybersecurity over patients’ care inside of hospitals. That’s what makes this problem so difficult. I mean, these are, you know, organizations whose first priority is patients’ health care, patients’ health. And every dollar that you spend, you know, locking down systems, hiring rather expensive cybersecurity executives to kind of scour for vulnerabilities and fix things, that is money that is taken from actual health care. So, you know, I’m not sure that that is an easy fix.
On the other hand, as I was saying, some of these are private companies. So, you know, I think that we have to split this up and talk about the for-profit companies and the well-funded ones versus, as Dr. Tully was saying, these rural hospitals, in some cases.
I do think that there are other parts of this as well. There are other ways of, you know, there’s not just defense here. The United States government should be doing more to go after these groups, I think. It’s a very difficult situation because they’re in Russia, beyond the reach of western law enforcement. We see federal law enforcement agencies trying to disrupt these groups in ways that don’t involve arrests because they cannot literally lay hands on these Russian hackers who are honestly protected by the Russian state.
But that doesn’t mean that the U.S. government — and I would even argue, the U.S. military — I mean, that’s the extent of the critical situation here. Where I believe even like U.S. military hackers ought to be doing more to disrupt these hackers’ networks, to take back the ransoms that they steal, to impose costs on them, as we say in cybersecurity, to make this less of an attractive business to be in.
CHAKRABARTI: Dr. Tully, we’ve only got about a minute before our next break, but again, just to understand what the current lay of the land is so that we can accurately assess what needs to change in the future. I mean, how many, what percentage of hospitals across the country would you say are lacking a cybersecurity professional in situ at the hospital?
TULLY: Yeah. So back in 2017, there was a congressionally mandated task force that released a report that estimated that up to 80% of small, medium-sized, rural critical access hospitals did not have a single full time IT security professional on staff. So a workforce challenge is one of the primary things that we need to focus on solving for sure.
CHAKRABARTI: And these are, again, those small rural hospitals you’re talking about.
TULLY: Exactly. Which is a significant, if not a majority, component of the national health care infrastructure.
CHAKRABARTI: Wow. But that was 2017. We’re in 2024 now. Has that changed? Do we know?
TULLY: It’s gotten better for sure. But we still can talk about ways to make working in health care more attractive to people who would otherwise be in big technology finance companies.
CHAKRABARTI: Aha. That is a critical part of this question.
Part III
CHAKRABARTI: Now, as I’ve mentioned a couple of times, I mean, at least in my mind, if there’s any critical sector that would seem to be a massive target for ransomware hackers, it would be the financial services industry. Because, I mean, those companies are making trillions of dollars in transactions globally every single day.
However, the financial sector reported less than half the number of ransomware attacks that were reported by health care companies last year, and that’s according to an FBI report on internet crime. So what are financial sector companies doing that health care is not? We put that question to Chuck Brooks.
CHUCK BROOKS: The financial industry has always dealt with fraud, you know, false personalities, fake IDs, etc. They were already focused on security. So when we moved more into the connectivity and the digital age, they already had a mindset for security. That’s their main focus.
CHAKRABARTI: Brooks is a cybersecurity consultant and he teaches in the Cybersecurity Risk Management graduate program at Georgetown University.
And again, the key thing, as he said, is that financial companies were security focused even before the digital age. So when everything moved online, the financial sector invested early in cybersecurity and invested a whole lot. And they also adopted very aggressive standards.
BROOKS: They’ve set up networks to monitor sort of the zero trust, which is being promoted in government, to know exactly who’s connected and why they’re connected to their networks. They’ve also introduced sort of military grade encryption for a lot of them, for the banks, etc. They hired people right out of government and military that have expertise in cyber, and they invested in it early on.
CHAKRABARTI: Brooks says health care should also recommit to what he calls the basics: multi factor authentication — as we mentioned before — password protection, router protection, etc. The kind of stuff you already do just to log into your online banking account.
