Healthcare is in a difficult position during these times. Between the
pandemic, budgetary constraints, union negotiations, and other issues, its road
is, to say the least, tough. Now add in cybersecurity issues, and the risks
increase exponentially. All it takes is one person in the right department to
click on the right link or icon, and BAM, a compromise is just around the
corner. Goshen Health was unfortunate enough to learn this from its own
experience. In this example from late last year, Goshen Health had the
opportunity to test out its incident response (IR) plans first-hand.
Data
Healthcare facilities hold a great deal of data, which is valuable for
numerous reasons, and especially so for attackers: it sells on the dark web
without an issue. In this case, 9,160 patients had their protected health
information (PHI) stolen from Goshen Health. The data could have included many
different points for each person. In this instance, the data exfiltrated
included names, dates of birth, location, driver's license number, social
security number, healthcare insurance details, names of doctors providing care,
and certain clinical information. This would be highly beneficial for the
attackers or for the person or organization purchasing it. All of this data
could be used for credit card fraud, fraud over the phone, utility fraud, bank
fraud, government identity fraud, and medical identity fraud. The truly
enterprising attacker could use this data for years to come.
Post-Compromise
After the InfoSec department and administrators understood that the compromise
had happened, the facility notified the 9,160 potentially affected patients on
September 30, 2019. Since this was a phishing attack, Goshen Health secured the
compromised email accounts. Without this action, the breach would have remained
open, and the attackers would have continued to leverage it as much as
possible. After the notification, the incident investigation began immediately.
At first, Goshen Health believed it would not need to issue patient
notifications. This sounds counter-intuitive given there was a breach of a
medical facility; the team, however, believed no PHI was involved. This was a
rather significant oversight. As of August 1st, the compromised email accounts
actually did contain patient PHI. This pattern has been noted in several
successful attacks in recent memory: instead of the PHI staying on the servers
or in the cloud, the data is passed around by email. If the PHI had not been in
the compromised emails, the organization would not have had to notify the
government and staff. To reduce the potential for this to occur again, the
facility has improved its security protection and added more forensic
resources and technology, in case it is targeted again. For the investigation,
it contracted third-party forensic personnel in November 2018 to research the
breach. The subject matter experts (SMEs) did not initially find evidence of
PHI being involved. It took them a year to identify the compromised email
accounts that held the PHI. The organization filed the breach report with the
HHS Office for Civil Rights on September 30, 2019. For those whose social
security numbers were exposed, the facility is offering free credit monitoring
and identity theft protection for one year. The organization had its employees
attend email security and phishing awareness training, and the facility is
recommending that patients monitor their accounts for any irregularities.
Attack Method
Phishing strikes again. The phishing attack took place in August 2018, from
the 2nd to the 13th. All of the affected patients and all of the additional
expenses to the facility trace back to a simple phishing email. This is another
example of how far-reaching the effects of a single click can be for a large
hospital, from the cost of the investigation to the direct impact on patients.
The access was from an unknown, unauthorized party.
In parting…
There seems to be a rather significant time lag with the organization in more
than one area. It took approximately a year to discover that the emails
contained PHI. This task should not have taken that long to accomplish: mail
server logs and other resources are available to review exactly this. This
portion is especially curious.