Cybersecurity and Another Hospital Attack
All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.
At times, the citizens of the Meadow may get the flu or another virus. For a certain portion of the population, the flu or pneumonia has the potential to be very serious. When that happens, the resident is transported to a hospital and becomes a patient. At this point, the patient provides their personal information, including their name, social security number, and insurance information. The hospital then becomes responsible for the patient’s personal, confidential data. Generally, this is not an issue and the hospital has the data secured.
At times, however, this is not the case.
Pawnee County Hospital is located in Nebraska. The hospital conducts business just as most hospitals do. Most days on the administrative side are not all that exciting. That was about to change for the administrators. The subject attack was rather passive, yet in this case, very effective. On November 29, 2018, the hospital discovered the issue. A hospital staff member had received and opened an email. This happens dozens and dozens of times a day for most of the hospital’s staff members. In this case, as with the others, the employee thought (mistakenly) this was from a trusted source. Unfortunately, the staff member opened the attachment and began the infection. The attacker had access from November 16 through 24. The employee’s email account contained business clinic reports, clinical summaries, and other pertinent internal documents. Post-discovery, the hospital contracted with a third party for the forensic work.
As this is a hospital, the data it has been entrusted with is primarily the patients’ confidential data and information (PHI & PII). The compromise allowed unauthorized access to this data. The data the attacker had access to was the patient’s full name and at least one of the following: address, date of birth, date(s) of service, medical record number, clinical information, insurance information, and driver’s license/state ID numbers. The patient’s social security number may also have been involved.
Due to the compromise, the hospital was required to notify 7,038 to 7,175 patients of the issue. This was the direct result of the malware infecting the system. The compromise created quite an issue for the hospital. As for the remediation, the hospital agreed to provide one year of credit monitoring service. The IT department also began to update its systems. All of the staff members were required to reset their email passwords. There were additional security features involved as well.
This issue also continues to show the importance of employee training. With appropriate training, perhaps there would be fewer of these types of issues.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest encryption.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.