Now, whether hospitals are willing to make that investment is another story. They take cybersecurity seriously. But in April, the American Hospital Association, the largest hospital lobbying group in the country, issued a statement to the House saying, “Hospitals and health systems are not the primary source of cyber risk exposure facing the health care sector.”
Instead, the AHA pointed the finger at third party business associates or other health entities, including the Center for Medicare and Medicaid Services. They said that those were the initial points of attack that eventually filtered into hospital data systems. Now, nevertheless, Brooks says collaboration between the government and private health care companies will be a key tool for getting health care cybersecurity standards up to date.
BROOKS: The National Institute of Standards, it’s actually the Department of Commerce, but it works closely with the Department of Homeland Security, and it’s called NIST. And they basically do cybersecurity frameworks for every industry. And the good news is that all that information out there is free, and companies can go to their website and adopt an industry-specific security framework that will work for their industry.
And they don’t have to follow it to a T, but they can adopt some of the premises of it, from education to even media, you know, everyone’s a target. If you look at everyone as being a target, everyone has to play in the game of cybersecurity defense.
CHAKRABARTI: Okay, Andy Greenberg, let me turn back to you on this. So, first of all, do you think Brooks’ comparison between sort of not just the amount invested by financial services companies, but their whole mindset, that zero tolerance mindset, knowing everything about, every reason why anyone would be connecting to their systems. Do health care companies have to reach to that extent to have the kind of security that patients deserve?
GREENBERG: Oh, I think absolutely. The zero trust mindset is kind of like the contemporary buzzword in the cybersecurity industry. I could point you to a dozen companies that would be very happy to sell your health care provider a zero trust system with a lot of consultancy and service fees.
But, you know, I think that it’s just really important to say again that the financial services sector is swimming in money compared to these hospitals. I mean, I do think that health care companies, private health care companies — UnitedHealthcare is a great example — should absolutely have implemented this. But that’s after they do the absolute basic of implementing two-factor authentication on a public facing tool like the Citrix tool that was exploited in their attack. So yeah, I mean, absolutely zero trust is probably the kind of industry standard, but there’s so far to go for many of these companies to protect themselves before that.
CHAKRABARTI: Mm. So, Dr. Tully though, I mean, like I said, I don’t doubt the seriousness with which individual hospitals and individual groups are taking this because I mean, nobody wants their patient data to be leaked all over the dark web or for medical staff not to be able to care for the people in need.
But I am kind of curious about this AHA statement from just April of this year, because it was in response to the Biden administration’s proposal in the latest HHS budget request that would have instituted some penalties that hospital systems would incur if their cybersecurity practices weren’t improved. And the AHA basically urged Congress to reject those proposals from the Biden administration. And what do you think about that?
TULLY: Yeah, so at the center, we are a nonpartisan advocacy group, and I could definitely understand the perspective of the American Hospital Association, which is an interest group working on behalf of hospitals. I think ultimately, the most successful solution to this problem is going to be some degree of regulation that also builds in the incentives to be able to address some of these disparities.
And I think there are various proposals, including one from Senator Warner that kind of starts to move in this direction. What I would like to do, if it’s okay, just to kind of leave listeners with a little bit of optimism is comment on some of the ways that the federal government is already engaged in solutions to this topic and working with some very talented individuals and agencies to kind of address some of these pain points as we work on the larger policy solutions.
So, CISA who you mentioned earlier —
CHAKRABARTI: Actually, Dr. Tully, can you give me a second here?
TULLY: Sure.
CHAKRABARTI: I really want everyone to hear clearly what you’re about to say, but your line is kind of — it’s very digitized and shaky right now. So we want to reconnect with you so that we can get a clearer line.
TULLY: Sounds great.
