Physicians are located throughout the nation. These all have their specialties. As these practices vary in size, their budgets spent on cybersecurity vary greatly. The rule of thumb, for better or worse, has been the greater amount spent on cybersecurity the more intricate and hardened the system is. This, however, has not always been the case.
Recently Brookside ENT and Hearing Center had the pleasure of managing a successful cybersecurity attack and compromise. This doctor’s office was located in Michigan. The successful attack initially encrypted the files and complete computer system for the Brookside ENT and Hearing Center. The attacker demanded a $6,500 ransom for the decrypt key. The ransom was refused, which normally is a good route to follow if you have viable backups and/or are able to recreate the data without a significant issue. Naturally the attackers were not exceptionally happy with this response. As a direct result from this the entirety of the practice’s computer network was erased. This included all of the patient files and records. This was, to say the least, a bad situation.
The medical practice was owned by John Bizon, MD and William Scalf, MD. After all the records were erased, the owners decided to retire and close the practice. Rebuilding the practice’s data and other pertinent information was simply not worth it for the owners/doctors. This adversely affected the patients.
The data affected was rather expansive. This included all the appointment schedules, payment data, and other patient information. On the bright side, it appears no patient data was accessed and the electronic health records (EHR) were encrypted. The potential issue with this is the encryption protocol in place was not published. It is presumed this an industry standard and not home-rolled or an outdated version.
The FBI was actively investigating the successful attack. Unfortunately, the attack vector and tools had not been published yet. The data for this could have been used as a learning tool and case study for others. The attack could have been a simple phishing attack with the right staff members clicking on an image or link.
This illustrates the need for purposeful training for the staff members on the various cybersecurity topics. It is by far too late for this practice; however, others may learn from this.
Davis, J. (2019, April 1). Michigan practice to shutter after hackers delete patient files. Retrieved from https://healthitsecurity.com/news/michigan-practice-to-shutter-after-hackers-delete-patient-files
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!