Recent Compromise and Ransomware: Delayed Response with Medical Office
Each compromise involving a medical office has repercussions on many fronts. The patients have to live with their private information being strewn across the dark web for years, the office may face HIPAA issues that manifest as expensive fines and operationally costly updates for the firm, and the remediation of the issue itself causes further problems and expense.
One such incident occurred at the Peachtree Neurological Clinic in Atlanta, GA. The first issue noticed was ransomware. This event was rather traumatic for the staff: as they began to see the ransom page spread across the clinic's workstations, their attention was captured. The ransomware itself was resolved with relative ease, as the clinic was able to restore from its backups. Less positively, as the clinic began to examine the attack, certain anomalies became apparent.
This led to the discovery that the system had been compromised well before the ransomware appeared. The network had been breached for 15 months, allowing the attackers access to a large amount of data. Worse, the clinic could not determine with any reasonable certainty what data had been exfiltrated over those 15 months; it knew only that the window ran from February 2016 to May 2017.
This is another learning opportunity with lessons for all. Although this was a significant and rather embarrassing issue for the clinic, it shows why certain activities should be logged and examined. This does not require a human to read through a volume of logs and hope to notice trends. It can be operationalized with spreadsheets or scripts that parse the normal, baseline activity and look for the anomalies indicative of an issue; this InfoSec application is also a good fit for machine learning. The same logs are what allow an entity to scope a breach after the fact, which is exactly what the clinic was unable to do. This is also an opportunity to review the signs of a phishing email and other messages designed to be malicious (e.g. links to malicious websites, attachments, etc.). These measures certainly would not reveal every issue in such an event; however, at the very least they assist with the entity's defensive measures, raise awareness of potential vulnerabilities within the system, and highlight human performance errors that can be avoided in the future.
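The kind of baseline-and-anomaly script described above, as an added example that is not code from the original article or from the clinic involved. The log format (one line per outbound transfer: timestamp, user, bytes), the business-hours window and the 3-sigma threshold are all assumptions made for illustration; the sample log lines are constructed, with a baseline month of ordinary daytime transfers followed by two large transfers in the early morning.

```python
"""
Baseline-and-anomaly check over outbound transfer logs.

Added example (not the article's or the clinic's own code). The log
format, field names, business-hours window and threshold below are
assumptions for illustration only.
"""
import statistics
from collections import defaultdict
from datetime import datetime, date

# Constructed sample log: "<ISO timestamp> <user> <bytes sent>" per line.
# January is ordinary daytime activity; the two February lines are large
# transfers at 02:00, the pattern a long-running exfiltration might leave.
SAMPLE_LOG = """\
2016-01-04T09:12:03 rjones 1048576
2016-01-04T10:40:51 rjones 2097152
2016-01-05T11:05:14 rjones 1572864
2016-01-06T14:22:09 rjones 1310720
2016-01-07T09:58:37 rjones 1835008
2016-01-08T16:01:44 rjones 1048576
malformed line that should be skipped
2016-02-11T02:17:29 rjones 734003200
2016-02-12T02:41:08 rjones 629145600
"""

# Everything before this date is treated as "known good" baseline activity.
BASELINE_END = "2016-02-01"


def parse_log(text):
    """Parse log text into (datetime, user, bytes) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[2])
        except ValueError:
            continue
        events.append((ts, parts[1], size))
    return events


def daily_totals(events):
    """Sum bytes sent per (user, calendar day)."""
    totals = defaultdict(int)
    for ts, user, size in events:
        totals[(user, ts.date())] += size
    return totals


def find_anomalies(events, baseline_end=BASELINE_END, z=3.0, after_hours=(22, 6)):
    """Return findings as (kind, user, when, bytes) tuples.

    kind == "volume": a day's total exceeds that user's baseline mean + z*stdev.
    kind == "after_hours": a single transfer outside the assumed business window.
    """
    cutoff = date.fromisoformat(baseline_end)
    totals = daily_totals(events)

    # Per-user baseline: daily totals from the known-good period only.
    baseline = defaultdict(list)
    for (user, day), total in totals.items():
        if day < cutoff:
            baseline[user].append(total)

    findings = []
    for (user, day), total in sorted(totals.items()):
        base = baseline.get(user, [])
        if len(base) < 2:
            continue  # not enough history to judge this user
        mean = statistics.mean(base)
        sd = statistics.pstdev(base) or 1.0  # avoid a zero threshold on flat data
        if total > mean + z * sd:
            findings.append(("volume", user, day.isoformat(), total))

    start, end = after_hours  # window wraps past midnight: 22:00 to 06:00
    for ts, user, size in events:
        if ts.hour >= start or ts.hour < end:
            findings.append(("after_hours", user, ts.isoformat(), size))
    return findings


def run(text=SAMPLE_LOG):
    """Parse the log and return its findings; used for the demo below."""
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for kind, user, when, size in run():
        print(f"{kind:12s} {user:8s} {when:20s} {size:>12d} bytes")
```

Two points a practitioner would add: the baseline window has to be older than the intrusion, or the attacker's traffic becomes "normal" (here the cutoff is a fixed date; in practice it is re-derived from an earlier, trusted period), and the logs must be retained longer than a plausible dwell time. In this incident the dwell time was 15 months, so logs rotated after 90 days would have made scoping the exfiltration impossible even with a perfect detector.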
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.