2 Healthcare Hacking Incidents Affect 310,000 Patients
Experts Urge Entities to Bolster Security Now, Before They Become Similar Victims
An Alabama medical clinic and an Indiana-based orthopedic practice have each reported hacking incidents that were discovered last fall affecting the protected health information of more than 310,000 individuals in total.
Both of the incidents were reported this week to the Maine attorney general's office, but neither has shown up as of Wednesday on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
The larger of the two hacking incidents, affecting more than 228,000 individuals, including seven Maine residents, was reported on Tuesday by Fultondale, Alabama-based Norwood Clinic, a multispecialty medical practice with 25 physicians.
The other breach, a ransomware incident affecting nearly 84,000 individuals, including six Maine residents, was reported Monday by Muncie, Indiana-based Central Indiana Orthopedics, which has seven treatment locations in Indiana.
In both cases, the entities list various measures they are taking to bolster security in the wake of those incidents, including strengthening identity and access management and authentication controls. But some experts say the breaches are the latest examples of why other entities need to take similar actions now, before they too become victims of such attacks.
"As has become typical, organizations - especially regulated ones - are quick to deliver messaging regarding how effectively they’re closing the barn door now that the horse has been stolen and sold," says Michael Hamilton, former CISO of the city of Seattle and co-founder of security firm Critical Insight.
"The fact that this cycle occurs with such frequency is a reflection of how IT security is regarded in the entirety of the private sector: It’s a large cost and does nothing for the bottom line or to promote the business," he says.
Norwood Clinic Hack
In a notification statement posted on its website, Norwood Clinic says it discovered on Oct. 22, 2021, that it had been the victim of a cyberattack that resulted in unauthorized access to data stored on servers in its network.
"Immediately after discovering the incident, Norwood took steps to secure and safely restore its systems and operations," the statement says. Norwood Clinic engaged cybersecurity experts to conduct a forensics investigation to determine the nature and scope of the incident and to assist in the remediation efforts, the statement says.
The investigation determined that an unauthorized party had gained access to Norwood Clinic's servers that stored patient information. But the investigation was unable to confirm the specific information that may have been accessed or acquired.
Norwood Clinic says information stored on the affected servers may have included patient name, contact information, date of birth, Social Security number, driver's license number, limited health information and/or health insurance policy number. The clinic says the affected information did not include any individuals' financial account information or debit or credit card numbers.
The clinic is offering 12 months of complimentary credit, identity and dark web monitoring services to all potentially affected individuals. Norwood Clinic says it "has no reason to believe that any individual’s information has been misused as a result of this event."
In the aftermath of the incident, Norwood says it has "continued to strengthen its security posture" by adding security controls, including revising email settings and policies, updating and modifying network security technical hardware, adding additional password complexity rules and instituting "additional secure login mechanisms" for all accounts.
An attorney representing Norwood Clinic did not immediately respond to Information Security Media Group's request for additional details about the data breach, including the type of hacking incident and whether ransomware was involved.
Central Indiana Orthopedics Incident
Central Indiana Orthopedics, or CIO, says in its notification statement that on Oct. 16, 2021, it discovered "unusual activity" on its network. Its forensic investigation found evidence that some CIO files had been accessed by an unauthorized actor, the statement says.
CIO in a statement tells ISMG that it discovered the incident when it experienced a ransomware attack on its environment. A ransom was not paid, CIO says.
Based on its investigation, CIO says information that may have been subject to unauthorized access includes individuals' names, addresses, Social Security numbers and limited medical information.
CIO says it has not received any reports of related identity theft since the incident, but it is offering affected individuals complimentary credit monitoring, dark web monitoring and identity theft protection services.
Like Norwood Clinic, CIO says it is taking measures to bolster security in the wake of its incident, including changing administrative credentials and restoring operations "in a safe and secure mode."
While Norwood Clinic and CIO each say they are taking a variety of actions to enhance their security following their breaches, some experts stress that many other healthcare entities need to take similar actions now, before they too fall victim to comparable cyber incidents.
"Strengthening security controls should have been on the radars of healthcare organizations for many years now," says Keith Fricke, principal consultant at privacy and security consultancy tw-Security.
Current challenges in implementing these controls include a national shortage of information security professionals and the effect that COVID-19 has had on hospital budgets and staffing, he says.
"Smaller organizations may have the mindset that 'it won’t happen to me'; criminals are less discriminate about who they attack - they look for ways to gain unauthorized access to organizations of all sizes," Fricke says.
Hamilton says organizations in the healthcare sector, such as hospitals, are already working on slim margins, which often puts a squeeze on security funding. "That cost is, for many executives, something they will neglect in order to better manage cash. This is now routinely a regrettable decision."
Kevin Gonzalez, director of security at security firm Anvilogic, says: "The unfortunate reality is that many large organizations have a lot of political red tape around implementing necessary, and fairly simple, security controls such as improved password policies and multifactor authentication, due to a fear of impacting the 'speed of business.'" Or, he says, organizations practice "optimism bias" - they think that their other security controls that don't affect users will keep away a breach, or they don't consider security at all.
Having a complex password policy or multiple forms of authentication is not in itself a silver bullet, Gonzalez says. "Security is a layered effort. The more layers of security you build into your environment, the better likelihood of preventing or detecting a potential compromise early on."
What organizations need to be doing now to fortify their security "is what they’ve been told to do all along, but now the urgency is palpable," Hamilton says.
"Line your organization up with a security framework, identify gaps in controls and develop a corrective action plan, resource the plan, and work on improvements. Then do it again. But because the geopolitical clock is ticking, an immediate focus should be response planning: Get ready to take a punch and get up off the mat," he says.
Fricke says cybercriminals have high interest in compromising computer accounts with elevated privileges. Therefore, protecting those accounts with multifactor authentication is essential, he says.
Also, regularly scanning internet-facing systems for vulnerabilities and remediating high-risk findings is critical. "We continue to see healthcare breach metrics point to compromised servers via hacking as the predominant reason breaches occur. Organizations must regularly conduct internal phishing campaigns, track click rates and provide training. Phishing is a primary vector of attack," he says.
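Fricke's advice to run internal phishing campaigns and track click rates sounds simple, but the measurement is easy to get wrong: email security gateways and link scanners fetch every URL in a message within seconds of delivery, so a naive count of landing-page hits overstates how many people actually clicked. The script below is an added example, not code from the article, from either clinic, or from tw-Security. It joins a constructed campaign roster (per-user tracking tokens) against constructed web server log lines in Combined Log Format, counts each user at most once, discards hits that look like automated pre-fetches (scanner-like user agent, or a hit within 30 seconds of the send), and reports per-department click rates. The `/verify?t=<token>` landing URL, the 30-second window and the user-agent patterns are assumptions for the illustration.

```python
"""Track click rates for an internal phishing simulation (added example).

Constructed scenario: each user was sent a mail containing a unique
tracking token in the landing URL /verify?t=<token>. The landing page
logs hits in Combined Log Format. We join the two, count each user at
most once, and drop hits that look like automated link scanners rather
than a human click, so the reported rate is not inflated.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed campaign roster: token -> (user, department, send time, ISO 8601).
ROSTER = {
    "a1f3": ("alice", "billing", "2021-10-16T09:00:00+00:00"),
    "b7c2": ("bob", "billing", "2021-10-16T09:00:02+00:00"),
    "c9d4": ("carol", "radiology", "2021-10-16T09:00:05+00:00"),
    "d0e8": ("dave", "radiology", "2021-10-16T09:00:07+00:00"),
    "e5f1": ("erin", "front-desk", "2021-10-16T09:00:09+00:00"),
}

# Constructed landing-page access log. The first two lines are a mail
# gateway pre-fetching links seconds after delivery; alice clicks twice;
# the last line is a bogus token that must be ignored.
ACCESS_LOG = """\
10.0.5.12 - - [16/Oct/2021:09:00:03 +0000] "GET /verify?t=a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; LinkScanner/2.0)"
10.0.5.12 - - [16/Oct/2021:09:00:06 +0000] "GET /verify?t=c9d4 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; LinkScanner/2.0)"
10.20.1.44 - - [16/Oct/2021:09:14:21 +0000] "GET /verify?t=a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
10.20.1.44 - - [16/Oct/2021:09:14:40 +0000] "GET /verify?t=a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
10.20.3.18 - - [16/Oct/2021:10:02:09 +0000] "GET /verify?t=d0e8 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/93.0"
10.20.7.90 - - [16/Oct/2021:11:45:00 +0000] "GET /verify?t=zzzz HTTP/1.1" 404 128 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
"""

# Combined Log Format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"[?&]t=([0-9a-f]+)")
# Assumed heuristics for automated fetches: scanner-like UA, or a hit
# suspiciously soon after the message was sent (gateway link rewriting).
SCANNER_UA = re.compile(r"(?i)scanner|bot|crawler|preview")
SCANNER_WINDOW = timedelta(seconds=30)


def parse_hits(log_text):
    """Yield (token, hit_time, user_agent) for each successful landing-page hit."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        q = TOKEN_RE.search(m.group("path"))
        if not q:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield q.group(1), ts, m.group("ua")


def is_scanner(hit_time, send_time, user_agent):
    """True if the hit looks like an automated pre-fetch, not a person."""
    return bool(SCANNER_UA.search(user_agent)) or hit_time - send_time < SCANNER_WINDOW


def clicked_users(roster, log_text):
    """Return {user: time of first human click}; repeated clicks count once."""
    clicks = {}
    for token, ts, ua in parse_hits(log_text):
        if token not in roster:
            continue  # unknown token: not part of this campaign
        user, _dept, sent = roster[token]
        if is_scanner(ts, datetime.fromisoformat(sent), ua):
            continue
        if user not in clicks or ts < clicks[user]:
            clicks[user] = ts
    return clicks


def click_rates(roster, log_text):
    """Per-department (clicked, targeted, rate), plus an "ALL" total."""
    clicks = clicked_users(roster, log_text)
    targeted, clicked = defaultdict(int), defaultdict(int)
    for user, dept, _sent in roster.values():
        targeted[dept] += 1
        if user in clicks:
            clicked[dept] += 1
    rates = {d: (clicked[d], targeted[d], clicked[d] / targeted[d]) for d in targeted}
    total_c, total_t = sum(clicked.values()), sum(targeted.values())
    rates["ALL"] = (total_c, total_t, total_c / total_t if total_t else 0.0)
    return rates


if __name__ == "__main__":
    for dept, (c, t, rate) in click_rates(ROSTER, ACCESS_LOG).items():
        print(f"{dept:<12} {c}/{t} clicked ({rate:.0%})")
```

On the constructed data the gateway's two pre-fetches are discarded, alice's duplicate click is counted once, and the unknown token is ignored, giving a 40% overall rate (2 of 5) rather than the 4 of 5 a raw hit count would suggest. Tracking the same rate across repeated campaigns is what makes the training measurable.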
The potential for critical infrastructure entities in the U.S. to become targets or inadvertent victims of possible cyberattacks related to the Ukraine-Russia war is also a critical consideration that healthcare sector organizations should keep in mind, some experts say.
For instance, government officials have warned of potential distributed denial-of-service, wiper malware and other disruptive attacks (see: Feds Warn Health Sector of Ukraine-Russia Conflict Threats).
Organizations should ask their internet service providers what DDoS prevention capabilities they have in place, Fricke says. "Same goes for any organization filtering email through a third-party service."
Hamilton says now would be a very good time for entities to modify organizational policies regarding the use of company computing equipment for personal use. "Through my own measurements and additional validating research, 40% of the compromised assets can be traced to the use of personal email. A policy of personal use on personal devices will do more to limit exposure to the 'bait' than any other control."
Fricke says that entities should also carefully review their cyber insurance policies. "In these times of conflict, insurance carriers may view cyberattacks as an act of war. Consequently, policy language may exclude coverage with respect to acts of war."