Recent Compromise and Ransomware: Delayed Response with Medical Office
With each compromise of a medical office there are repercussions on many fronts. Patients have to live with their private information being strewn across the dark web for years; the office may face HIPAA issues in the form of expensive fines and operationally costly remediation; and of course the underlying issue that allowed the breach still has to be fixed.
One such incident occurred at the Peachtree Neurological Clinic in Atlanta, GA. The first issue noticed was ransomware. This is rather traumatic for staff: as the ransom page spread across the clinic's workstations, their attention was captive. The ransomware itself was handled with relative ease, as the clinic was able to restore from its backups. On the less positive side, as the clinic began to examine the attack, certain anomalies became apparent.
This led to the discovery that the system had been compromised well before the ransomware appeared: the clinic's network had been breached for 15 months, giving the attackers access to a massive amount of data. If this was not bad enough, the clinic cannot determine with any reasonable certainty what data was exfiltrated over those 15 months. The clinic only knows the window was between February 2016 and May 2017. That uncertainty is itself a finding: without records covering the whole window, the breach has to be scoped as if everything the attackers could reach was taken.
This is another example to learn from, even though it has been a rather significant and relatively embarrassing issue for the clinic. For the enterprise, certain activities should be logged and examined; authentication events, remote access, and the volume of data leaving the network are the obvious candidates. This does not require a human to read through a volume of logs and hope to notice trends. It can be operationalized with spreadsheets or scripts that establish the normal, baseline activity and flag the anomalies indicative of an issue, and this InfoSec application is also a good fit for machine learning. The caveat is that a baseline only helps if the logs are retained long enough to compare against and someone actually acts on what is flagged; a 15-month dwell time suggests the signs were either not being collected or not being reviewed. This is also an opportunity to train staff on the signs of a phishing email and other content with a malicious focus (e.g. links to malicious websites, attachments, etc.). These measures certainly are not going to catch every issue, however they will at the least strengthen the entity's defensive posture.
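As an added example of the kind of script the paragraph describes, and not code from the article or from the clinic, the Python below builds a per-user baseline from a quiet period of constructed access-log lines and then flags later records that depart from it: a login from an address the user has never used, activity outside the user's usual hours, an export far larger than the user's history, or an identity with no history at all. The log format, user names, addresses, the cutoff date and the mean-plus-three-standard-deviations threshold are all assumptions for illustration; a real deployment would draw on whatever the EHR, VPN and file servers actually log.

```python
"""Baseline-and-anomaly detection over access-log lines.

Added example for this article; it is not the clinic's tooling. The log
format, user names, addresses and thresholds are assumptions made for
illustration. The idea is the one the article describes: learn what normal
activity looks like from a quiet period, then flag what departs from it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Fields: timestamp user src_ip action bytes_out
# January is the quiet period used as the baseline; the February lines contain
# a night-time login from an outside address followed by a very large export,
# and a login from an identity that has no baseline at all.
SAMPLE_LOG = """\
2016-01-04T08:12:00 dr.jones 10.0.5.12 login 0
2016-01-04T08:30:00 dr.jones 10.0.5.12 export 2400
2016-01-05T09:02:00 nurse.kim 10.0.5.20 login 0
2016-01-06T12:15:00 dr.jones 10.0.5.12 export 1800
2016-01-11T16:40:00 dr.jones 10.0.5.12 export 3000
2016-01-12T17:05:00 nurse.kim 10.0.5.20 export 900
2016-01-13T10:20:00 nurse.kim 10.0.5.20 export 1100
2016-02-03T09:10:00 dr.jones 10.0.5.12 export 2100
2016-02-17T02:41:00 dr.jones 203.0.113.8 login 0
2016-02-17T02:55:00 dr.jones 203.0.113.8 export 480000
2016-02-18T03:10:00 svc_backup 203.0.113.8 login 0
"""


def parse_log(text):
    """Turn the raw text into a list of records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src_ip, action, bytes_out = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src_ip": src_ip,
            "action": action,
            "bytes_out": int(bytes_out),
            "raw": line,
        })
    return records


def build_baseline(records):
    """Per-user picture of normal: source addresses, working hours, export sizes."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": [], "volumes": []})
    for r in records:
        b = baseline[r["user"]]
        b["ips"].add(r["src_ip"])
        b["hours"].append(r["ts"].hour)
        if r["bytes_out"] > 0:
            b["volumes"].append(r["bytes_out"])
    return baseline


def score(record, baseline):
    """Return the list of reasons this record departs from the baseline."""
    b = baseline.get(record["user"])  # .get() does not create a default entry
    if b is None:
        return ["unknown_user"]
    flags = []
    if record["src_ip"] not in b["ips"]:
        flags.append("new_src_ip")
    if not (min(b["hours"]) <= record["ts"].hour <= max(b["hours"])):
        flags.append("off_hours")
    vols = b["volumes"]
    # A volume verdict needs at least two baseline samples to estimate spread;
    # a thinner baseline gives no verdict rather than a noisy one.
    if record["bytes_out"] > 0 and len(vols) >= 2:
        threshold = mean(vols) + 3 * pstdev(vols)
        if record["bytes_out"] > threshold:
            flags.append("volume_spike")
    return flags


def find_anomalies(log_text, cutoff):
    """Build the baseline from records before `cutoff`, score the rest."""
    cutoff_ts = datetime.fromisoformat(cutoff)
    records = parse_log(log_text)
    baseline = build_baseline([r for r in records if r["ts"] < cutoff_ts])
    hits = []
    for r in records:
        if r["ts"] < cutoff_ts:
            continue
        flags = score(r, baseline)
        if flags:
            hits.append((r["raw"], flags))
    return hits


if __name__ == "__main__":
    for raw, flags in find_anomalies(SAMPLE_LOG, "2016-02-01"):
        print(f"{raw}  <- {', '.join(flags)}")
```

Run stand-alone it prints the three February lines that break from January's pattern and stays silent on the routine business-hours export. The svc_backup line shows the case a statistical baseline cannot judge at all, an identity with no history, which is reported as such rather than silently scored as normal; that is exactly the kind of entry a 15-month intrusion tends to leave behind.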
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.