CHAKRABARTI: I’m just going to. Yeah. Because I don’t know, maybe some hackers don’t want you to talk to people and tell them what we should do to improve the situation! (LAUGHS) But we’ll get you back on a clearer line, and then you can explain the things that are positive steps we can take. So let’s get that done. And while we do that, Andy, let me ask you, though, I’m still intrigued by this AHA statement and their posture here because they are a massive health care lobbying group that puts a lot of pressure and spends a lot of money in lobbying Congress.
And just give me your honest assessment of when they said that they say a well-documented source of cybersecurity risk, including the Change Healthcare cyberattack, is from vulnerabilities in third party technology, not hospitals’ primary systems. So it sounds like they’re saying there, “Well, the hospitals themselves, they don’t need to do much to improve.”
GREENBERG: Well, that’s absolutely, I mean, it certainly sounds like they’re changing the subject. But they’re also correct. I mean, you could, you can see this with Change Healthcare. That was a payment system that went down and, you know, disabled more than a thousand health care providers across the country. The Synnovis attack in the UK that we talked about, that was a testing lab company that is a joint venture with the NHS. And because of that third party down time, these hospitals couldn’t do any blood tests, for instance, and had to solicit new blood donations to find, you know, O-type blood that they could give to any patient because they couldn’t test patients’ blood.
I’ve reported on another situation in which, you know, this was actually in 2017, where the disruption of a speech-to-text software company caused massive problems in many U.S. hospitals, dozens. Because doctors who were reading changes into patients’ medical records out loud didn’t know that this system had been disrupted so everybody lost track of the updates to medical records, didn’t know which patients were due for which tests before their procedures.
So there is so much third party and kind of cascading dependency in the risks here. So they’re right about that. But I don’t feel like that should let hospitals, you know, we shouldn’t listen to a lobbying group tell us that hospitals don’t also need to secure themselves.
CHAKRABARTI: Yeah. So, you know, I do want to just go back to your point that, of course, the financial services industry has a ton of money, no doubt about that. But they’re also dealing with money, right? So there’s very little/zero tolerance amongst people and companies to have their money have any exposure, any vulnerability. But the same goes for health care, right? I mean, there are studies that I’m sure you know well that show that actually these cyberattacks have increased mortality rates at hospitals that have been targeted. So people’s lives are actually on the line. So with that in mind, should there be like a zero tolerance approach as well?
Is it not possible for — maybe through the help of the federal government, I don’t know — but for health care companies to say, or hospital systems to say, “Look, for all of these third parties that we’re contracting with, just like financial services do, part of our contract is you’re going to have to shore up your cybersecurity as well?”
GREENBERG: I think that that is absolutely part of the solution. And I think you’re right that hospitals, yes, should be demanding that of the private companies that they work with, which is feasible because they have the profit margins to actually protect themselves. But I want to return to this idea, too. I don’t mean to change the subject myself. I’m also really interested in hearing Dr. Tully’s, you know, optimistic points about what’s going well here.
But, you know, implementing regulation is only one part of what the federal government should be doing here. That is still kind of putting the onus on the victims to protect themselves. But this is a geopolitical problem. You know, these hospitals and health care providers are being attacked by a foreign adversary. These extremely well-organized criminal groups in Russia protected by the Russian state.
And we’ve seen situations in the past where U.S. Cyber Command, like the actual U.S. Military hackers who are some of the most talented and well-resourced in the world have gone off and disrupted the networks of even cybercriminal groups who were believed to be a threat to like the — I think actually it was the 2018 election at the time. And I don’t see why we can’t do something similar here. I don’t mean to sound hawkish, but why is U.S. Cyber Command not going out and disrupting the networks of these hackers who are posing a very direct risk to American lives?
CHAKRABARTI: Well, I mean, it doesn’t sound hawkish to me. I mean, the federal government itself considers health care a core sector for national security and safety. But I think we have Dr. Tully back on a slightly better line. And we’ve got a few minutes left, Dr. Tully. So lay out those reasons why people have to be at least hopeful about steps forward that can be taken.
