
Monday, May 20, 2019

Woesnotgone Meadow; May 21, 2019



All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.

At times, the citizens of the Meadow may get the flu or another virus. For a certain portion of the population, the flu or pneumonia has the potential to be very serious. When that happens, the resident is transported to a hospital and becomes a patient. On admission, the patient provides their personal information, including their name, social security number, and insurance information. The hospital then becomes responsible for the patient’s personal, confidential data. Generally, this is not an issue and the hospital has the data secured. At times, however, this is not the case.

Pawnee County Hospital is located in Nebraska. The hospital conducts business just as most hospitals do. Most of their days on the administrative side are not all too exciting. Things were about to change for the administrators. The subject attack was rather passive, yet in this case, very effective. On November 29, 2018, the hospital discovered the issue. A hospital staff member had received and opened an email. This happens dozens and dozens of times a day for most of the hospital’s staff members. In this case, as with the others, the employee thought (mistakenly) this was from a trusted source. Unfortunately, the staff member opened the attachment and began the infection. The attacker had access from November 16 through 24. The employee’s email account contained business clinic reports, clinical summaries, and other pertinent internal documents. Post-discovery, the hospital did contract with a third party for the forensic work.

As this is a hospital, the data they have been entrusted with consists primarily of the patients’ confidential data and information (PHI & PII). The compromise allowed unauthorized access to this. The data the attackers had access to was the patient’s full name and at least one of the following: address, date of birth, date(s) of service, medical record number, clinical information, insurance information, and driver’s license/state ID numbers. The patient’s social security number may also have been involved.

Due to the compromise, the hospital was required to notify 7,038 to 7,175 patients of the issue. This was the direct result of the malware infecting the system. The compromise created quite an issue for the hospital. As for the remediation, the hospital did agree to provide one year of credit monitoring service. The IT department also began to update their systems. All of the staff members were required to reset their email passwords. There were additional security features involved.

This issue also continues to show the importance of employee training. With appropriate training, perhaps there would be fewer of these types of issues.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest encryption.
Resources

Dissent. (2019, February 9). Pawnee county memorial hospital notifies 7,038 patients after employee email account compromised by phishing attack. Retrieved from https://www.databreaches.net/pawnee-county-data-breaches.net/pawnee-county-memorial-hospital-notifies-7038-patients-after-employee-email-account-compromised-by-phishing-attack/

Garrity, M. (2019, February 11). Nebraska hospital notifies 7,000 patients of phishing attack. Retrieved from https://www.beckershospitalreview.com/cybersecurity/nebraska-hospital-notifies-7-000-patients-of-phishing-attack.html

HIPAA Journal. (2019, February 11). 7,000 patients notified about pawnee county memorial hospital malware attack. Retrieved from https://www.hipaajournal.com/7000-patients-notified-about-pawnee-county-memorial-hospital-malware-attack/

Tuesday, February 12, 2019

Woesnotgone Meadow; December 19, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the residents take care of their health, for the most part. When we need to, the doctor is always available for our visits, complaints, and general layman conjecture on the root causes of our ailments. At times, Dr. Gerry even listens to us ask if we need a drug that we had just seen on the television the night before.

The Elizabethtown Community Hospital (ECH), which is part of The University of Vermont Health Network, had the opportunity to work through an incident response recently. ECH operates six community-based primary healthcare centers, and an ER and outpatient center.

ECH recently had what they termed a “data security incident”, aka a compromise. This was detected in October 2018. This has affected an estimated 32k patients. Although the system was compromised, ECH did not have any clear evidence any individual patient record was accessed. Although there is no clear evidence, to be conservative, ECH is still publicizing this so the potentially affected clients may be prepared.

This event was due to an ECH email account being compromised. The email account did contain clients’ names, dates of birth, addresses, and limited medical information (i.e. billing, medical record numbers, dates of service, and a brief summary of rendered services). Unfortunately, a portion of the patients (approximately 1,200) did have their social security number included with the compromised data.

