Hackers Hit Health System's ServerSt. Joseph Health System Describes Details, Response
A three-day hacker attack in December against an onsite server at St. Joseph Health System in Bryan, Texas, exposed information on about 405,000 individuals.
If details of the breach are confirmed by the Department of Health and Human Services' Office for Civil Rights, the incident would be the third largest hacking incident posted on HHS' "wall of shame" website listing breaches affecting 500 or more individuals since September 2009.
Major hacking attacks have been relatively rare in healthcare, with only 62 such attacks among the more than 800 breaches on the HHS tally. The largest was a 2012 incident at the Utah Department of Health, which affected 780,000 individuals.
For the most part, healthcare organizations have not been among the most common targets for the hacking community, says Brian Evans, a principal security and privacy consultant at Tom Walsh Consulting. "However, evidence suggests that many organizations just aren't that good at detecting incidents involving confidential information," he says. "I believe the primary reason hacking attacks are less common in healthcare is that many organizations are not mature enough to realize they have been hacked."
St. Joseph, a not-for-profit, Catholic integrated delivery system, revealed on Feb. 4 that during a 48-hour period spanning Dec. 16-18, 2013, the organization experienced a data security attack, in which unknown parties gained unauthorized access to a single server containing patient and employee files.
Tim Ottinger, the healthcare provider's vice president of advocacy and governmental affairs, tells Information Security Media Group that a forensics examination has determined that the unauthorized parties operated from IP addresses in China and elsewhere. The hackers accessed an onsite server that contained patient and employee data for several St. Joseph facilities in Texas.
Those facilities included St. Joseph Regional Health Center, Burleson; St. Joseph Center, Madison; St. Joseph Health Center, Grimes; and St. Joseph Health Center and St. Joseph Rehabilitation Center, both in Bryan.
Ottinger would not discuss how the attack was detected, but he says the organization took the affected server offline as soon as the incident was discovered and launched an investigation.
In the aftermath of the incident, St. Joseph has implemented "eight to 10 new processes and security measures, and we will be looking at putting into place additional ones" to safeguard data against potential security incidents in the future, Ottinger says. He declined to disclose details.
St. Joseph notified law enforcement, including the FBI, and other government regulatory bodies, including the Federal Trade Commission and HHS, about the incident, he says.
So far, the forensics investigation has not found any indication that any data was removed from the affected server, Ottinger says. Nonetheless, each affected individual is being offered one year of free credit monitoring, he says.
Individuals affected by the breach include about 2,000 current and former employees and their beneficiaries, whose impacted data may have included bank routing information, names, addresses, dates of birth, and Social Security numbers, he says.
Of the patients affected, data compromised by the breach may include names, addresses, dates of birth, Social Security numbers and some medical information, he says. The medical data exposed did not include patients' full medical records, but narrower information, such as registration information related to medical lab tests, Ottinger says.
Other Hacking Incidents
The HHS "wall of shame" website lists just two hacking incidents with more individuals affected than in the St. Joseph Health System breach.
Authorities believe the largest incident, which occurred March 10 to April 2, 2012 at the Utah Department of Health, involved East European hackers accessing a state server.
The second largest hacking incident listed on the HHS tally involved the Puerto Rico Department of Health and affected 475,000 individuals. That incident occurred in October 2008, before the HIPAA breach notification rule coming took effect.
As of Feb. 5, a total of about 62 hacking incidents were listed among the more than 800 major breaches listed on the HHS website (see: Health Data Breach Tally Tops 800). The hacking incidents affected more than 2 million of the 29.3 million individuals affected by major breaches listed on the HHS site.
More Hacking Incidents Ahead?
Health data breaches involving hackers are likely to become more frequent, says Evans, the consultant.
"Advanced attacks and malware are getting more common, but basic security gaps still exist in healthcare organizations regardless of size," he says. "They also continue to struggle with the justification and payoff of formally managing information risk, and this is reflected in their immature incident detection, handling, and response.
"As healthcare organizations and business associates formalize and mature these capabilities, it's only logical that more security incidents will be identified and reported. As a result, I do believe there will be more hacking attacks reported in the future."
Prevention and Detection
Healthcare organizations can take a number of steps to prevent and better detect hacking attacks, Evans says.
"Healthcare organizations will always experience security incidents, even if they have sound security practices. The extent of the damage from an incident largely depends on the quality of the response," Evans says. "It is critical for these organizations to have a trained and experienced incident response team coupled with a well-documented and tested process."
Organizations should also determine which combination of monitoring and analysis technologies is the most appropriate, the consultant advises.
"Early detection of attacks and data breaches requires the deployment of security monitoring and prevention technologies that match support expertise," Evans says. "Appropriate preparations can limit both the likelihood of an incident occurring and the damage from an incident that does occur."
Some key technologies organizations should consider using to help with breach detection, Evans says, include a security incident and event management system, database activity monitoring systems, file integrity checking software, data loss prevention software, anti-malware software and intrusion detection systems.
Organizations also should ensure that their user education and awareness programs address how to recognize and report security incidents, Evans says. "In some cases, users may not recognize an event as a security incident but may simply see a technical anomaly and contact the help desk," he says. "The best detection approach should be a blend of information from human and technical sources."