TULLY: Sure. And sorry about that. I hope my network isn’t compromised.
CHAKRABARTI: (LAUGHS)
TULLY: So CISA, the Cybersecurity Infrastructure and Security Agency does have a program called the Ransomware Warning Pilot that reaches out proactively to institutions that are found to have critical vulnerabilities that have been exploited previously by ransomware attacks.
And I’m aware of several hospitals who have successfully avoided a ransomware attack based on that type of intervention. The House in June announced a new partnership with Microsoft and Google to extend a host of secure tools and services to these smaller, more rural critical access hospitals. And the government is funding research into this problem, which is sorely needed, particularly through a new agency called the Advanced Research Projects Agency for Health, which is looking to fund kind of transformational digital security projects. One of which I have to say I’m involved in, where we’re looking to really improve the response to these types of attacks.
We’ve talked a lot about privacy, but the patient safety elements I think are the most important from the standpoint of a physician. And so I’m interested in developing open source tools and methods and plans that hospitals can use to make their patient care safer during these types of events. And I’m very encouraged and optimistic by our progress on that front.
CHAKRABARTI: And do you dare give a timeline on when some of these things will move out of research phase and actually be available to hospital systems small and large?
TULLY: I mean, some of our projects are wrapping up next year, and we’re going to be releasing as we go along some of these plans and tools. And so I’m very optimistic that we’re gonna start to see some impacts here on a short-term basis.
CHAKRABARTI: Well, Dr. Jeff Tully, co-director of the Center for Healthcare Cybersecurity at the University of California- San Diego. Thank you so much for joining us today.
TULLY: Thank you so much for having me.
CHAKRABARTI: Alright, Andy, we’ve got a couple of minutes left here and I do want to ask, is there a role for, you know, the 330 million Americans who are users of the health care systems as well? I mean, is there something that we ought to do on our end to try and increase security with our health care records?
GREENBERG: Well, I don’t know. Class action lawsuits? (LAUGHS) I do think that, unfortunately, this is a situation of cascading victimization. Essentially, these companies are the victims. And yet they are controlling our data. And there’s only so much that the companies can do themselves. And then there’s even less that we can do as the kind of final victim of these attacks.
CHAKRABARTI: But Andy, let me just jump in here. Because specifically when you mentioned class action lawsuits, that does raise this important question. I mean, we have HIPAA laws, right, that are supposed to protect the privacy of everybody’s medical information. And if companies are not doing, especially the ones that can afford it, what they need to do in order to shore up cybersecurity to protect that data. I mean, shouldn’t, don’t they carry some kind of liability there?
GREENBERG: Oh, absolutely. I’m not sure about HIPAA laws specifically. As Dr. Tully said, you know, HIPAA laws involve requiring encryption and other protections on certain data, but don’t necessarily work against an adversary that is in the hen house, like a fox in the hen house. It’s not meant to prevent an actual adversarial hacker from getting in who was motivated to get past that encryption to find the credentials that unlock that encryption.
And also not only that, you know, HIPAA is about privacy, but there’s a question of disruption here as well. I would say, in fact, the main damaging thing that ransomware groups do is disable networks and take hospitals down. So HIPAA can’t really help us there.
You know, I mentioned class action lawsuits. I guess I was joking because they’re a little distasteful. There’s something kind of gross about ambulance-chasing lawyers. But I also, I fully believe that those are warranted and that the class action lawsuits, I think that are already underway against Change Healthcare —
CHAKRABARTI: And Ascension, apparently. There are two.
GREENBERG: And Ascension. I guess I’m, even more so with Change, I’m happy to see those. I think they are one part of how our American system holds companies accountable.
CHAKRABARTI: Well, Andy Greenberg is senior writer for WIRED where he covers hacking, cybersecurity and surveillance. His latest book is Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. Andy, thank you so much for joining us today.
GREENBERG: Thank you, Meghna.