At one point or another, we all need healthcare during our lives. The facilities are located in every state, in rural and metropolitan areas. One aspect that seems to be pervasive across them is a supply chain that brings third parties into the system. It is a rarity these days for a healthcare facility to have full vertical integration of its supply chain, with no outside vendors for anything. Vendor integration makes the vendor's communication, invoicing, and other necessities a little more convenient. Unfortunately, this has the potential to bring risk to your organization. One area not addressed to a significant extent is supply chain management. When the business allows its vendors access to its system for efficiency or convenience, there should be a full vetting process. It does not appear this was the case with Spectrum Health of Lakeland. The medical facility is located in St. Joseph, MI.
The supply chain has been a completely viable attack point for over a decade. While this is a risky point, not enough attention has been paid to it. A common saying applies to these circumstances: you are only as strong as your weakest link. This is truly applicable to the supply chain. As you grant access to or contract with services outside of the organization, unless senior management has the vendor fully vetted and this vetting is regularly updated, the organization is inviting a significant amount of risk in.
These issues occurred with their billing function. Management contracted the medical billing out to Wolverine Solutions Group. The vendor was pwned. They were a victim of a very successful ransomware attack. The attackers gained access to the data and encrypted it. It was later decrypted. These fateful events occurred in September 2018. Spectrum Health was notified on December 17, 2018. They issued a press release on March 14, 2019. As you can tell by the dates, there is a rather significant lag in time. Normally, this would not take this amount of time. In this instance, verifying the attack's symptoms took a bit of time. Spectrum Health and Wolverine Solutions Group also each conducted their own separate investigation. This assuredly was costly and required many people's time.
This directly affected approximately 60k Spectrum Health Lakeland patients. Fortunately, this affected only the patients of this specific facility. There are many other facilities, which could also have been involved. The company has stated it can neither confirm nor deny that the patients' confidential data was exfiltrated. If you think this through, however, would an attacker spend the time to complete the reconnaissance and the other steps needed to be confident in their ability to breach the system, and then not steal the data?
This also affected other organizations that were clients of Wolverine Solutions Group. So far, this has also affected the North Ottawa Community Health System, Mary Free Bed Rehabilitation Hospital, Health Alliance Plan, and Blue Cross Blue Shield of Michigan.
The evidence does appear to indicate the data was accessed by unauthorized parties. The data included names, social security numbers, addresses, health services provided, insurance companies, and amounts due. This information would be very helpful in social engineering or identity theft.
For a business working with confidential, sensitive data, especially in the age of HIPAA, one would think Wolverine Solutions Group (WSG) would have a relatively sophisticated cybersecurity system in place. This may include log analysis, a SIEM, and other monitoring. In the case at hand, it took 2-3 months for WSG to realize they had been breached. Even if the attackers used advanced techniques to cover their tracks, WSG still should have been able to detect the issue.
The company cannot confirm or deny that the confidential data was stolen. While this may be true, in the end the attackers viewed it. They could have copied and exfiltrated it with no issue. The idea that the attackers would not attempt to steal the data after spending the time and money to learn the system and breach it does not hold water, especially when you consider the risk of being arrested and jailed, and that the attackers had 2-3 months of access.
This emphasizes the need to examine the business supply chain in depth. If there are any vendors that connect to your system, their cybersecurity stance truly needs to be evaluated. There is absolutely no need to accept or introduce any risk not completely understood, unless you want your organization in the Sunday paper.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.