At one point or another, we all need healthcare during our lives.
Healthcare facilities are located in every state, in rural and metropolitan
areas. One aspect that seems pervasive across them is a supply chain that
brings third parties into the system. It is a rarity these days for a
healthcare facility to have full vertical integration of its supply chain,
excluding vendors for everything. Vendor integration makes the vendor's
communication, invoicing, and other necessities a little more convenient.
This, unfortunately, has the potential to bring risk to your organization.
One area not addressed to a significant extent is supply chain management. When
the business allows its vendors access to its system for efficiency or
convenience, there should be a full vetting process. It does not appear this
was the case with Spectrum Health of Lakeland. The medical facility is located
in St. Joseph, MI.
Attack
The supply chain has been a completely viable attack point
for over a decade. While this is a risky point, not enough attention has been
paid to it. This is where a common saying applies: you are only as strong as
your weakest link. This is truly applicable to the supply chain. When you
grant access to, or contract with, services outside of the organization,
unless senior management has the vendor fully vetted and that vetting
regularly updated, the organization is inviting a significant amount of risk.
These issues occurred with their billing functions.
Management contracted the medical billing out to Wolverine Services Group. The
vendor was pwned. They were a victim of a very successful ransomware attack. The
attackers gained access to the data and encrypted it. Later they did decrypt
it. These fateful events occurred in September 2018. Spectrum Health was
notified on December 17, 2018. They issued a press release on March 14,
2019. As you can tell by the dates, there is a rather significant lag in time.
Normally, this would not take this amount of time. In this instance, verifying
the attack's symptoms took a bit of time. Both Spectrum Health and Wolverine
Solutions Group also conducted their own separate investigations. This assuredly
was costly and required many people's time.
Affected
This directly affected approximately 60k
Spectrum Health Lakeland patients. Fortunately, this affected only the patients
of this specific facility. There are many other facilities that could also
have been involved. The company has stated they can neither confirm nor deny
whether the patients' confidential data was exfiltrated. If you think through
this, however, would an attacker spend the time to complete the reconnaissance
and other steps to be confident in their ability to breach and steal data,
and then not take it?
This also affected other organizations that were clients of Wolverine
Services Group. So far, these include the North Ottawa Community Health
System, Mary Free Bed Rehabilitation Hospital, Health Alliance Plan, and Blue
Cross Blue Shield of Michigan.
Data
The evidence does appear to indicate the data was accessed
by unauthorized parties. The data included names, social security numbers,
addresses, health services provided, insurance companies, and amounts due. This
information would be very helpful in social engineering or identity theft.
Thoughts
For a business working with confidential, sensitive data,
especially in the age of HIPAA, one would think Wolverine Services Group
(WSG) would have a relatively sophisticated cybersecurity system in place. This
may include log analysis, a SIEM, and other monitoring. In the case at hand, it
took 2-3 months for WSG to realize they had been breached. Even if the
attackers used advanced techniques to cover their tracks, WSG still should
have been able to detect the issue.
The company cannot confirm or deny the confidential data had
been stolen. While this may be true, at the least the attackers viewed it. They
could have copied it and exfiltrated it with no issue. The idea that the
attackers did not attempt to steal the data after spending the time and money
to learn the system and breach it does not hold water, especially when you
consider the risk of being arrested and jailed and that the attackers had 2-3
months of availability.
This emphasizes the need to examine the business's supply
chain in depth. If there are any vendors that connect to your system, their
cybersecurity stance truly needs to be evaluated. There is absolutely no need
to accept or introduce any risk that is not completely understood, unless you
want your organization in the Sunday paper.