“Most of the time we think of, let's say, a school system gets hit with ransomware, a system has to shut down, and it's a localized incident,” said Geraghty, who is also director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).
But attacks like the recent ransomware incident that disrupted Change Healthcare show just how hard systemic impacts can hit. Through that attack, actors were able to affect hospitals across the country.
“Here we have one organization — Change Healthcare — where it’s an individual organization that’s affecting the rest of the health-care system in the United States,” Geraghty said.
UnitedHealth Group’s Change Healthcare is a major medical claims processor. BlackCat ransomware struck the company, leading to a prolonged outage that left many hospitals and other health-care providers struggling to submit claims to insurance. Many have been running low on funds. The CEO of independent physician practices network Aledade told the Washington Post that about a quarter of U.S. physician practices are in severe financial distress.
Systemic risk is especially high in sectors where many players rely on the same vendor or technology. That’s what’s made Change Healthcare, MOVEit and Citrix Bleed nationwide events.
New Jersey organizations suffered from the latter two, with MOVEit compromising the personal info of more than 1 million residents, based on incidents reported to NJCCIC, per the state’s 2024 Threat Assessment report. And Citrix Bleed disrupted New Jersey hospitals, forcing problems ranging from slow patient care to postponed surgeries.
In contrast, election infrastructure is highly diversified, so a single attack would not have wide-scale impacts on election security, Geraghty said. He added that vendor and technology diversification is just one possible security approach, and that organizations can weigh the pros and cons of different strategies — but either way, they must have a strong plan.
As New Jersey looks ahead, systemic risks and attacks that spread along the software supply chain are only some of the threats it’s eyeing. Ransomware, hacktivism and other attacks are likely to continue too. NJCCIC predicts that in the state, potentially debilitating cyber attacks across sectors will continue through the year.
Since 2021, the volume of cyber attacks hitting New Jersey appears to have stayed relatively steady, ranging from 531 to 559 attacks annually. However, 2023 saw a shift in the reporting landscape that may put the seemingly consistent numbers in a different light.
In early 2023, the state passed a law requiring public entities and government contractors to report incidents, which drove a 41 percent increase in reporting, per the report. Geraghty said the relatively flat number of incidents reported likely reflects fewer disclosures from the private sector.
Entities reporting cyber incidents in 2023 most often cited social engineering, followed by hacking or incidents of unauthorized access and, finally, ransomware or other malware.
Looking ahead, New Jersey anticipates that politics may spark additional threats this year. Alongside attacks on state election infrastructure, New Jersey anticipates possible threats from China in retaliation for New Jersey’s efforts to build tighter relationships with Taiwan, per the report. New Jersey also has significant Muslim and Jewish populations, raising concern the state could be targeted by possible cyber attacks related to the Israel-Hamas conflict.
The report also highlighted risks of malicious AI-powered deepfakes and personalized phishing ploys as well as attacks that try to corrupt and manipulate AI systems. This could even mean compromising AI decision-making systems used in utilities’ operational technologies or in autonomous vehicles to cause physical damage or harm.
One tool to counter is collaboration. NJCCIC aims to encourage incident reporting from all sectors, emphasizing that it just wants info to forewarn other victims, Geraghty said. Encouraging more reporting means keeping the info private even from criminal or civil subpoenas, as well as making it clear that NJCICC isn’t regulatory and so won’t penalize organizations for deficient security controls revealed during reporting.
Federal grants have also helped the state provide more shared services to local governments, including an endpoint detection and response platform. New Jersey also expanded its managed detection and response platform to counties, school systems and municipalities, Geraghty said.
