Over our lifetimes, all of us will need to visit a hospital, medical center or
clinic for one reason or another, whether for the obligatory annual physical,
stitches after a fall, or a medication refill. Whatever the reason, the common
thread is that people are visiting the facility for medical services, and
depending on the individual's needs, the visit may be critical or routine. Either
way, the patient requires the service. When there is a problem providing it, the
effect is felt not only by the facility but by every single patient who would have
received care there. We have seen the effects of phishing attacks on most industries;
depending on the specific attack, they can be especially problematic for medical
facilities. Overlake Medical Center & Clinics experienced this recently.
Overlake Medical Center & Clinics
Overlake Medical Center & Clinics is based in Bellevue, Washington. The facility
is a non-profit with 364 beds. All was well until the issue was detected.
Attack
The medical facility was the victim of the infamous, yet uncomplicated, phishing
attack. In early December 2019, a small number of employees saw the phishing lure,
judged the email to be legitimate when it was not, and clicked the link, image, or
whatever the attack used in this case. The unauthorized party, having harvested
the credentials, compromised the accounts between December 6-9, 2019. This was
detected once the attackers began to access the email accounts on December 9th.
Within hours, the medical center secured the affected email accounts and began
its investigation.
Data
For some reason, patient data for the 109k affected patients was stored in the
email accounts. This possibly included names, dates of birth, phone numbers,
addresses, health insurance information, insurer numbers, diagnoses, and treatment
information. This is a treasure trove for the attackers: the data may be sold
whole or sliced into usable sections for specific malicious parties.
Post-Attack
After the compromise was detected, the medical facility was required to notify
those affected. Notification began on February 7, 2020, when they started to
contact the 109,000 patients. This is a rather arduous task given the number of
patients and the subject matter. Even if only a small fraction of those notified
called the medical center seeking answers to their questions, a large amount of
labor would still be needed to take the calls and talk with each affected patient
who reached out. As of the notification date, this was the third-largest breach
of the year.
The medical center did state there was no evidence the data had been used by the
unauthorized parties. This is a hollow statement, though. With the attackers
holding the data, they or any purchasers could simply wait to use it, and if it
were used, it may be difficult to pinpoint this compromise as the cause.
Additional Security Features
In response to the successful attack, the medical facility reset employee
passwords and put additional security features in place (e.g. multi-factor
authentication and email retention policies). The facility was also enhancing
its staff education to help employees better recognize, and then avoid, phishing
emails.
Questions
There is a question of timing. They found the credentials had been compromised
and used from December 6th through the 9th, 2019, yet they did not start to
notify the affected parties until February 7, 2020. Granted, the medical facility
had to complete its investigation, including the attack vector analysis and
determining who was affected. Even if that had taken a month, this still leaves
another month for the medical practice to arrive at the data, which seems a bit
long, even for a conservative approach to the forensic review.
Helpful Tips
While phishing attacks are an epidemic, there are measures which medical
facilities may put in place to reduce this issue to a reasonable level of
acceptable risk. These include, but are certainly not limited to:
· Having secured storage in place and tested regularly. Simply having storage in
place is not enough; it needs to be tested to ensure the storage is viable.
· Log collection. This is a very useful tool, allowing the organization to
periodically check activity, including connection attempts and connections.
There are several SIEMs on the market which will analyze these for the
organization, significantly reducing the labor overhead that would otherwise be
expended. One highly regarded tool to accomplish this is Splunk.
· File integrity monitoring. This is coupled with the secured storage. If the
files lack integrity, they are not especially useful.
· Event detection. In order to know there has been an issue, the event has to be
detected. This is another situation where a SIEM would provide the organization
with the data and analysis to show the compromise and begin the incident
response protocol. Two SIEMs which could be used to accomplish this are Splunk
and AlienVault.
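The log collection and event detection tips above are most useful when a concrete rule sits on top of the collected logs. The following is an added example, not code from the original post or from Overlake, of a SIEM-style rule run over constructed mailbox sign-in records to catch the pattern described in the Attack section: credentials harvested from several employees are used from one outside address to log into their email accounts. The user names, IP addresses and the 10.20.0.0/16 staff network range are all assumed sample values.

```python
# Added example (not the post's own code): a SIEM-style rule over constructed
# mailbox sign-in logs; user names, IPs and the 10.20.0.0/16 range are assumed.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: ISO timestamp, user, source IP, sign-in result
SAMPLE_LOG = """\
2019-12-06T08:02:11Z alice 10.20.0.15 success
2019-12-06T08:05:43Z bob 10.20.0.31 success
2019-12-09T03:12:05Z alice 203.0.113.44 success
2019-12-09T03:13:40Z bob 203.0.113.44 success
2019-12-09T03:14:02Z carol 203.0.113.44 failure
2019-12-09T03:15:19Z dave 203.0.113.44 success
2019-12-09T09:30:00Z carol 10.20.0.52 success
"""
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed staff networks

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def parse_log(text):
    """One dict per log line, with the timestamp parsed."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events

def shared_source_alerts(events, window=timedelta(minutes=10), min_users=3):
    """External IP trying >= min_users distinct accounts in one sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if not is_internal(e["ip"]):
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)  # every listed account needs securing
                break
    return alerts

def external_success_alerts(events):
    """Successful sign-ins from outside trusted networks: secure these first."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "success" and not is_internal(e["ip"])]
```

On the sample log, shared_source_alerts flags 203.0.113.44 for touching four accounts within three minutes (the failed attempt on carol's account counts too), and external_success_alerts lists the three accounts that were actually entered from that address.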