Through our lifetimes, we will all need to visit a hospital, medical center, or clinic for one reason or another: the obligatory annual physical, stitches after a fall, or a medication refill. Whatever the reason, the common thread is that the person is visiting the facility for medical services, which, depending on individual needs, may be critical or routine. Either way, the patient requires the service. When something interferes with providing it, the effect is felt not only by the medical facility but by every single patient who would have received care there. We have seen the effects of phishing attacks on most industries; depending on the specific attack, these can be especially problematic for medical facilities. Overlake Medical Center & Clinics experienced this recently.
Overlake Medical Center & Clinics
Overlake Medical Center & Clinics is based in Bellevue, Washington. The facility is a non-profit with 364 beds. All was well until the issue was detected.
The medical facility was the victim of the infamous, yet uncomplicated, phishing attack. In early December 2019, a small number of employees saw the phishing lure, judged the email to be legitimate when it was not, and clicked the link, image, or whatever lure the attackers used in this case. The unauthorized party, having harvested the credentials, compromised the accounts between December 6 and 9, 2019. This was detected once the attackers began to access the email accounts on December 9th. Within hours, the medical center secured the affected email accounts and began its investigation.
For some reason, patient data for the 109k affected patients was stored in the email accounts. This possibly included names, dates of birth, phone numbers, addresses, health insurance information, insurer numbers, diagnoses, and treatment information. This is a treasure trove for the attackers. Such data may be sold in whole or sliced into usable sections for specific malicious parties.
After the compromise was detected, the medical facility was required to notify the affected patients. This began on February 7, 2020, when they started to contact 109,000 patients. This is a rather arduous task due to the number of patients and the subject matter. Even if only a small share of those people called the medical center seeking answers to their questions, there would still be a massive amount of labor required to take the calls and talk to each proactive affected patient.
As of the notification date, this was the third-largest breach for the year.
The medical center did state there was no evidence the data had been used by the unauthorized parties. This is a hollow statement, though. With the attackers holding this data, they or the purchasers, if applicable, could wait to use it, and if it were used, it may be difficult to pinpoint this compromise as the cause.
Additional Security Features
In response to the successful attack, the medical facility reset the employee passwords and put additional security features into place (e.g. multi-factor authentication and email retention policies). The facility was also enhancing its staff education to help employees better recognize and then avoid phishing emails.
There is a question of the timing. They found the credentials had been compromised and used from December 6th through the 9th, 2019. They did not start to notify the affected parties until February 7, 2020. Granted, the medical facility had to complete its investigation, including the attack vector analysis and determining who was affected. Even if this had taken a month, that still leaves another month for the medical practice to arrive at the data, which seems a bit long, even for a conservative approach to the forensic review.
While phishing attacks are an epidemic, there are measures that medical facilities may put into place to reduce this issue to a reasonable level of acceptable risk. These include, but are certainly not limited to:
· Secured storage, in place and tested regularly. Simply having storage in place is not enough; it needs to be tested to ensure the storage is viable.
· Log collection. This is a very useful tool, as it allows the organization to periodically check activities, including attempted connections and successful connections. There are several SIEMs on the market that will analyze these for the organization, significantly reducing the labor overhead that would otherwise need to be expended. One highly regarded tool for this is Splunk.
· File integrity monitoring. This is coupled with the secured storage. If the files are lacking integrity, they are not exceptionally useful.
· Event detection. In order to know there has been an issue, the event has to be detected. This is another situation where a SIEM would provide the organization with the data and analysis to show the compromise and begin the incident response protocol. Two SIEMs that could be used to accomplish this are Splunk and AlienVault.
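The log collection and event detection points above are where the Overlake pattern (credentials harvested, then the email accounts accessed from an unfamiliar source) becomes detectable. The following is an added example, not code from the original post or from any SIEM product; the log format, the sample lines, and the user and IP values are all constructed assumptions. It builds a per-user baseline of sign-in sources from a quiet period and then flags accounts where a sign-in from an unseen source is quickly followed by bulk mailbox activity.

```python
"""Constructed example: flag compromised-mailbox activity in sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): timestamp user source_ip action.
# The quiet baseline period is before 2019-12-06; the suspicious burst is on 12-09.
SAMPLE_LOGS = """\
2019-12-02T08:01:00 jdoe 10.0.5.21 login
2019-12-03T08:05:00 jdoe 10.0.5.21 login
2019-12-04T07:58:00 asmith 10.0.5.44 login
2019-12-05T08:10:00 asmith 10.0.5.44 login
2019-12-09T02:14:00 jdoe 198.51.100.77 login
2019-12-09T02:15:00 jdoe 198.51.100.77 mailbox_search
2019-12-09T02:16:00 jdoe 198.51.100.77 mailbox_export
2019-12-09T08:02:00 asmith 10.0.5.44 login
"""

def parse(lines):
    """Parse whitespace-separated log lines into (time, user, ip, action) tuples."""
    events = []
    for line in lines.splitlines():
        ts, user, ip, action = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action))
    return events

def build_baseline(events, cutoff):
    """Known sign-in source IPs per user, learned from activity before `cutoff`."""
    known = defaultdict(set)
    for ts, user, ip, action in events:
        if ts < cutoff and action == "login":
            known[user].add(ip)
    return known

def find_suspicious(events, cutoff, window=timedelta(minutes=30)):
    """Return users whose sign-in from an IP outside their baseline is followed,
    within `window`, by a bulk mailbox action from that same IP."""
    known = build_baseline(events, cutoff)
    unfamiliar = {}  # (user, ip) -> time of first sign-in from an unknown IP
    hits = set()
    for ts, user, ip, action in sorted(events):
        if ts < cutoff:
            continue
        if action == "login" and ip not in known[user]:
            unfamiliar.setdefault((user, ip), ts)
        elif action in ("mailbox_search", "mailbox_export"):
            first = unfamiliar.get((user, ip))
            if first is not None and ts - first <= window:
                hits.add(user)
    return sorted(hits)

def run_demo():
    """Run the detection over the constructed sample with a 2019-12-06 cutoff."""
    return find_suspicious(parse(SAMPLE_LOGS), datetime(2019, 12, 6))

if __name__ == "__main__":
    print(run_demo())  # ['jdoe']
```

In a real deployment the baseline would be learned continuously and the actions would map to the mail platform's own audit event names rather than these assumed labels.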
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.