
Tuesday, January 9, 2024

Yet Another Compromise

 

Compromises are constantly being published across industries, and many more go unpublished for a variety of reasons. Years ago, attacks were initiated by people showing off their skills, and the corporations' lack of focus on security allowed these exploits. Times certainly have changed. This endeavor has now been operationalized and streamlined, and has become a profit center with an ROI.

Every company is a target for these attacks. At the heart of most of them is data, which has many uses for the bad actors, from being sold to being ransomed. There are no geographic boundaries either. A company in Michigan recently had the opportunity to enjoy this at great length.

HealthEC, LLC, is a population health management platform that works with Corewell Health. The focus of the work is to identify high-risk patients, which is great and beneficial for the patients. The company was recently compromised, leaking confidential data and information on over a million Michigan residents.

The leaked data included the patient’s name, address, date of birth, social security number, medical information (e.g., diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name), and health insurance information. The first four data points being compromised is bad enough (e.g., for identity theft), but add in the medical and health insurance information, and the successful attackers have a field day. This also increases the potential for ransomware to come into play.

To address concerns, HealthEC is offering 12 months of credit monitoring and identity protection services through TransUnion. This may sound great, and it is for the first 12 months. Think about what happens after the 12 months. Much of the stolen data is permanent, and the rest could be updated with a quick and easy internet search.

Thank you.



 


Saturday, August 17, 2019

Lengthy Time to Report Compromise: 8 Months for PHI Theft

Sharecare Health Data Services (SHDS) offers a secure method for electronic exchanges of data. The organization also manages medical records for healthcare businesses. It is located in San Diego, CA.
Compromise 
The attack was detected in the usual way on June 26, 2018: the observed activity was abnormal when compared to the normal baseline. This red flag began their investigation. The initial analysis was that the attackers had breached the defenses and gained access to the systems which contained protected health information (PHI). This access may have started as early as May 21, 2018. The unauthorized access affected 18,416 insurance members of Blue Shield of California. Approximately 5,767 AltaMed patients were also affected. The data was a buffet the attackers could use and sell: the name, address, birth date, unique patient number, address where the health services were provided, internal SHDS processing notes, and medical record numbers. The attackers had unfettered access from May 21, 2018, to June 26, 2018, over a month. On June 26, 2018, the attackers accessed the data and exfiltrated it to sites overseas. This was reported to the other healthcare organizations directly affected on December 31, 2018. Fortunately, the patients’ social security numbers, financial information, and detailed clinical information were not accessed.
Notification
The unauthorized access began as early as May 21, 2018, and was detected on June 26, 2018. The other affected healthcare organizations were notified on December 31, 2018. The notice to the affected patients occurred on February 15, 2019. In addition to the clients, the FBI was also notified.

The other healthcare organizations were notified of the breach and of the potential that the data had been accessed by these unauthorized parties. From the timeline, the extended period, over five months, before the other healthcare organizations were notified is odd, and no reason was given for it. One of these affected healthcare organizations was AltaMed, with 5,500 of its patients included in the compromised records pool. Oddly, adding confusion to the rationale, the patients affected by the breach were notified an additional 2.5 months later.
Mitigation 
After the detection, SHDS contracted with Mandiant, a cybersecurity consultancy, to help with the forensic analysis and review. On a positive note, once this was detected, immediate steps were taken to cease the unauthorized access. SHDS enhanced its security to minimize the potential for further successful attacks and revised its data retention policies. The business contracted with a third party to monitor its data systems 24 hours a day, seven days a week. SHDS offered the affected patients a year of free credit monitoring and identity theft protection services through AllClear ID.
Questions/Lessons Learned
With a breach and compromise, time is of the essence. In most cases, it is not prudent to wait for extended periods to report a breach. In this instance, it took over five months to report this to the other healthcare organizations, whose patients were affected by this SHDS issue. Overall, it took nearly eight months to notify the affected patients. This is simply unacceptable. The organization had the list of affected parties and still elected not to inform them in even a remotely timely manner. 

It is difficult to imagine how their InfoSec team did not detect unauthorized access for over a month. It seems their SIEM should have detected this well before the mass of data was exfiltrated. The issue begs the question: was the SIEM fully integrated into the environment, or were the filters/scripts not fully utilized?
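The SIEM question above invites a concrete picture of what such a filter looks like. The following is an added example and not code from the original post or from SHDS: a minimal egress-volume baseline check of the kind a SIEM would run over daily per-host outbound totals, flagging a day whose egress is far above that host's learned baseline. The host names, destination addresses (203.0.113.0/24 is a documentation range), byte counts and thresholds are all constructed for illustration, not values from the incident.

```python
"""Egress-volume baseline check (added example, not from the original post).

Constructed flow-summary lines in the shape
    <date>,<host>,<dst>,<bytes>
stand in for a SIEM's daily per-host outbound totals. The names, IPs and
byte counts are invented for illustration; 203.0.113.0/24 is a documentation
range, not a real destination.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: a quiet baseline week, then one day of mass egress
# from the records database host to a destination it never talked to before.
SAMPLE_FLOWS = """\
2018-06-18,rec-db-01,203.0.113.10,410000
2018-06-19,rec-db-01,203.0.113.10,395000
2018-06-20,rec-db-01,203.0.113.10,420000
2018-06-21,rec-db-01,203.0.113.10,405000
2018-06-22,rec-db-01,203.0.113.10,398000
2018-06-25,rec-db-01,203.0.113.10,415000
2018-06-26,rec-db-01,203.0.113.77,9800000000
2018-06-18,web-01,203.0.113.10,1200000
2018-06-19,web-01,203.0.113.10,1150000
2018-06-20,web-01,203.0.113.10,1300000
2018-06-21,web-01,203.0.113.10,1250000
2018-06-22,web-01,203.0.113.10,1180000
2018-06-25,web-01,203.0.113.10,1220000
2018-06-26,web-01,203.0.113.10,1260000
"""


def parse_flows(text):
    """Parse the constructed lines into (date, host, dst, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split(",")
        rows.append((date, host, dst, int(nbytes)))
    return rows


def daily_egress(rows):
    """Sum outbound bytes per (host, date), regardless of destination."""
    totals = defaultdict(int)
    for date, host, _dst, nbytes in rows:
        totals[(host, date)] += nbytes
    return totals


def build_baseline(totals, baseline_dates):
    """Per-host mean and population std-dev over the baseline window."""
    by_host = defaultdict(list)
    for (host, date), nbytes in totals.items():
        if date in baseline_dates:
            by_host[host].append(nbytes)
    return {h: (mean(v), pstdev(v)) for h, v in by_host.items()}


def flag_anomalies(totals, baseline, k=3.0, min_ratio=5.0):
    """Flag (host, date) whose egress is k std-devs above the mean AND at
    least min_ratio times the mean. The ratio guard keeps a very flat
    baseline (tiny std-dev) from flagging ordinary day-to-day jitter.
    Both thresholds are assumed tuning values, not figures from the post."""
    flagged = []
    for (host, date), nbytes in sorted(totals.items()):
        if host not in baseline:
            continue  # no history for this host; a real rule would alert on that too
        mu, sigma = baseline[host]
        if nbytes > mu + k * sigma and nbytes >= min_ratio * mu:
            flagged.append((host, date, nbytes, round(nbytes / mu, 1)))
    return flagged


def run_check(text=SAMPLE_FLOWS, baseline_end="2018-06-25"):
    """Learn the baseline from days up to baseline_end, then score every day."""
    rows = parse_flows(text)
    totals = daily_egress(rows)
    baseline_dates = {d for (_h, d) in totals if d <= baseline_end}
    baseline = build_baseline(totals, baseline_dates)
    return flag_anomalies(totals, baseline)


if __name__ == "__main__":
    for host, date, nbytes, ratio in run_check():
        print(f"{date} {host}: {nbytes} bytes out, {ratio}x the baseline mean")
```

The web host's normal jitter stays quiet while the database host's one-day spike is flagged the same day it happens; a rule of this shape, fed by the SIEM's flow or proxy logs, is what would have surfaced a month-long intrusion before the bulk exfiltration rather than after.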

Resources

Davis, J. (2019, February 19). Blue Shield, AltaMed patient data breached in business associate hack. Retrieved from https://healthitsecurity.com/news/blue-sheild-altamed-patient-dta-breached-in-business-associate-hack

Dissent. (2019, February 16). AltaMed, Blue Shield of California notify patients and regulators after breach at Sharecare Health Data Systems. Retrieved from https://www.databreaches.net/altamed-blueshield-of-california-notify-patients-and-regulators-after-breach-at-sharecare-health-data-services/

Garrity, M. (2019, April 29). AltaMed alerts 5,500 patients of data breach. Retrieved from https://www.beckershospitalreview.com/cybersecurity/altamed-alerts-5-500-patients-of-data-breach.html

HIPAA Journal. (2019, February 19). Patients receive notification of PHI theft 8 months after business associate data breach was detected. Retrieved from https://www.hipaa.journal.com/patients-receive-notification-of-phi-theft-8-months-after-business-associate-data-breach-was-detected/

Thursday, July 25, 2019

Doctor's Management Services (DMS) - Pwned!


Doctor’s offices have a mission: to take care of their patients. This focus is on the patient’s mind too, as the person sits in the doctor’s office waiting. One way to streamline operations and potentially improve cash flow is to outsource the billing function. There are many firms focused on efficiently billing for the doctor’s services. These businesses, due to their operations, hold much of the same data as the doctor’s offices, and they derive income as they process the claims. These two factors make them perfectly viable targets. One such business is Doctor’s Management Services (DMS), based in Massachusetts. Its primary mission is to provide medical billing and related services to its clients, the doctor’s offices and hospitals.

Attack
The initial stages of the attack occurred on April 1, 2017. The attack vector was a Remote Desktop Protocol (RDP) attack through an endpoint. This was detected on Christmas Eve, 2018. When the files were encrypted and the staff was not able to access them, management knew they had a rather significant problem. The business hired forensic professionals to investigate the incident. Through the investigation, the malware was determined to be GandCrab.

Unfortunately, this did not affect only one client; it affected 38 different practices. The patients’ PII could have been compromised as part of this incident. This includes, much to the patients’ detriment, their name, address, date of birth, social security number, driver’s license number, Medicare/Medicaid information, and other medical information. This does not necessarily mean the patients’ PII had been accessed; however, I would be willing to presume it has. Otherwise, why would the attackers be seeking to breach their security? The business did report this to HHS per HIPAA regulation. The business also notified the persons whose PII was affected.
Post-Encryption
As expected, the business was given a ransom demand; once paid, the decryption key would be provided. The business refused to pay. This is generally the optimal route, given the opportunity for more malicious acts. The business elected to use its backups and rebuild the files.
Mitigation
Clearly, there was a need for improvement in this situation. The business updated its network security and limited access to the system from IPs outside its organization. There was also additional staff training, to remove, as much as possible, the potential for this to occur again.
Questions
The attackers appear to have had unfettered access to the system from April 1, 2017, through December 24, 2018. This is an exceptionally long time for an unauthorized third party to have full access to the system and not be noticed by the SIEM and InfoSec personnel. The question on many minds is: what did the business have in place that did not work at all?

Resources
Cyware. (2019, April 25). Doctor’s Management Service hit with GandCrab ransomware attack compromising patient data. Retrieved from https://cyware.com/news/doctors-management-service-hit-with-gandcrab-ransomware-attack-compromising-patient-data-b6eebd02

Davis, J. (2019, April 25). Medical billing service reports April 2017 ransomware attack. Retrieved from https://healthitsecurity.com/news/medical-billing-service-reports-april-2017-ransomware-attack

Dissent. (2019, April 24). MA: Medical billing service notifies patients of ransomware incident. Retrieved from https://www.databreaches.net/ma-medical-billing-service-notifies-patients-of-ransomware-incident/

Jones, K. (2019, July 19). GandCrab in huge profit as SMBv1 exploit is dismissed. Retrieved from https://hackercombat.com/gandcrab-in-huge-profit-as-smbv1-exploit-is-dismissed/

Olenick, D. (2019, April 25). GandCrab ransomware strikes Doctor’s Management Services. Retrieved from https://www.scmagazine.com/home/security-news/ransomware/gandcrb-ransomeware-strikes-doctors-management-services/

Sowells, J. (2019, April 28). Another healthcare firm falls victim to GandCrab ransomware. Retrieved from https://hackercombat.com/another-healthcare-firm-falls-victim-to-gandcrab-ransomware/

Truta, F. (2019, April 25). GandCrab ransomware claims another healthcare firm. Retrieved from https://securityboulevard.com/2019/04/gandcrab-ransomware-claims-another-healthcare-firm

Woods, A. (2019, April 29). GandCrab attack on Doctor’s Management Service exposed patient data. Retrieved from https://www.2-spyware.com/gandcrab-attack-on-doctors-management-service-exposed-patient-data

Wednesday, July 24, 2019

Healthcare Pwned... Again

Healthcare continues to be a significant target. Healthcare institutions’ budgets have been decreased due to a number of different issues. These include patient mobility, as there are more options than ever, and patient insurance payments. The latter are at best stable, and have probably been decreasing as new contracts are renegotiated. While this is occurring, the costs (direct labor, overhead, utilities, supplies, etc.) have increased.

As margins continue to narrow, cuts have to be made somewhere. Cybersecurity, since the measurement of its success is elusive, may not receive the positive budgetary attention it really should. While more staff members may be needed, the positions may not be opened for applicants. This makes securing the perimeter, infrastructure, cloud, etc. difficult at best. Coupled with the attackers not being limited by geography, this further complicates the InfoSec mission. All it takes is one person making the wrong choice one time to begin a cascading effect. Verity Health System and Verity Medical Foundation had the opportunity to learn this from a recent issue.

Incidents
Over the recent period, there were a number of incidents. The first was in late November 2018 and another in mid-January 2019; other reports indicate there were two incidents in November. The access was simple enough: through three employees’ web email accounts. This allowed access to any emails or attachments in the respective compromised email accounts.

What makes this unusual is not only the number of successful attacks but also the timing. Three attacks in such a short period of time is clearly not a good thing, and for all of them to be successful infers a problematic, systemic issue. This forces the conversation on the level of insecurity. It is distinctly possible the SOC did not monitor the logs and other activity related to the email.

Data
The patients “possibly” affected were from many facilities. These included the Verity Medical Foundation and the Verity hospitals: O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (including the Seton Coastside campus), St. Francis Medical Center, and St. Vincent Medical Center.

The accessed emails contained health and medical data for the patients (names, treatment information, medical conditions, billing codes, and health insurance policy numbers). Other accessed email accounts contained personal information (names, health insurance policy numbers, subscriber numbers, dates of birth, patient ID numbers, phone numbers, and addresses). A portion of the attachments unfortunately also had social security and driver’s license numbers. To top it off, the emails may have included the personal and health data of certain Verity employees and third parties.

Remediation
Within hours of learning of each incident, the Verity InfoSec team ceased the unauthorized third-party access, disabled the affected email accounts, disconnected the devices from the network, and removed the unauthorized emails sent to other employees. These actions were a positive show of prudent steps. The thought is the attackers were actually seeking usernames and passwords. Because the compromised accounts contained PII and PHI, the business is offering one year of free credit monitoring services to any individual whose social security number or driver’s license number was involved.

To limit the opportunity for this to occur again, the business is requiring mandatory training for the employees and improving and increasing its security measures. The business also put a call center in place for affected persons to call with questions and to get additional information.

Notification
Per the reports, there is no direct evidence of unauthorized access to or use of the patients’ individual health or personal information. Verity Health System of California, Inc. and Verity Medical Foundation have, however, notified patients who are potentially affected. These persons were informed that some or all of their information may have been accessed without authorization. The attackers remain unknown.

Resources
Davis, J. (2019, March 26). Verity reports third data breach caused by employee email hack. Retrieved from https://healthitsecurity.com/news/verity-reports-third-data-breach-caused-by-employee-email-hack

Dissent. (2019, January 29). Verity Health System of California, Inc. and Verity Medical Foundation notify individuals and regulatory bodies of data security incident. Retrieved from https://www.databreaches.net/verity-health-system-of-california-inc-and-verity-medical-foundation-notify-individuals-and-regulatory-bodies-of-data-security-incident/

Spitzer, J. (2019, January 29). Verity Health System reports 3 phishing attacks. Retrieved from https://www.beckershospitalreview.com/cyberseucrity/verity-health-system-reports-3-phishing-attacks.html


Monday, May 20, 2019

Woesnotgone Meadow; May 21, 2019



All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.

At times, the citizens of the Meadow may get the flu or another virus. For a certain portion of the population, the flu or pneumonia has the potential to be very serious. At this point, the resident is transported to a hospital and becomes a patient. The patient provides their personal information, including their name, social security number, and insurance information. The hospital then becomes responsible for your personal, confidential data. Generally, this is not an issue and the hospital has your data secured. At times, however, this is not the case.

Pawnee County Hospital is located in Nebraska. The hospital conducts business just as most hospitals do, and most days on the administrative side are not all too exciting. Things were about to change for the administrators. The attack was rather passive, yet in this case very effective. On November 29, 2018, the hospital discovered the issue. A hospital staff member had received and opened an email. This happens dozens and dozens of times a day for most of the hospital’s staff members. In this case, as with the others, the employee thought (mistakenly) this was from a trusted source. Unfortunately, the staff member opened the attachment and began the infection. The attacker had access from November 16 through 24. The employee’s email account contained business clinic reports, clinical summaries, and other pertinent internal documents. Post-discovery, the hospital did contract with a third party for the forensic work.

As this is a hospital, the data it has been entrusted with is primarily the patients’ confidential data and information (PHI & PII). The compromise allowed unauthorized access to this. The data the attackers had access to was the patient’s full name and at least one of the following: address, date of birth, date(s) of service, medical record number, clinical information, insurance information, and driver’s license/state ID number. The patient’s social security number may also have been involved.

Due to the compromise, the hospital was required to notify 7,038 to 7,175 patients of the issue. This was the direct result of the malware infecting the system, and it created quite an issue for the hospital. As remediation, the hospital agreed to provide one year of credit monitoring service. The IT department also began updating its systems, all staff members were required to reset their email passwords, and additional security features were put in place.

This issue continues to show the importance of employee training. With appropriate training, perhaps there would be fewer of these types of issues.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources

Dissent. (2019, February 9). Pawnee County Memorial Hospital notifies 7,038 patients after employee email account compromised by phishing attack. Retrieved from https://www.databreaches.net/pawnee-county-data-breaches.net/pawnee-county-memorial-hospital-notifies-7038-patients-after-employee-email-account-compromised-by-phishing-attack/

Garrity, M. (2019, February 11). Nebraska hospital notifies 7,000 patients of phishing attack. Retrieved from https://www.beckershospitalreview.com/cybersecurity/nebraska-hospital-notifies-7-000-patients-of-phishing-attack.html

HIPAA Journal. (2019, February 11). 7,000 patients notified about Pawnee County Memorial Hospital malware attack. Retrieved from https://www.hipaajournal.com/7000-patients-notified-about-pawnee-county-memorial-hospital-malware-attack/

Tuesday, May 7, 2019

Woesnotgone Meadow; May 7, 2019


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, our residents generally are healthy. Occasionally, we have an issue when someone gets sick or hurt. Last May, Jerry slipped on ice and fractured his ankle. When these things occur, there may be a brief or longer visit to a healthcare facility. These facilities have been a target for attackers over the last few years as they attempt to breach their systems. One such institution is Roper St. Francis Healthcare.

Roper St. Francis Healthcare is based in Charleston, SC. The healthcare facility was targeted in a rather large-scale phishing attack. This type of attack has been relatively steady and popular over the last five years. In this case, 13 employee email accounts were successfully compromised. The successful attack was detected on November 30, 2018. Fortunately, the hospital’s operations were not affected, and the hospital’s electronic medical records (EMR) were not accessed.

Once detected, the hospital responded quickly. One of the first moves was to block access to the corporate accounts; they then began the forensic review. The review found the compromise was open and active from November 1, 2018, through December 1, 2018, the end date being the day after discovery. The hospital also contracted with a third party for a thorough forensic review. The third party’s in-depth review indicated a number of the compromised email accounts did contain confidential data and information: the patient’s name, medical record numbers, health insurance information, and medical record information. For a portion of these, the patient’s social security number and financial information were also exposed.

The affected patients were notified by mail on January 25, 2019. The hospital also posted a notice on its website on January 29, 2019. The affected patients were offered complimentary credit monitoring services. Internally, the healthcare facility is strengthening its email security and providing continuing education on this type of attack. These steps are prudent and necessary to prevent, as much as possible, a recurrence.

This successful attack once again shows the weakest link, in general, is the user. Better and regular training to watch for this is needed, along with a more robust defense.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Balchunas, C. (2019, February 4). Roper St. Francis phishing attack: What did hackers get access to? Retrieved from https://abcnews4.com/news/local/roper-st-francis-phishing-attack

Davis, J. (2019, February 4). Roper St. Francis, Valley Professionals phishing attacks breach patient data. Retrieved from https://healthitsecurity.com/news/roper-at-francis-valley-professionals-phishing-attack-breach-patient-data

Dissent. (2019, February 4). SC: Roper St. Francis notifying patients after employees fall for phishing attack. Retrieved from https://www.databreaches.net/sc-roper-st-frances-notifying-partients-after-employees-fall-for-phishing-attack/

HIPAA Journal. (2019, February 4). 13 accounts compromised in Roper St. Francis Healthcare phishing attack. Retrieved from https://www.hipaajournal.com/13-accounts-compromised-in-roper-st-francs-healthcare-phishing-attack/

Phillips, P. (2019, January 29). Roper St. Francis Healthcare notifies patients after employee emails compromised. Retrieved from http://www.live5news.com/2019/01/29/roper-st-frances-healthcare-notifies-patients-after-employee-emials-compromised/

Staff Report. (2019, February 5). Roper St. Francis employee emails compromised. Retrieved from https://charlestonbusiness.com/news/health/75936/

Thursday, April 25, 2019

Woesnotgone Meadow; April 25, 2019; Vendor Cybersecurity Issues affecting Eye Institute!



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

The day started out like any other. Get up, get ready, load the vehicle, work, return home, repeat. On this day, though, I went to the mailbox, just as I have done for years, and there was a letter from the Wolverine Solutions Group. Not recognizing the name, I curiously opened the letter. It seems my healthcare provider, Michigan Eye Institute, used Wolverine Solutions Group for mailing services. Wolverine Solutions Group happens to have had a minor, itsy issue with cybersecurity: they were successfully attacked with ransomware, locking up their servers along with workstations. But other than that, everything was fine.

There are three businesses involved with the cybersecurity oversight.
a. Michigan Eye Institute. The medical practice focusing on the eye, located in Flint, MI.
b. Client Financial Services. This was a vendor for the Michigan Eye Institute.
c. Wolverine Solutions Group. They provide mailing services to businesses in the health-related industry, including health insurers and providers. The business is located in Detroit. They also provide billing services. A sample of their clients includes Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Plan, Three Rivers Health, and North Ottawa Community Health System.

Timeline
On or about September 23, 2018, Wolverine Solutions Group (WSG) had the opportunity to experience a ransomware attack. The attack primarily focused on encrypting their records, locking up their servers and workstations, which was clearly bad. On October 3, 2018, WSG hired a forensic subject matter expert to review and analyze the events and attack. They began the decryption process and restoring files and other affected areas. The expert did not identify any evidence that data had been exfiltrated.

Due to this effort, most of the programs were restored by October 25, 2018, and the critical operations were up and operating on November 5, 2018. On November 28, 2018, WSG notified Client Financial Services (CFS), a vendor to the Michigan Eye Institute, of the cybersecurity issue. On February 5, 2019, WSG provided Michigan Eye Institute the final list of affected users and the categories of data affected.

Ransomware is seen so often in nearly all industries, partly because it is such a cost-effective attack with results. The operation involves encrypting the data and attempting to force the target, post-compromise, to pay the fee. In this case, however, allegedly weak encryption was used.

Data
Unfortunately for the patients, it appears the data involved would be the patient’s name, address, date of birth, social security number, insurance contract information and numbers, and medical information. This is truly bad for the patients involved. This data is very saleable and marketable multiple times, depending on how it is bundled.

Help for the Patients
The patients are being offered identity theft protection through AllClear ID for 12 months. This also includes an annual credit score and credit report, and a $1M identity theft insurance policy. Although this sounds good, the length honestly should be much longer. Anyone holding the patients’ data will probably wait one year and one month before using it, to the patients’ detriment.

Questions/Concerns/Comments
In reviewing the overall environment, there are a few questions. The business used WSG for mailing services. This is perfectly acceptable and a part of normal operations. As WSG’s focus is mailing, why would they have access to medical records, and why were the records on WSG’s system? Medical records are not needed for a list of people to mail information to. Possibly they were mailing bills; however, this would be the only viable reason.

It took the business over five months to notify the users/patients of the cybersecurity issue. The patients were exposed for over five months. During this time, they were unaware of their data being out there and sold.

The forensic team did not believe any data was exfiltrated or “extracted”, yet the patients’ information was affected. Thinking through the events: if the attacker is focused on the system and risking federal prison, is the attacker really going to walk away without securing the data once they have finally compromised the perimeter defense? This is not a viable option.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
1051 The Bounce. (2019, March 11). Are you one of the 600,000 Michigan residents affected in data breach? Retrieved from https://1051thebounce.com/2019/03/11/are-you-one-of-600000-michigan-residents-affected-in-data-breach/

13ABC. (2019, March 11). Michigan residents warned about health care data breach. Retrieved from https://www.13abc.com/content/news/Michigan-residents-warned-about-health-care-data-brech-506985321.html

62CBS Detroit. (2019, March 11). Health care data breach affects 600k Michigan residents. Retrieved from https://detroit.cbslocal.com/2019/03/11/health-care-data-breach-affects-600k-michigan-residents

Davis, J. (2019, March 12). More than 600,000 affected by Michigan health care data breach. Retrieved from https://securitytoday.com/articles/2019/03/12/more-than-600000-affected-by-michigan-health-care-data-breach.aspx?m=1

Goedert, J. (2019, March 15). 600,000 affected by huge data breach in Michigan. Retrieved from https://www.healthdatamanagement.com/news/600-000-affected-by-huge-data-breach-in-michigan

Scott. (2019, March 12). Data breach may have exposed 600,000 Michigan residents. Retrieved from https://smallbusinessbigthreat.com/blog/2019/03/12/data-breach-may-have-exposed-600000-michigan-residents/

Strachan, J. (2019, March 11). More than 600,000 in Michigan affected by health care data breach. Retrieved from https://patch.com/michigan/across-mi/more-600-000-michigan-affected-health-care-data-breach

The Associated Press. (2019, March 11). Michigan residents warned about health care data breach. Retrieved from https://www.kansas.com/news/business/article22740489.html

Wolverine Solutions Group. (2019, February 27). Notice of breach/cybersecurity incident, updated 02.27.2019. Retrieved from https://www.wolverinemail.com/cyber-security-event/

Wolverine Solutions Group. (2019, February 28). Letter signed by Robert Tokar.


Tuesday, February 12, 2019

Woesnotgone Meadow; December 19, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the residents take care of their health, for the most part. When we need to, the doctor is always available for our visits, complaints, and general layman conjecture on the root causes of our ailments. At times, Dr. Gerry even listens to us ask if we need a drug we had just seen on television the night before.

The Elizabethtown Community Hospital (ECH), which is part of The University of Vermont Health Network, had the opportunity to work through an incident response recently. ECH operates six community-based primary healthcare centers, an ER, and an outpatient center.

ECH recently had what they termed a “data security incident”, i.e., a compromise. This was detected in October 2018 and has affected an estimated 32k patients. Although the system was compromised, ECH did not have any clear evidence that any individual patient record was accessed. Although there is no clear evidence, to be conservative, ECH is still publicizing this so the potentially affected clients may be prepared.

This event was due to an ECH email account being compromised. The email account did contain clients’ names, dates of birth, addresses, and limited medical information (i.e., billing, medical record numbers, dates of service, and a brief summary of rendered services). Unfortunately, a portion of the patients (approximately 1,200) did have their social security number included with the compromised data.

Once this was detected, nine days after the compromise, ECH changed the affected account(s) password(s), made the security features more robust, and contracted with a forensic cybersecurity firm to analyze the incident. Fortunately, this did not spread to the computer network or the electronic medical records (EMR).

To assist with the issue, the affected patients are being offered free credit monitoring services. The length of time this service will be provided was not noted. For the patients, this is of marginal value, as the attackers could use this data a day, week, or month after the credit monitoring service has lapsed.

This continues the lesson of staff training for phishing attacks. This attack protocol continues to be prominent and is not slowing down in its usage. All this attack needs, to be successful, is for a few of the targets to click on the link or attachment!

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Demol, P. (2018). ECH data breach exposes patient info. Retrieved from https://www.suncommunitynews.com/articles/the-sun/ech-data-brach-exposes-patient-info/

Tuesday, January 8, 2019

Woesnotgone Meadow; December 13, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
Occasionally, people in the Meadow are sick. This can be the usual flu or cold, or something more serious, such as a broken bone. When these occur, the people soon become patients of the local doctor. These locations are not the massive hospitals you see on TV, but smaller facilities. With these, there are not two or three redundant systems in place in case one becomes inoperable. If one of the patient care or administrative systems were to not work, there would be a problem. If multiple systems were to be affected, the residents of the Meadow would have a big problem.

Two hospitals had the opportunity to manage this issue. These were located in Wheeling, WV, and Ohio. They had a total of approximately 340 beds.

Effects
Both hospitals are owned by the Ohio Valley Health Service & Education Corporation. These hospitals were the Ohio Valley Medical Center in Wheeling, WV, and East Ohio Regional Hospital in Martins Ferry, OH. Fortunately, the compromise wasn’t throughout the system. This did, however, affect approximately 30-40 computers of the over 1,300 systems. Granted, this is a lower amount, but still enough for a potent attack if targeted properly. The staff was unable to accept patients from emergency service transports. The patients were diverted to other hospitals’ ERs. The walk-ins, fortunately, were accepted. Due to the lack of system functionality, the staff was forced to use a paper charting system.
Attack method
The tools used with these types of attacks vary greatly. The specific tools used depend on the target surface and environment; there is no single tool that is used in every case. In this case, the hospitals were the victim of a ransomware attack. The hospitals had implemented defense in depth. The attack only breached the first layer and did not compromise the second layer. This attack began on Friday, November 23, 2018, and was to be resolved by Sunday, November 25, 2018. While this timeline is great, there was no update as of Monday morning, November 26, 2018.

There have been many articles on the effect on the services, including using paper charts and other issues, but not on the “how” question. This could have been from a phishing attack, an unknown USB drive being plugged into a system, or other attacks. The remediation was also not addressed. It is difficult to learn from our mistakes when we refuse to provide any data.

Data
The attackers were focused on data or revenue. There is always some form of enrichment directly from the attack. If there were some form of an asset to exfiltrate, they would target it. In this case, the targeted data was patient data. Thankfully, none was exfiltrated.


Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
CISOMAG. (2018, November 27). Ohio hospital suffers ransomware attack. Retrieved from https://www.cisomag.com/ohio-hospital-system-suffers-ransomware-attack/

Conn, A. (2018, November 24). Updated: OVMC/EORH system attacked, progress made in rebuilding. Retrieved from https://wtov9.com/news/local/ovmceorh-system-added-cannot-transport-patients

Dark Reading Staff. (2018, November 26). Ransomware attack forced Ohio hospital system to divert ER patients. Retrieved from https://www.darkreading.com/vulnerabilities---threats/ransomware-attack-forced-ohio-hospital-system-to-divert-er-patients-/d/d-id/1333333

Davis, J. (2018, November 26). Weekend ransomware attack interrupts care at 2 Ohio hospitals. Retrieved from https://healthitsecurity.com/news/weekend-ransomware-attack-interrupts-care-at-2-ohio-hospitals

Elliott, K. (2018, November 26). Ohio hospitals become latest ransomware victims. Retrieved from https://techtalk.pcpitstop.com/2018/11/26/two-ohio-hospitals-offline/

Goud, N. (2018). West Virginia hospitals become a victim of a ransomware attack. Retrieved from https://www.cybersecurity-insiders.com/west-virginia-hospitals-become-a-victim-of-a-ransomware-attack/

Gurubaran, S. (2018, November 27). Ransomware attack hits Ohio hospital and the emergency rooms are unable to take patients. Retrieved from https://gbhackers.com/ransomware-attack-hits-ohio-hospital/

Leventhal, R. (2018, November 26). Ohio/WV ransomware attack forces some ER patients elsewhere. Retrieved from https://healthcare-informatics.com/news-item/cybersecurity/ohiovw-ransomware-attack-forces-some-er-patients-elsewhere

Lyngaas, S. (2018, November 27). Ransomware infects hospitals in Ohio, West Virginia. Retrieved from https://www.cyberscoop.com/ransomware-infects-hospitals-ohio-west-virginia/

Monica, K. (2018, November 26). Ransomware attack prompts Ohio hospitals to enter EHR downtime. Retrieved from https://ehrintelligence.com/news/ransomware-attack-prompts-ohio-hospitals-to-enter-ehr-downtime

Paganini, P. (2018, November 26). Ransomware attack disrupted emergency rooms at Ohio hospital system. Retrieved from https://securityaffairs.co/wordpress/78441/breaking-news/ohio-hospital-system-ransomware.html

Spitzer, J. (2018, November 26). Ohio, West Virginia hospitals say patient information safe after attempted ransomware attack. Retrieved from https://www.beckerhospitalreview.com/cybersecurity/ohio-west-virginia-hospitals-say-patient-information-safe-after-attempted-ransomware-attack.html

The Intelligencer. (2018, November). OVMC, EORH computers attacked by hackers. Retrieved from http://www.theintelligencer.net/news/top-headlines/2018/11/ovmc-eorh-computers-are-attacked-by-hackers/

WTRF. (2018, November 26). OVMC-EORH computer system attacked, no patient information compromised.

WV News. (2018, November 25). Hospitals in Wheeling, WV, and Ohio impacted by ransomware attack. Retrieved from https://www.wvnews.com/news/hospitals-in-wheeling-wv-and-ohio-impacted-by-ransomware-attack/