Cybersecurity and Ongoing Healthcare Concerns
Healthcare continues to be a significant target. The healthcare institution’s budgets have been decreased due to a number of different issues. These include patient mobility as there are more options than ever and patient insurance payments. The latter, at best are stable however have probably been decreasing as new contracts are renegotiated. While this is occurring, the costs (direct labor, overhead, utilities, supplies, etc.) have increased.
As margins continue to be narrowed, the cuts have to be made somewhere. Cybersecurity, since the measurement of the success is elusive, may not receive the positive budgetary attention it really should. While more staff members may be needed, the positions may not be opened for applicants. This makes securing the perimeter, infrastructure, cloud, etc. difficult at best. This coupled with the attackers not being limited by geography, further complicates the InfoSec mission. All it takes is one person making the wrong choice one time to begin a cascading effect. Verity Health Systems and Medical Foundation had the opportunity to learn from a recent related issue.
Incidents
Over the recent period, there were a number of incidents. The first was in late November 2018 and another in mid-January 2019. There are other reports indicating there were two incidents in November. The access was simple enough; through three employee’s web email accounts. This allowed access to any emails or attachments in the respective compromised email accounts.
What makes this unusual is not only the number of successful attacks but also the timing. There were three attacks in such a short period of time is clearly not a good thing. For these to be successful infers a problematic, systemic issue. This forces the conversation on the level of insecurity. It is distinctly possible the SOC did not monitor the logs and other activities related to the email.
Data
The patients “possibly” affected were from many facilities. These included the Verity Medical Foundation, and Verity hospitals (O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (inclusive of the Seton Coast side campus), St. Francis Medical Center, and St. Vincent Medical Center.
The accessed emails contained health and medical data for the patients (names, treatment information, medical conditions, billing codes, and health insurance policy numbers). There were other email accounts accessed which contained personal information (names, health insurance policy number, subscriber numbers, dates of birth, patient ID numbers, phone numbers, and addresses). A portion of the attachments unfortunately also had social security and driver license numbers. To top it off, the emails may have included, for certain Verity employees and 3rd parties, their personal and health data.
Remediation
Within hours of learning of each incident, the Verity InfoSec Team ceased the unauthorized third-party access, disabled the affected email accounts, disconnected the devices from the network, and removed the unauthorized emails sent to the other employees. These actions were a positive show of the prudent steps implemented. The thought is the attackers were actually seeking the user names and passwords. Due to the compromise and the access records containing PII and PHI, the business is offering credit monitoring services for one year free to any individual whose social security number or driver’s license number was involved.
To limit the opportunity for this to occur again, the business is requiring mandatory training for the employees and improving and increasing the security measures. The business also put a call center in place for affected persons to call for questions and to get additional information.
Notification
Per the reports, there is no direct evidence of the unauthorized access or use of the patient’s individual health or personal information. Verity Health System of California, Inc. and Verity Medical Foundation have, however, notified patients who are potentially affected. These persons were informed their specific individual or a portion of their information may have been accessed without authorization. The attackers were still unknown.
Resources
Davis, J. (2019, March 26). Verity reports third data breach caused by employee email hack. Retrieved from https://healthitsecurity.com/news/verity-reports-third-data-breach-caused-by-employee-email-hack
Dissent. (2019, January 29). Verity health system of California, inc and verity medical foundation notify individuals and regulatory bodies of data security incident. Retrieved from https://www.databreaches.net/verity-health-system-of-california-inc-and-verity-medical-foundation-notify-individuals-and-regulatory-bodies-of-data-security-incident/
Spitzer, J. (2019, January 29). Verity health system reports 3 phishing attacks. Retrieved from https://www.beckershospitalreview.com/cyberseucrity/verity-health-system-reports-3-phishing-attacks.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.