Cybersecurity and the University of Utah Health Breach
The University system tends to focus on research in the specific disciplines. These may be business, psychology, sociology, criminal justice, medical, or any of the other areas within the University system. While the staff is fulfilling their tasks, the IT area of operations is continuously working to detect attacks and put in place mitigations to reduce the opportunity for a breach. This is a daunting task for many reasons. One such target was the University of Utah Health system. The organization was unfortunately breached at least twice recently.
The system is deluged with attacks and the beginning stages of attacks, just like any other medical facility. Unfortunately, two of these recently were successful.
The first was from January 22 through February 27, 2020. This successful attack was focused on email accounts. During this period there was an unauthorized access to a portion of the University of Utah Health staff email accounts. This was accomplished through the infamous phishing attack. This attack vector is so successful with such little capital or effort, this is bound to not slow down.
The second known successful attack was in the form of malware on a system. This was detected on February 3, 2020. Once this was found, the University of Utah Health contacted a third-party cybersecurity organization to assist them with the investigation. This investigation noted the malware may have been able to access a portion of the patient’s data, which was located in the respective employee’s email.
With both of these noted successful attacks, the commonality was the unauthorized access to patient data. With these breach instances, the patient data may have included the patient name, date of birth, medical record numbers, and a limited amount of treatment information.
The investigation into the attack was not a simple review of logs. The compromises were alleged of a complex nature and of a highly technical nature. This is not an unusual statement by the University of Utah Health. If they were to state the attack was exceptionally simple, the management would be having additional issues from many other parties, including potentially the federal government, attorneys, and others.
The organization is also mailing letters to the affected patients. This is the standard protocol. To lower the potential for this to occur again, the organization is updating InfoSec procedures with the employees. This may or may not be successful, based on the implementation. If after a few months, the management does not reinforce the idea of cybersecurity, any lessons learned will fall by the wayside.
This is yet another case of where training needs to be done through the year, insightful, and have some level of entertainment. Without this in place, the organizations will continue to be reactive post-breach, instead of pro-active to minimize the potential for a breach. Having known the method for the phishing attack would have been a great step forward. The industry could have learned from this and tailored other’s training to avoid this issue.
Bennett, L. (2020, March 21). University of Utah health says some patients’ data compromised in ‘phishing’ security breach. Retrieved from https://www.ksl.com/article/46732931/university-of-utah-health-says-some-patients-data-compromised-in-phishing-security-breach
DeWitt, K. (2020, March 20). U of U health announces phishing schemes caused unauthorized access to some employee accounts. Retrieved from https://www.abc4.com/news/top-stories/u-of-u-health-announces-phishing-schemes-caused-unauthorized-access-to-some-employee-email-accounts/
Roberts, A. (2020, March 21). Hacked: Some patient information compromised in U of U Health breach. Retrieved from https://kutv.com/news/local/some-u-of-u-health-patient-information-may-be-compromised-in-data-breach
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.