Beacon Health Is Latest Hacker Victim
Phishing Leads to Email Compromise, Exposing PHI
Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.
South Bend, Ind.-based Beacon Health System recently began notifying 220,000 patients that their protected health information was exposed as a result of phishing attacks on some employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.
The Beacon Health incident is a reminder that healthcare organizations should step up staff training about phishing threats as well as consider adopting multi-factor authentication, shifting to encrypted email and avoiding the use of email to share PHI.
"Email - or at least any confidential email - going outside the organization's local network should be encrypted. And increasingly, healthcare organizations are doing just that," says security and privacy expert Kate Borten.
Unfortunately, in cases where phishing attacks fool employees into giving up their email logon credentials, encryption is moot, she says. "Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There's no silver bullet."
At the University of Vermont Medical Center, which has seen an uptick in phishing scams in recent months, the organization has taken a number of steps to bolster security, including implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," says CISO Heather Roszkowski.
The Latest Hacker Attack
On March 26, Beacon Health's forensic team discovered the unauthorized access to the employees' email accounts while investigating a cyber-attack. On May 1, the team determined that the affected email accounts contained PHI. The last unauthorized access to any employee email account was on Jan. 26, the health system says.
"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon Health says in a statement posted on its website. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information."
The provider organization says it has reported the incident to the U.S. Department of Health and Human Services, various state regulators, and the FBI.
Hospital Patients Affected
A Beacon Health spokeswoman tells Information Security Media Group that the majority of those affected by the breach were patients of Memorial Hospital of South Bend or Elkhart General Hospital, which combined have more than 1,000 beds. The two facilities merged in 2012 to form the health system. Individuals who became patients of Beacon Health after Jan. 26 were not affected by the breach, she says.
The breach investigation is being conducted by the organization's own forensics team, the spokeswoman says.
Affected individuals are being offered one year of identity and credit monitoring.
The news about similar hacker attacks earlier this year that targeted health insurers Anthem Inc. and Premera Blue Cross prompted Beacon's forensics investigation team to "closely review" the organization's systems after discovering it was the target of a cyber-attack, the Beacon spokeswoman says.
In the wake of the incident, the organization has been bolstering its security, including making employees better aware of "the sophisticated tactics that are used by attackers," she says. That includes instructing employees to change passwords and warning staff to be careful about the websites and email attachments they click on.
The Phishing Threat
Security experts say other healthcare entities are also vulnerable to phishing.
"The important takeaway is that criminals are using fake email messages - phishing - to trick recipients into clicking links taking them to fake websites where they are prompted to provide their computer account information," says Keith Fricke, principal consultant at consulting firm tw-Security. "Consequently, the fake website captures those credentials for intended unauthorized use. Or they are tricked into opening attachments of these fake emails and the attachment infects their computer with a virus that steals their login credentials."
As for having PHI in email, that's something that, while common, is not recommended, Fricke notes. "Generally speaking, most employees of healthcare organizations do not have PHI in email. In fact, many healthcare organizations do not provide an email account to all of their clinical staff; usually managers and directors of clinical departments have email," he says. "However, for those workers that have a company-issued email account, some may choose to send and receive PHI depending on business process and business need."
Recent Hacker Attacks
As of May 28, the Beacon Health incident was not yet posted on the HHS' Office for Civil Rights' "wall of shame" of health data breaches affecting 500 or more individuals.
OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.
Other recent hacker attacks, which targeted health insurers, include:
- An attack on Anthem Inc., which affected 78.8 million individuals, and is the largest breach listed on OCR's tally.
- A cyber-assault on Premera Blue Cross announced on March 17 that resulted in a breach affecting 11 million individuals.
- An "unauthorized intrusion" on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn't discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.
But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it's not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health System affected 4.5 million individuals.
Smaller hacker attacks have also been disclosed recently by other healthcare providers, including Partners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group (see Phishing Leads to Healthcare Breach).
"Healthcare provider organizations are also big targets - [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. "Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed."
A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.
"Attacks that compromise an organization's network and systems are harder to detect these days for a few reasons," says Fricke, the consultant. "Criminals wait longer periods of time before taking action once they successfully penetrate an organization's security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack."
When criminals access a system with an authorized account, it's more difficult to detect the intrusion, Fricke notes. "Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today."
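As an added illustration of the log-triage problem Fricke describes, the following Python script is not code from Beacon Health, the experts quoted, or any vendor; it shows one way a defender can surface likely misuse of a legitimate webmail account in a large authentication log. It assumes a constructed log line format (timestamp, account, source IP, outcome) and a small constructed IP-to-country table standing in for a GeoIP database; both are assumptions for the example, and the sample log lines are constructed.

```python
"""
Flag likely credential misuse in a mail-server authentication log.

Added example, not Beacon Health's or any vendor's tooling. The log format
and the IP-to-country table below are constructed for illustration; a real
deployment would parse its own mail gateway's audit log and consult a GeoIP
database instead of a hard-coded lookup.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: ISO timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2013-11-12T08:01:10Z user=jdoe ip=203.0.113.10 result=success
2013-11-12T08:03:22Z user=asmith ip=203.0.113.11 result=success
2013-11-13T09:15:05Z user=jdoe ip=203.0.113.10 result=success
2013-11-14T02:40:00Z user=jdoe ip=198.51.100.7 result=fail
2013-11-14T02:40:30Z user=jdoe ip=198.51.100.7 result=success
2013-11-14T03:05:12Z user=jdoe ip=203.0.113.10 result=success
2013-11-15T10:00:00Z user=asmith ip=203.0.113.11 result=success
"""

# Constructed lookup standing in for a GeoIP database (assumption).
IP_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "RO",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # real logs are noisy; skip lines that do not fit the format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["result"]))
    events.sort()
    return events


def find_suspicious_logins(text, travel_window=timedelta(hours=2)):
    """Return (timestamp, user, ip, reason) for successful logins that either
    (a) come from a source IP never before seen for that account, or
    (b) follow another success for the same account from a different country
        within travel_window, a crude 'impossible travel' signal.
    Failed attempts are ignored: the page's point is that attackers log in
    with valid, phished credentials, so success events are where to look."""
    seen_ips = defaultdict(set)   # user -> IPs that have logged in before
    last_success = {}             # user -> (timestamp, country) of last success
    alerts = []
    for ts, user, ip, result in parse_log(text):
        if result != "success":
            continue
        country = IP_COUNTRY.get(ip, "??")
        reasons = []
        # The very first login for an account is treated as baseline, not an alert.
        if user in seen_ips and ip not in seen_ips[user]:
            reasons.append("new-source")
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= travel_window:
            reasons.append("country-change:%s->%s" % (prev[1], country))
        for reason in reasons:
            alerts.append((ts, user, ip, reason))
        seen_ips[user].add(ip)
        last_success[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for ts, user, ip, reason in find_suspicious_logins(SAMPLE_LOG):
        print("%s %-8s %-15s %s" % (ts.isoformat(), user, ip, reason))
```

On the constructed sample, only jdoe is flagged: once for the first login from an unseen address, and once for a login from the usual address less than half an hour after the foreign one. Neither rule is proof of compromise on its own, which is the trade-off Fricke points to: the baseline has to be tuned per account (travelling staff, VPN egress changes) or the alert volume becomes its own haystack.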
As organizations step up their security efforts in the wake of other healthcare breaches, it's likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old," he says. "But the alternative - keeping your head in the sand - can lead to far worse results for patients and the organization."
However, as more of these delayed-detection incidents are discovered, "regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier," he warns.
Accordingly, organizations should consider if there were reasonable issues that led to any delays in identifying or correcting any security lapses and maintain any related documentation supporting the cause of any delays, he suggests.
"Hindsight is 20-20, and it is always easy for regulators to question why more wasn't done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects," Greene says.