Hospitals are located throughout the country, and now more
than ever they are operationally stressed. As part of the intake process,
hospitals have to take in patient data, and this data accumulates rapidly. Hospitals
hold a massive amount of patient data, and it grows daily. While this data
takes up space on the servers, it also holds value for bad actors looking to
use it maliciously. There are various tools attackers can use to
compromise a system. Munson Healthcare found this out the hard way.
Munson Healthcare
Munson Healthcare is based in Traverse City, MI. Munson Healthcare operates Munson Healthcare
Charlevoix Hospital. This is northern Michigan’s largest health care system. In
addition to the Munson Healthcare Charlevoix Hospital, the firm also operates
hospitals in Cadillac, Grayling, Kalkaska, St. Ignace, Manistee, Gaylord, and
Frankfort.
Attack
In January 2020, the IT department began to notice certain issues
with the email system. There was some suspicious activity
within the system, which led to further investigation. The IT department
found the root of the issue: the email system had been compromised.
The attackers used the tried and true phishing technique. Because the
attack has such low overhead and is so easy to carry out, it is no surprise that it was
used and succeeded. In this case, there were more victims than might
normally be encountered. Here, 29 employees took the hook and clicked on a
link or opened an attachment they should not have.
As indicated, the phishing attack was successful. The
attackers had unauthorized access from July 31 to October 22, 2019, or
over 2.5 months. During this time, the attackers had unfettered access and had
the ability to access patient data. It is surprising that it took nearly three
months for the IT department to detect the issue. Upon detection, the healthcare
organization contracted third-party cybersecurity professionals to
investigate the breach.
Data
The healthcare facility was not sure how many patients were
affected by the breach. Munson's estimate is that the number of affected
patients is in the hundreds. The patient data may have
included patient names, dates of birth, health insurance information, and
treatment information. The patient data was in the affected employees’ email accounts.
For a limited number of the affected patients, financial account numbers,
driver’s license numbers, and Social Security numbers may also have been leaked.
This limited subset of the overall breached records is much
more serious, as that data is far more useful to an attacker when combined with the other data.
Post-Attack Actions
Obviously, this is not the optimal circumstance for the healthcare
organization. As the breach included patient data, they had the opportunity to learn
from it and reported the breach to the U.S. Department of Health and Human Services
per HIPAA. In addition to reporting it, the organization is also providing a
credit monitoring service for the patients whose Social Security numbers were included
in the compromise.
Internally, Munson Healthcare also had its employees
undergo additional cybersecurity training. While this is a step in the right
direction, it is a false hope for the future if not implemented correctly: a
one-off training this year, followed by a return to the same routine of a single
annual session where a portion of the employees’ eyes glaze over while the
remainder keep their eyes trained on their cell phones, paying attention to everything
except the presentation.
As for the infrastructure, the IT department has implemented
additional cybersecurity measures. Given what occurred, this is a natural
extension.
Looking Forward
This is yet another case showing that training needs to be done
throughout the year, be insightful, and have some level of entertainment. Without
this in place, organizations will continue to be reactive post-breach
instead of proactive in minimizing the potential for a breach.