Once this was detected, nine days after the compromise, ECH changed the affected account(s) password(s), made the security features more robust, and contracted with a forensic cybersecurity firm to analyze the incident. This did not, fortunately, spread to the computer network or electronic medical records (EMR).

To assist with the issue, the affected patients are being offered free credit monitoring services. The length of time this service will be provided was not noted. For the patients, this is of marginal value, as the attackers could use this data a day, week, or month after the credit monitoring service has lapsed.

This continues the lesson of staff training for phishing attacks. This attack method continues to be prominent, and its usage is not slowing down. All this attack needs, to be successful, is for a few of the targets to click on the link or attachment!

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Demol, P. (2018). ECH data breach exposes patient info. Retrieved from https://www.suncommunitynews.com/articles/the-sun/ech-data-brach-exposes-patient-info/

Saturday, November 10, 2018

Sutter Health Medical Records Issue

Medical records hold a massive amount of data. These include not only the medical diagnosis but may also include payment information along with health insurance data. The sales price of each individual record may not be large; the value resides more in the data itself. The price depends on not only the data in each file but also how the records are bundled.

Access to the medical records is limited. Not every person in the medical facility requires access to these. The data may lure staff members of the medical facility to view these records, when not authorized, to gain knowledge. Certainly, this could be more of a curiosity issue or have more of a malicious slant, with the exfiltration and sale of the data. In prior years, this had occurred with celebrities or other prominent figures.

Another incident of this type occurred recently. Sutter Health in California recently fired two employees after they accessed medical records. Normally this would not be an issue, as many persons are allowed to view medical records as part of the role and responsibility of their position. However, the staff members were not authorized to do so. The two employees allegedly accessed the medical records of Joseph DeAngelo. He is suspected to be the Golden State Killer.

Naturally, medical records are to be held in an exceptionally secure manner and accessed by authorized parties only when required for their position. This not only includes data segregation and encryption but also authorization.

Wednesday, June 20, 2018

Medical Data Targeted!

Medical Data is such a significant target for the attackers. The data is able to be bundled together or separated to be sold, dependent on the type of data and the potential markets on the dark web.


Yet another example of this was reported in May 2018. LifeBridge Health appears to have been targeted and compromised. It appears the compromise of 500k patient records occurred on September 27, 2016. This was detected in March 2018. Thus it took approximately 1.5 years for the business to realize they had been targeted, recon had occurred, and the system was compromised. This was not noted by the business or its InfoSec Department, but after a forensic firm had been hired. The data probably exfiltrated was patient names, addresses, birth dates, insurance information, and the gemstone of the patient’s social security number.

Although the press release states the business takes protecting the patient’s data very seriously, as these all do, the breach and also compromise timeline is problematic. The patient’s data was exposed on the dark web for sale and abuse for up to 1.5 years. The InfoSec team should have been able to notice the traffic moving the data from the business.

Wednesday, May 9, 2018

Medical records as phishing targets

Over the last few years, there have been many breaches involving hospitals, doctors’ offices, and other institutions securing medical records. These records are generally held in an electronic format, such as with electronic medical records (EMR) and electronic health records (EHR). These definitely have a value on the dark web. These clearly are not simply lying about for anyone to exfiltrate, but are secured at various levels and applications of information and cybersecurity. To not apply security would be negligent and in violation of several laws, including HIPAA. With these records secured, the attackers need to find alternative methods to compromise the systems.

One such incident occurred in 1Q2018. Unity Point Health was compromised between February 1st - 7th and the attackers, as an extension of the compromise, were able to access approximately 16K patient medical records. This was accomplished through a phishing attack being used as the attack vector.

The attackers were able to exfiltrate the patients’ names, dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, dates of service, and insurance information. The attackers may have also had access to social security numbers and other patient financial information.

This provides a training opportunity for the medical field on what can happen with a compromise from a simple, yet effective, phishing email.



As always, please contact us for a consult as needed.


Thank you!