Wednesday, May 9, 2018

Medical records as phishing targets

Over the last few years, there have been many breaches involving hospitals, doctors’ offices, and other institutions that secure medical records. These records are generally held in an electronic format, such as electronic medical records (EMR) and electronic health records (EHR), and they definitely have value on the dark web. They are not simply lying about for anyone to exfiltrate; they are secured at various levels with information security and cybersecurity controls. Failing to apply security would be negligent and in violation of several laws, including HIPAA. With these records secured, the attackers need to find alternative methods to compromise the systems.
One such incident occurred in 1Q2018. Unity Point Health was compromised between February 1st and 7th, and the attackers, as an extension of the compromise, were able to access approximately 16K patient medical records. The attack vector was a phishing attack.
The attackers were able to exfiltrate the patients’ names, dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, dates of service, and insurance information. The attackers may have also had access to social security numbers and other patient financial information.

This provides a training opportunity for the medical field on what can happen with a compromise from a simple, yet effective, phishing email.



As always, please contact us for a consult as needed.


Thank you!

