And you thought the Experian compromise was problematic
Healthcare continues to bear the brunt of the attempted attacks. Over the last few years the healthcare industry has been targeted repeatedly. This is due primarily to the data it holds remaining marketable for a longer period of time than other forms of data. Lax security, coupled with this, certainly is not helpful. With financial information, e.g. credit card numbers, the useful life is much shorter than for other forms of data. Once a person becomes aware of an issue, whether from checking their accounts, through a third-party service, or in some other form, they simply have to call their credit card company. The company voids the present credit card number and issues a new card to the user. The stolen credit card is no longer valid.
Medical records are a different case. They hold data that’s useful to attackers over a much longer period of time. Depending on the record and the healthcare agency, the file’s composition may differ. These files generally contain the social security number, addresses, billing data, and other relevant, marketable data.
The Health South-East Regional Health Authority, located in Norway, recently had the opportunity to experience an attack. The entity manages Norway’s hospitals located in its southeast region. Its system was compromised, which led to attackers exfiltrating its clients’ personal information and medical records. In the US, we are unfortunately becoming numb to this, as there have been many of these over the last two years.
Two factors stand out with this incident. First, approximately 2.9M records were exfiltrated. This is over half of Norway’s population of 5.2M, which makes the breach relatively massive. Second, the entity’s InfoSec staff did not notice any issues. Instead, the healthcare entity received a notification from HelseCERT regarding activity red-flagged as abnormal. As of recently, there had not been evidence of any patient issues arising from this compromise. The management, though, does not quite appreciate the long-term effects of this. The data is marketable for extended periods, which is inclusive of a few months. The attackers who compromised the systems don’t have to sell it immediately or use it for their gain within this time period.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.