A Tale of Two Hacker IncidentsHealthcare Organizations Facing More Cyberthreats
Two recent hacking incidents that each affected more than 100,000 individuals illustrate the variety of cyberthreats healthcare organizations face during these chaotic times.
See Also: Determining the Total Cost of Fraud
Friday, Salt Lake City, Utah-based medical testing laboratory Utah Pathology Services reported to federal regulators an email hack affecting 112,000. Earlier in August, Severna Park, Maryland-based Dynasplint Systems, which sells splints for patients with connective tissue issues, reported a hacking incident involving a network server that affected about 103,000.
The two hacking incidents are among the largest posted so far this year on the Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool website that lists health data breaches affecting 500 or more individuals.
Don't Overlook Data Security
At a time when healthcare organizations are dealing with the COVID-19 crisis, they must make sure they continue to give adequate attention to data security.
“A key umbrella theme for healthcare these days is that pandemic response must include heightened security of information systems and data,” says Cathie Brown, vice president of professional services at privacy and security consultancy Clearwater.
“In recent months, the pandemic has created a situation where the landscape in healthcare has changed dramatically,” she notes. “Cybercriminals are taking advantage of healthcare’s focus on COVID-19. It shows in the increase in successful attacks.”
Keith Fricke, principal consultant at tw-Security, predicts: “The fourth quarter of 2020 will bring a spike in criminal phishing campaigns due to the holiday season, an election year and possibly more hurricane-related destruction prompting charitable agencies seeking donations.”
Utah Pathology Incident
In a statement, Utah Pathology Services notes that on June 30, it learned than an “unknown third party” attempted to redirect funds from the organization. “This suspicious activity did not involve any patient information or the completion of any financial transactions,” the lab says.
“Upon discovery of the attempted fraud, Utah Pathology quickly secured the impacted email account and launched an investigation.”
A spokesman for the organization tells Information Security Media Group that the incident involved the compromise of an Office 365 account and an email that fraudulently appeared to be sent internally from an employee requesting a wire transfer. This is typical of a business email compromise scheme.
The wire transfer was not made, and law enforcement was notified, the spokesman says.
The lab’s ongoing forensic investigation has discovered that the personal information of certain individuals was accessible to the hacker attempting to commit fraud, Utah Pathology says in its statement.
That includes names, dates of birth, phone numbers, mailing addresses, email addresses, insurance information, health information, and, for a small percentage of patients, Social Security numbers.
"At this time, we do not have evidence that any patient information has been misused,” the lab says in its statement. But Utah Pathology is offering affected individuals 12 months of prepaid credit and identity monitoring.
The lab also says it’s implementing additional security measures.
Dynasplint Systems Hack
Dynasplint Systems says in a statement that on May 26, it experienced a data security incident in which employees were unable to access an information system.
Dynasplint does not say whether the incident involved ransomware, and the company declined ISMG’s request for additional details.
A forensics investigation determined that certain information was accessed without authorization during the incident, including names, addresses, dates of birth, Social Security numbers and medical information, the company says.
"Dynasplint Systems reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable,” the company says. Individuals whose Social Security numbers were exposed are being offered prepaid identity monitoring services.
Healthcare organizations need to be well-prepared to prevent, detect and respond to security incidents, Fricke says. Key steps include: using multifactor authentication for email accounts, promptly applying software patches, training the workforce on spotting phishing emails, testing restores of backups, and conducting penetration tests “at least annually to find weaknesses before the criminals do.”
Multifactor authentication is particularly valuable in helping to prevent business email compromise schemes, Fricke says. But implementing MFA “may mean sunsetting legacy applications and systems that do not support it.”
Brown of Clearwater says protection against BEC scams requires several layers of defense.
“The human layer is most important and includes awareness training for all staff, especially those in the C-suite,” she says. “Many people feel they are too smart to fall for these attacks, but BEC attacks are more sophisticated than ever.”
Another important step, she says, is to require two approvals to release funds for wire transfers and ACH [automated clearinghouse] transactions.
“User behavior analytics is gaining traction in larger organizations, looking for anomalous activity for computer accounts of users,” Fricke notes. “More organizations are outsourcing centralized log management and paying third parties to monitor network activity 24x7.”
Organizations should also revisit their breach response plans and policies and conduct drills to test their efficacy, he notes.
Brown also urges organizations not to delay efforts to enhance their cyber risk management programs.
“What is spent on these projects in dollars can pay huge dividends when it comes to protecting against breaches and cyberattacks. Healthcare must be diligent in the security defense measures to protect patient data.”