Cybersecurity and Hospitals

Hospitals have an exceptionally important role in society-to provide medical treatment. If this is not important enough, taxing the staff, budgetary constraints, and operations in general, there is the COVID-19. To add to this mountain of woe is in one instance is Beaumont Hospital announcing a data breach from last year. Beaumont Health is Michigan’s largest healthcare system.

Incident

In May 2019, the Beaumont Health System email system was breached by an unauthorized third party. The attacker accessed several of Beaumont’s employee email accounts. A portion of these held patient data. The health system became aware of the breach on March 29, 2020. The attackers had access from May 23, 2019, through June 3, 2019. The press release and articles do not indicate how this was discovered or the attack vector (e.g. phishing, social engineering, or another tactic).

One question which should be asked is why detecting this takes nearly a year. During the year the 112k+ persons, or approximately 5% of the 2.3m patients the health system has records for, affected by this were living their lives, thinking everything was fine and there were no worries. This has also been estimated at approximately 114k patients. One day, the affected persons then receive a notice of the unauthorized access, the data compromised, and the hospital’s regrets. Was the InfoSec team under-staffed or simply the SIEM was not configured to detect this activity?

The health systems investigation was not able to ascertain if any of the data was actually copied or downloaded by the attackers. In retrospect, if you were going to go to the work and resource use to breach a hospital, once you accomplished your goal, you would not simply walk away.

Data

The unauthorized access is problematic on its own level. To add insult to the injury, the data access included the patient’s name, date of birth, diagnosis, procedure, treatment location, treatment type, prescription information, Beaumont patient account number, and medical record numbers.

But wait; there’s more. A portion of this sample, approximately 460 patients, also had their social security numbers, financial account information, health insurance information, and driver’s license or state identification numbers involved with this. The data was held in emails and email attachments.

When we think through this, the data involved may be used in a myriad of ways. This includes taking over the patient’s identity, filing false tax returns, gaining credit cards in their name, etc. Also, the records could be ransom-wared off. This will add the concern to the already stressed population.

Post-Incident

To remediate the issue, Beaumont has taken steps to better their internal processes and procedures to better their cybersecurity stance. Their press release also notes they will be addressing future threats. The health system is also going to provide additional training for the staff.

The health system’s recommendations to the affected parties were to monitor their insurance statements. Granted this is obvious, however, more action on the health system’s part would have been warranted.

History repeats itself

It would be great to say this was a one-off incident and there has never been an issue. Unfortunately, this is not the case. This represents the second breach this year announced. The prior announcement was in January when the health system notified 1,182 patients that a former employee had been accessing the records of patients. These patients had received treatments after automobile accidents. This data was forwarded to a personal injury attorney.

Resources

Ainsworth, A. (2020, April 17). Beaumont health alerts patients that unauthorized third-party accessed emails containing personal information. Retrieved from https://www.clickondetroit.com/news/local/2020/04/17/beaumont-health-alerts-patients-that-unauthorized-third-party-accessed-emails-containing-personal-information/

Davis, J. (2020, April 21). Beaumont health reports 2019 data breach impacting 114k patients. Retrieved from https://healthitsecurity.com/news/beaumont-health-reports-2019-data-breach-impacting-114k-patients

Fox2 Detroit. (2020, April 18). Beaumont health says 112k patients were impacted by data breach. Retrieved from https://www.fox2detroit.com/news/beaumont-health-says-112k-patients-were-impacted-by-data-breach

HIPAA Journal. (2020, April 20). Beaumont health notifies 112,000 patients about ma 19 data breach. Retrieved from https://www.hipaajournal.com/beaumont-health-notifies-112000-patients-about-may-2019-data-breach/

Shamus, K.J. (2020, April 17). Beaumont health security breach puts personal information of 112,000 at risk. Retrieved from https://www.bridgemi.com/business-bridge/beaumont-health-security-breach-puts-personal-information-112000-risk and https://www.freep.com/story/news/health/2020/04/17/beaumont-health-security-breach-personal-information/5155716002/

Stone, J. (2020, April 20). Detroit hospital network says data breach affected more than 100,000 patient accounts. Retrieved from https://www.cyberscoop.com/beaumont-health-data-breach/

Walsh, D. (2020, April 18). Data breach at Beaumont exposes information of 112,000 patients. Retrieved from https://www.modernhealthcare.com/cybersecurity/data-breach-beaumont-exposes-information-112000-patients

WXYZ. (2020, April). Beaumont says data incident impacted 112k people; names, SSNs and more were in emails accessed. Retrieved from https://www.wxyz.com/news/beaumont-says-data-incident-impacted-112k-people-names-ssns-and-more-were-in-emails-accessed

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.