
Wednesday, February 14, 2024

Security by Obscurity

 

During the budgeting cycle, departments may ask for increases in their respective budgets, padding them or accommodating capital purchases. When senior management does not recognize the importance of security, the thought may float through their minds: what if we do nothing? After all, nothing has happened.

Well, nothing has happened...yet. The healthcare industry is targeted for many reasons, and there are many options as to the individual targets, methods of attack, and other facets. A breach in this environment is horrific operationally, with systems shut down for days or weeks, ERs closed, patient data exfiltrated, etc. There is also the potential for patient mortality being directly attributable to the breach. Financially this can be a nightmare, as the healthcare provider has to quickly address the issues and contract with a forensic firm to review the breach, what was accessed, and everything else tied to the incident. This is not cheap.

By ignoring cybersecurity and thinking they can get through the next cycle without adequately addressing it, the healthcare provider is doing everything they can to set themselves up for failure on the business, functional, and patient care sides.


Services

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Pentesting | HW & SW BoMs | CBoM | Vulnerability Management | Tabletop Exercises (TTX) | Embedded Systems Architecture | Threat Intelligence | TARA (Threat Assessment and Remediation Analysis)

charles.parker@mielcybersecurity.net 810-701-5511



Human Cost in Healthcare Increases Criticality

 

The healthcare industry is interesting. On the surface it appears relatively straightforward, with patient care staff and patient interactions. When you think through the full operation, there is much more involved. Each step is diverse and not mainstream within the operations. With all these attack points, healthcare CISOs have their work cut out for them every day. This could include all the usual suspects (e.g., ransomware, phishing, supply chain compromises, data breaches, and social engineering).

One area gaining more traction and attention is IoMT. We’ve heard of IoT, especially with refrigerators, coffee makers, thermostats, and light bulbs. IoMT is differentiated from these as the focus is medical devices. These may include medical operational technology (OT) such as wearable blood pressure devices, insulin pumps, ingestible sensors, remote patient care devices, and other monitoring devices.

Security has gotten better with these devices through various technological improvements, e.g., BLE versus Bluetooth. This is a product of security starting to be built into the product sooner rather than later. There are still issues with misconfigurations, web app code the Dev Team thought was removed, and other issues.

As these devices interact more with patients, the risks increase substantially. Any security issue is amplified by the potential loss of life. This amplifies the need for security to be implemented early on with the Dev Team and applied to the current version, not two or three versions down the line. A concentrated, thorough application of security to the software and hardware will significantly reduce the potential for incidents, which will allow your CISO to get a better night’s sleep.





Tuesday, January 9, 2024

Yet Another Compromise

 

There are constantly compromises being published across the industries, and many more unpublished for a variety of reasons. Many years ago, the attacks were initiated by people showing their skills and the corporation’s lack of focus on security allowing these exploits. Times certainly have changed. Now this endeavor has been operationalized, streamlined, and become a profit center with an ROI.

Every company is a target for the various attacks. At the heart of most of these attacks is data. This has many uses for the bad actors, from selling to being ransomed. There are no geographic boundaries either. A company in Michigan recently had the opportunity to enjoy this at great length.

HealthEC, LLC, a population health management platform, is partnered with Corewell Health. The focus of the work is to identify high-risk patients, which is beneficial for the patients. The company was recently compromised, leaking confidential data and information on over a million Michigan residents.

The data leaked included the patient’s name, address, date of birth, social security number, medical information (e.g., diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name), and health insurance information. Just the first four data points being compromised is bad enough (e.g., for identity theft), but add in the medical and health insurance information, and the successful attackers have a field day. This also raises the potential for ransomware to come into play.

To address concerns, HealthEC is offering 12 months of credit monitoring and identity protection services through TransUnion. This may sound great, and it is for the first 12 months. Think about what happens after the 12 months. The stolen data, in part, is permanent or could be updated with a quick and easy internet search.

Thank you.




Disabled Veteran Owned and Operated 

 


Thursday, June 24, 2021

Now I have seen it all

 


There are several companies offering cybersecurity services in operation, with yet more popping up. This will probably not slow down, with the need for cybersecurity personnel increasing daily. Seemingly, the nation noticed overnight with the pipeline attack that cybersecurity is actually important. These companies have various clients in their respective industries.

One of these, recently in the news for all the wrong reasons, is located in Atlanta. Vikas Singla, COO of Securolytics, was indicted on June 8 for attacking the Gwinnett Medical Center. The attack itself took place in 2018 and disrupted the hospital’s phone service, obtained information from a digitizing device, and disrupted network printing services.

Singla has pleaded not guilty to the 18 charges. There were 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer. He was released on a $20k unsecured bond. He is to return to court on June 23, 2021.

The thought is this was done for financial gain; no other reason for the attack has been published. While the motive is otherwise unknown, this does showcase the need to review any insider threat. This is not something people want to act on, as we want to trust our employees; however, this and other instances showcase our need to review this periodically.

Saturday, August 17, 2019

Lengthy Time to Report Compromise: 8 Months for PHI Theft

Sharecare Health Data Services (SHDS) offers a secure method for electronic exchanges of data. The organization also manages healthcare business medical records. The organization is located in San Diego, CA. 
Compromise 
The attack was detected through unusual activity on June 26, 2018. The observed data was abnormal when compared to the normal baseline, and this red flag started their investigation. The initial analysis was that the attackers had breached the defenses and gained access to the systems containing protected health information (PHI). This access may have started as early as May 21, 2018. The unauthorized access affected 18,416 insurance members of Blue Shield of California; approximately 5,767 AltaMed patients were also affected. The data included a buffet of information the attackers could use and sell: name, address, birth date, unique patient number, address where the health services were provided, internal SHDS processing notes, and medical record numbers. The attackers had unfettered access from May 21, 2018, to June 26, 2018, or over a month. On June 26, 2018, the attackers accessed the data and exfiltrated it to sites overseas. This was reported to the other healthcare organizations directly affected on December 31, 2018. Fortunately, the patients’ social security numbers, financial information, and detailed clinical information were not accessed.
Notification
The unauthorized access occurred on at least May 21, 2018, and was detected on June 26, 2018. The reporting to the other affected healthcare organizations was December 31, 2018. The notice to the affected patients occurred on February 15, 2019. In addition to the client, the FBI was also notified. 

The notification to the other healthcare organizations covered the breach and the potential for the data to have been accessed by these unauthorized parties. From the timeline, the extended period, over five months, for the other healthcare organizations to be notified was odd. No reason was given for the five-month-plus reporting period. One of these affected healthcare organizations was AltaMed, with 5,500 of its patients included in the compromised records pool. Oddly, adding confusion to the rationale, the patients affected by the breach were notified an additional 2.5 months later.
Mitigation 
After this was detected, SHDS contracted with Mandiant, the cybersecurity consultant, to help with the forensic analysis and review. On a positive note, once this was detected, immediate steps were put in place to cease the unauthorized access. SHDS enhanced its security to minimize the potential for further successful attacks and revised its data retention policies. The business contracted with a third party to monitor its data systems 24 hours a day, seven days a week. SHDS offered the affected patients a year of free credit monitoring and identity theft protection services through AllClear ID.
Questions/Lessons Learned
With a breach and compromise, time is of the essence. In most cases, it is not prudent to wait for extended periods to report a breach. In this instance, it took over five months to report this to the other healthcare organizations, whose patients were affected by this SHDS issue. Overall, it took nearly eight months to notify the affected patients. This is simply unacceptable. The organization had the list of affected parties and still elected not to inform them in even a remotely timely manner. 

It is difficult to imagine how their InfoSec team did not detect unauthorized access for over a month. It seems as though their SIEM would have detected this well before the mass amount of data was exfiltrated. The issue begs the question, was the SIEM fully integrated into the system, or the filters/scripts not fully utilized? 
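To make the "baseline" question concrete, here is an added example (not from the post, SHDS, or Mandiant) of the two checks a SIEM rule could run over per-account daily outbound transfer summaries: a volume rule against a learned baseline and a first-seen-destination rule. The records are constructed and only shaped like the timeline above (quiet access from May 21, bulk transfer on June 26); the account name, country codes and byte counts are assumptions.

```python
"""Baseline checks of the kind a SIEM rule would run over per-account daily
outbound transfer summaries. Added example with constructed data; nothing
here is from the SHDS incident beyond the dates used to shape the timeline."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class DailyTransfer:
    day: date
    account: str        # assumed service account name
    dest_country: str   # where the outbound bytes went
    bytes_out: int


def build_baseline(records, account, start, end):
    """Learn normal behaviour for one account over a clean window:
    typical daily volume plus the set of destination countries seen."""
    window = [r for r in records
              if r.account == account and start <= r.day <= end]
    volumes = [r.bytes_out for r in window]
    return {"mean": mean(volumes), "std": pstdev(volumes),
            "countries": {r.dest_country for r in window}}


def evaluate(records, account, baseline, k=3.0, use_country_rule=True):
    """Return (day, reasons) for every record that breaks a rule.
    Volume rule: bytes_out above mean + k * std of the baseline window.
    Country rule: destination country never seen in the baseline window."""
    threshold = baseline["mean"] + k * baseline["std"]
    alerts = []
    for r in sorted(records, key=lambda r: r.day):
        if r.account != account:
            continue
        reasons = []
        if use_country_rule and r.dest_country not in baseline["countries"]:
            reasons.append(f"first-seen destination country {r.dest_country}")
        if r.bytes_out > threshold:
            reasons.append(f"{r.bytes_out} bytes exceeds threshold {threshold:.0f}")
        if reasons:
            alerts.append((r.day, reasons))
    return alerts


def dwell_days(first_unauthorized, first_alert):
    """Days the intruder was active before the first alert fired."""
    return (first_alert - first_unauthorized).days


def constructed_records(account="svc-records-export"):
    """Constructed daily summaries: 50 clean days, then 36 days of quiet
    low-volume transfers to a new country, then one bulk transfer."""
    recs = []
    clean_start = date(2018, 4, 1)
    for i in range(50):                       # Apr 1 .. May 20: normal traffic
        recs.append(DailyTransfer(clean_start + timedelta(days=i), account,
                                  "US", 50_000_000 + ((i % 5) - 2) * 2_000_000))
    intrusion = date(2018, 5, 21)
    for i in range(36):                       # May 21 .. Jun 25: low and slow
        day = intrusion + timedelta(days=i)
        recs.append(DailyTransfer(day, account, "US", 50_000_000))
        recs.append(DailyTransfer(day, account, "XX", 3_000_000))
    # Jun 26: bulk exfiltration, far above any daily volume seen before
    recs.append(DailyTransfer(date(2018, 6, 26), account, "XX", 4_000_000_000))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    base = build_baseline(recs, "svc-records-export",
                          date(2018, 4, 1), date(2018, 5, 20))
    for label, flag in (("volume rule only", False),
                        ("volume + country rules", True)):
        alerts = evaluate(recs, "svc-records-export", base, use_country_rule=flag)
        print(f"{label}: first alert {alerts[0][0]}, dwell "
              f"{dwell_days(date(2018, 5, 21), alerts[0][0])} days")
```

The volume rule alone fires only on the bulk transfer, leaving a 36-day dwell; the first-seen-destination rule fires on the first quiet day, which is the difference between detecting the intrusion and detecting the exfiltration.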

Resources

Davis, J. (2019, February 19). Blue Shield, AltaMed patient data breached in business associate hack. Retrieved from https://healthitsecurity.com/news/blue-sheild-altamed-patient-dta-breached-in-business-associate-hack

Dissent. (2019, February 16). AltaMed, Blue Shield of California notify patients and regulators after breach at Sharecare Health Data Systems. Retrieved from https://www.databreaches.net/altamed-blueshield-of-california-notify-patients-and-regulators-after-breach-at-sharecare-health-data-services/

Garrity, M. (2019, April 29). AltaMed alerts 5,500 patients of data breach. Retrieved from https://www.beckershospitalreview.com/cybersecurity/altamed-alerts-5-500-patients-of-data-breach.html

HIPAA Journal. (2019, February 19). Patients receive notification of PHI theft 8 months after business associate data breach was detected. Retrieved from https://www.hipaa.journal.com/patients-receive-notification-of-phi-theft-8-months-after-business-associate-data-breach-was-detected/

Wednesday, July 24, 2019

Healthcare Pwned... Again

Healthcare continues to be a significant target. Healthcare institutions’ budgets have decreased due to a number of issues, including patient mobility, as there are more options than ever, and patient insurance payments. The latter are at best stable and have probably been decreasing as new contracts are renegotiated. While this is occurring, costs (direct labor, overhead, utilities, supplies, etc.) have increased.

As margins continue to be narrowed, the cuts have to be made somewhere. Cybersecurity, since the measurement of the success is elusive, may not receive the positive budgetary attention it really should. While more staff members may be needed, the positions may not be opened for applicants. This makes securing the perimeter, infrastructure, cloud, etc. difficult at best. This coupled with the attackers not being limited by geography, further complicates the InfoSec mission. All it takes is one person making the wrong choice one time to begin a cascading effect. Verity Health Systems and Medical Foundation had the opportunity to learn from a recent related issue.  

Incidents
Over the recent period, there were a number of incidents. The first was in late November 2018 and another in mid-January 2019; other reports indicate there were two incidents in November. The access was simple enough: through three employees’ web email accounts. This allowed access to any emails or attachments in the respective compromised accounts.

What makes this unusual is not only the number of successful attacks but also the timing. Three attacks in such a short period of time is clearly not a good thing. For these to be successful implies a problematic, systemic issue, which forces the conversation on the level of insecurity. It is distinctly possible the SOC did not monitor the logs and other activities related to the email.

Data
The patients “possibly” affected were from many facilities. These included the Verity Medical Foundation and Verity hospitals (O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (inclusive of the Seton Coastside campus), St. Francis Medical Center, and St. Vincent Medical Center).

The accessed emails contained health and medical data for the patients (names, treatment information, medical conditions, billing codes, and health insurance policy numbers). Other accessed email accounts contained personal information (names, health insurance policy numbers, subscriber numbers, dates of birth, patient ID numbers, phone numbers, and addresses). A portion of the attachments unfortunately also had social security and driver license numbers. To top it off, the emails may have included, for certain Verity employees and third parties, their personal and health data.

Remediation
Within hours of learning of each incident, the Verity InfoSec Team ceased the unauthorized third-party access, disabled the affected email accounts, disconnected the devices from the network, and removed the unauthorized emails sent to the other employees. These actions were a positive show of the prudent steps implemented. The thought is the attackers were actually seeking the user names and passwords. Due to the compromise and the access records containing PII and PHI, the business is offering credit monitoring services for one year free to any individual whose social security number or driver’s license number was involved.

To limit the opportunity for this to occur again, the business is requiring mandatory training for the employees and improving and increasing the security measures. The business also put a call center in place for affected persons to call for questions and to get additional information.

Notification
Per the reports, there is no direct evidence of unauthorized access to or use of the patients’ individual health or personal information. Verity Health System of California, Inc. and Verity Medical Foundation have, however, notified patients who are potentially affected. These persons were informed that their specific individual information, or a portion of it, may have been accessed without authorization. The attackers remain unknown.

Resources
Davis, J. (2019, March 26). Verity reports third data breach caused by employee email hack. Retrieved from https://healthitsecurity.com/news/verity-reports-third-data-breach-caused-by-employee-email-hack

Dissent. (2019, January 29). Verity Health System of California, Inc. and Verity Medical Foundation notify individuals and regulatory bodies of data security incident. Retrieved from https://www.databreaches.net/verity-health-system-of-california-inc-and-verity-medical-foundation-notify-individuals-and-regulatory-bodies-of-data-security-incident/

Spitzer, J. (2019, January 29). Verity Health System reports 3 phishing attacks. Retrieved from https://www.beckershospitalreview.com/cyberseucrity/verity-health-system-reports-3-phishing-attacks.html


Thursday, April 25, 2019

Woesnotgone Meadow; April 25, 2019; Vendor Cybersecurity Issues affecting Eye Institute!



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

The day started out like any other day. Get up, get ready, load the vehicle, work, return home, repeat. On this day though, I went to the mailbox, just as I have done for years. Today, there was a letter from the Wolverine Solutions Group. Not recognizing the name, I curiously opened the letter. It seems my healthcare provider, Michigan Eye Institute, used Wolverine Solutions Group for mailing services. Wolverine Solutions Group happens to have had a minor, itsy issue with cybersecurity: they were successfully attacked with ransomware, locking up their servers along with workstations. But other than that, everything was fine.

There are three businesses involved with the cybersecurity oversight.
a. Michigan Eye Institute. The medical practice focussing on the eye, located in Flint, MI.
b. Client Financial Services. This was a vendor for the Michigan Eye Institute.
c. Wolverine Solutions Group. They provide mailing services to businesses in the health-related industry, including health insurers and providers. The business is located in Detroit. They also provide billing services. A sample of their clients includes Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Plan, Three Rivers Health, and North Ottawa Community Health System.

Timeline
On or about September 23, 2018, Wolverine Solutions Group (WSG) had the opportunity to experience a ransomware attack. The attack primarily focussed on encrypting their records, which locked up their servers and workstations. On October 3, 2018, WSG hired a forensic subject matter expert to review and analyze the events and the attack. They began the decryption process and restoring files and other affected areas. The expert did not identify any evidence that data had been exfiltrated.

Due to the effort, most of the programs were restored by October 25, 2018, and critical operations were up and running on November 5, 2018. On November 28, 2018, WSG notified Client Financial Services (CFS), a vendor to the Michigan Eye Institute, of the cybersecurity issue. On February 5, 2019, WSG provided the Michigan Eye Institute with the final list of affected users and the categories of data affected.

Ransomware is seen so often in nearly all industries, partially because it is such a cost-effective attack with results. The operation involves encrypting the data and attempting to force the target, post-successful attack, to pay the fee. In this case, however, allegedly weak encryption was used.

Data
Unfortunately for the patients, it appears the data involved would be the patient’s name, address, date of birth, social security number, insurance contract information and numbers, and medical information. This is truly bad for the patients involved. This data is very saleable and marketable multiple times, depending on how it is bundled.

Help for the Patients
The patients are being offered identity theft protection through AllClear ID for 12 months. This also allows for an annual credit score and credit report, and a $1M identity theft insurance policy. Although this sounds good, the length honestly should be much longer. Any person with the patient’s data will probably wait for one year and one month before using this, to the patient’s detriment.

Questions/Concerns/Comments
In the review of the overall environment, there are a few questions. The business used WSG for mailing services. This is perfectly acceptable and a part of normal operations. As WSG’s focus is mailing, why would they have access to medical records, and why were the records on WSG’s system? Medical records are not associated with a list of people to mail information to. Possibly they were mailing bills; however, this would be the only circumstance with a viable reason.

It took the business over five months to notify the users/patients of the cybersecurity issue. The patients were exposed for over five months. During this time, they were unaware of the data being out there sold.

The forensic team did not believe any data was exfiltrated or “extracted” yet the patient’s information was affected. Thinking through the events, if the attacker is focused on the system and risking federal prison, is the attacker really going to not secure the data and walk away once they finally compromised the perimeter defense? This is not a viable option.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
1051 The Bounce. (2019, March 11). Are you one of the 600,000 Michigan residents affected in data breach? Retrieved from https://1051thebounce.com/2019/03/11/are-you-one-of-600000-michigan-residents-affected-in-data-breach/

13ABC. (2019, March 11). Michigan residents warned about health care data breach. Retrieved from https://www.13abc.com/content/news/Michigan-residents-warned-about-health-care-data-brech-506985321.html

62CBS Detroit. (2019, March 11). Health care data breach affects 600k Michigan residents. Retrieved from https://detroit.cbslocal.com/2019/03/11/health-care-data-breach-affects-600k-michigan-residents

Davis, J. (2019, March 12). More than 600,000 affected by Michigan health care data breach. Retrieved from https://securitytoday.com/articles/2019/03/12/more-than-600000-affected-by-michigan-health-care-data-breach.aspx?m=1

Goedert, J. (2019, March 15). 600,000 affected by huge data breach in Michigan. Retrieved from https://www.healthdatamanagement.com/news/600-000-affected-by-huge-data-breach-in-michigan

Scott. (2019, March 12). Data breach may have exposed 600,000 Michigan residents. Retrieved from https://smallbusinessbigthreat.com/blog/2019/03/12/data-breach-may-have-exposed-600000-michigan-residents/

Strachan, J. (2019, March 11). More than 600,000 in Michigan affected by health care data breach. Retrieved from https://patch.com/michigan/across-mi/more-600-000-michigan-affected-health-care-data-breach

The Associated Press. (2019, March 11). Michigan residents warned about health care data breach. Retrieved from https://www.kansas.com/news/business/article22740489.html

Wolverine Solutions Group. (2019, February 27). Notice of breach/cybersecurity incident, updated 02.27.2019. Retrieved from https://www.wolverinemail.com/cyber-security-event/

Wolverine Solutions Group. (2019, February 28). Letter signed by Robert Tokar.


Tuesday, January 8, 2019

Woesnotgone Meadow; December 13, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
Occasionally, people in the Meadow are sick. This can be the usual flu or cold, or something more serious such as a broken bone. When these occur, the people soon become patients of the local doctor, whose facilities are not the massive hospitals you see on TV but smaller ones. With these, there are not two or three redundant systems in place in case one becomes inoperable. If one of the patient care or administrative systems were to stop working, there would be a problem. If multiple systems were affected, the residents of the Meadow would have a big problem.

Two hospitals had the opportunity to manage this issue. These were located in Wheeling WV and Ohio. They had a total of approximately 340 beds.

Effects
Both hospitals are owned by the Ohio Valley Health Service & Education Corporation. These hospitals were the Ohio Valley Medical Center in Wheeling, WV, and East Ohio Regional Hospital in Martins Ferry, OH. Fortunately, the compromise wasn’t throughout the system. It did, however, affect approximately 30-40 computers of the over 1,300 systems. Granted, this is a lower amount, but still enough for a potent attack if targeted properly. The staff was unable to accept patients from emergency service transports. The patients were diverted to other hospitals’ ERs. Walk-ins, fortunately, were accepted. Due to the lack of system functionality, the staff was forced to use a paper charting system.
Attack method
The tools used with these types of attacks vary greatly. The specific tools depend on the target surface and environment; there is no single tool used in every case. In this case, the hospitals were victims of a ransomware attack. The hospitals had implemented defense in depth. The attack only breached the first layer and did not compromise the second layer. This attack began on Friday, November 23, 2018, and was to be resolved by Sunday, November 25, 2018. While this timeline is great, there was no update as of Monday morning, November 26, 2018.

There have been many articles on the effect on the services, including using paper charts, and other issues, but not on the “how” question. This could be from a phishing attack, a stray USB device plugged into a system, or other attacks. The remediation was also not addressed. It is difficult to learn from our mistakes when we refuse to provide any data.

Data
The attackers were focussed on data or revenue. There is always some form of enrichment directly from the attack. If there is an asset to exfiltrate, they will target it. In this case, the targeted data was patient data. Thankfully, none was exfiltrated.


Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
CISOMAG. (2018, November 27). Ohio hospital suffers ransomware attack. Retrieved from https://www.cisomag.com/ohio-hospital-system-suffers-ransomware-attack/

Conn, A. (2018, November 24). Updated: OVMC/EORH system attacked, progress made in rebuilding. Retrieved from https://wtov9.com/news/local/ovmceorh-system-added-cannot-transport-patients

Dark Reading Staff. (2018, November 26). Ransomware attack forced Ohio hospital system to divert ER patients. Retrieved from https://www.darkreading.com/vulnerabilities---threats/ransomware-attack-forced-ohio-hospital-system-to-divert-er-patients-/d/d-id/1333333

Davis, J. (2018, November 26). Weekend ransomware attack interrupts care at 2 Ohio hospitals. Retrieved from https://healthitsecurity.com/news/weekend-ransomware-attack-interrupts-care-at-2-ohio-hospitals

Elliott, K. (2018, November 26). Ohio hospitals become latest ransomware victims. Retrieved from https://techtalk.pcpitstop.com/2018/11/26/two-ohio-hospitals-offline/

Goud, N. (2018). West Virginia hospitals become a victim of a ransomware attack. Retrieved from https://www.cybersecurity-insiders.com/west-virginia-hospitals-become-a-victim-of-a-ransomware-attack/

Gurubaran, S. (2018, November 27). Ransomware attack hits Ohio hospital and the emergency rooms are unable to take patients. Retrieved from https://gbhackers.com/ransomware-attack-hits-ohio-hospital/

Leventhal, R. (2018, November 26). Ohio/WV ransomware attack forces some ER patients elsewhere. Retrieved from https://healthcare-informatics.com/news-item/cybersecurity/ohiovw-ransomware-attack-forces-some-er-patients-elsewhere

Lyngaas, S. (2018, November 27). Ransomware infects hospitals in Ohio, West Virginia. Retrieved from https://www.cyberscoop.com/ransomware-infects-hospitals-ohio-west-virginia/

Monica, K. (2018, November 26). Ransomware attack prompts Ohio hospitals to enter EHR downtime. Retrieved from https://ehrintelligence.com/news/ransomware-attack-prompts-ohio-hospitals-to-enter-ehr-downtime

Paganini, P. (2018, November 26). Ransomware attack disrupted emergency rooms at Ohio hospital system. Retrieved from https://securityaffairs.co/wordpress/78441/breaking-news/ohio-hospital-system-ransomware.html

Spitzer, J. (2018, November 26). Ohio, West Virginia hospitals say patient information safe after attempted ransomware attack. Retrieved from https://www.beckerhospitalreview.com/cybersecurity/ohio-west-virginia-hospitals-say-patient-information-safe-after-attempted-ransomware-attack.html

The Intelligencer. (2018, November). OVMC, EORH computers attacked by hackers. Retrieved from http://www.theintelligencer.net/news/top-headlines/2018/11/ovmc-eorh-computers-are-attacked-by-hackers/

WTRF. (2018, November 26). OVMC-EORH computer system attacked, no patient information compromised.

WV News. (2018, November 25). Hospitals in Wheeling, WV, and Ohio impacted by ransomware attack. Retrieved from https://www.wvnews.com/news/hospitals-in-wheeling-wv-and-ohio-impacted-by-ransomware-attack/