Cyberattack Exposes PHI in Email Accounts
Meanwhile, Regulators Issue Alert on Advanced Persistent Threats
Navicent Health, a Macon, Georgia-based healthcare system, has revealed that after more than six months of study, it has determined that a cyberattack last year exposed the protected health information of more than 278,000 individuals.
Meanwhile, federal healthcare regulators have issued an alert about advanced persistent threats.
Delay in Quantifying the Impact
In a statement, Navicent Health says the cyberattack was detected last July, but the organization didn't determine until Jan. 24, with help from outside security forensics firms, that PHI was accessible in the email accounts that were hacked.
Navicent reported the incident to the Department of Health and Human Services on March 22, according to HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.
As of Friday, the Navicent Health incident is the fourth largest health data breach added to the federal tally so far in 2019. Eight of the 10 largest breaches posted on the OCR website so far in 2019 are listed as hacking/IT incidents (see: Tracking Common Causes of Recent Health Data Breaches).
Details From Breach Notification
Navicent Health's breach notification statement says data contained in the hacked email accounts included individuals' names, dates of birth, addresses and limited medical information, such as billing and appointment information. The accounts also contained the Social Security numbers of some individuals.
In a statement to ISMG, Navicent Health says that upon learning of the incident, it deleted impacted account credentials to prevent further access. "We also notified law enforcement and retained leading forensic security firms to investigate and conduct a comprehensive search for any personal information on the impacted email accounts."
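The "comprehensive search for any personal information on the impacted email accounts" is the step that decides who must be notified, and it is also the step that took Navicent six months. The following is an added example, not Navicent's or its forensics firms' tooling, of how such a scoping search is typically started: messages from the compromised mailboxes are scanned for the identifier types the notification lists (Social Security numbers, dates of birth), and structurally impossible SSNs are rejected so that ticket numbers and placeholders do not inflate the count. The three messages are constructed sample data, and the `example.invalid` addresses and the SSN are illustrative, not real.

```python
import re
from email import message_from_string

# Constructed sample mailbox content (not real data): one message with a DOB,
# one with an SSN, and one benign message containing SSN-shaped strings that
# fail structural validation.
SAMPLE_MESSAGES = [
    """From: billing@example.invalid
To: intake@example.invalid
Subject: Account 44019 statement

Patient: Jane Q. Public
DOB: 04/12/1961
Balance due for 03/14 visit: $120.00
""",
    """From: scheduling@example.invalid
To: frontdesk@example.invalid
Subject: Registration

Name: John Sample  SSN: 078-05-1120  Address: 12 Elm St
""",
    """From: it@example.invalid
To: staff@example.invalid
Subject: Password policy reminder

Please rotate your password every 90 days.
Ticket 000-12-3456 and extension 666-01-2345 are not SSNs.
""",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE
)


def is_plausible_ssn(area, group, serial):
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from IDs and placeholders."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_identifiers(text):
    """Return a dict of identifier type -> list of matches found in text."""
    found = {}
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]
    if ssns:
        found["ssn"] = ssns
    dobs = DOB_RE.findall(text)
    if dobs:
        found["dob"] = dobs
    return found


def message_body(msg):
    """Extract plain text from a parsed email, joining text/plain parts if multipart."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
        return "\n".join(parts)
    return msg.get_payload()


def scan_mailbox(raw_messages):
    """Scan each raw RFC 822 message; report only those containing identifiers."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        found = find_identifiers(message_body(msg))
        if found:
            results.append({"subject": msg["Subject"], "identifiers": found})
    return results


def summarize(results):
    """Aggregate counts used to size the notification population."""
    counts = {"messages_with_phi": len(results), "ssn": 0, "dob": 0}
    for r in results:
        for kind in ("ssn", "dob"):
            counts[kind] += len(r["identifiers"].get(kind, []))
    return counts


if __name__ == "__main__":
    hits = scan_mailbox(SAMPLE_MESSAGES)
    for h in hits:
        print(h["subject"], "->", h["identifiers"])
    print(summarize(hits))
```

Pattern matching of this kind only establishes what was accessible in the mailboxes; as Navicent's statement says, it cannot determine whether the intruder actually viewed or acquired any of it. A real scoping effort also has to open attachments and de-duplicate individuals across messages, which is where much of the time goes.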
Navicent says the incident had no impact on the organization's computer networks or electronic medical record systems.
"At this point, we do not know for certain if any personal information was ever viewed or acquired by the unauthorized party, and we are not aware of any instances of fraud or identity theft as a result of this incident."
Navicent adds that it is taking steps to enhance security, including additional platforms for staff education and a review of technical controls.
Meanwhile, OCR this week issued a cybersecurity alert to covered entities and business associates warning of cyberattacks involving advanced persistent threats, including zero-day exploits.
While Navicent Health did not immediately respond to an Information Security Media Group request for additional details about its cyberattack, including whether it was a victim of an APT, the alert from OCR warns of the serious risks involved with such threats.
"These exploits are especially dangerous because their novel nature makes them more difficult to detect and contain than standard hacking attacks," OCR writes. "The possibility of such an attack emphasizes the importance of an organization's overall security management process, which includes monitoring of anti-virus or cybersecurity software for detection of suspicious files or activity."
OCR notes that zero-day exploits have been implicated in attacks on the healthcare sector, including the WannaCry ransomware attack in 2017.
The zero-day exploit EternalBlue targeted vulnerabilities in several Microsoft operating systems, OCR notes. "Soon after the EternalBlue exploit became publicly known, the WannaCry ransomware was released and began spreading, eventually infecting hundreds of thousands of computers around the world," OCR says.
The damages due to WannaCry infections are estimated to be in the billions of dollars, OCR says. Analysis of WannaCry found that it used EternalBlue to spread and infect other systems. While the United Kingdom's National Health Service, which had up to 70,000 devices infected, was among the organizations most impacted by WannaCry, several HIPAA covered entities and business associates in the United States were also affected, OCR writes.
Easier Methods for Attacks
APTs are indeed cause for concern, but so are the other more common means of attack, says former healthcare CISO Mark Johnson of the consulting firm LBMC Information Security.
"APTs are hard to execute and even harder to detect," Johnson notes. "There are far easier ways to get into healthcare technical infrastructures other than these difficult attacks. In our proactive work with our clients, we are virtually assured of getting into an environment if they are not using multifactor authentication, regardless of how robust their patching and vulnerability management program is."
While all sectors need to be concerned about APTs, healthcare is a top target for these types of attacks, says former healthcare CIO David Finn, executive vice president at security consulting firm CynergisTek.
"Healthcare data is a high value target, and healthcare continues to lag in providing adequate security. On top of that, healthcare still runs on a lot of legacy systems and operating systems that may be unpatched or be unable to be patched. Once they've got a foot in the door, hackers can use more advanced malware, an APT, for example, to get on the network and that will lead to access to the medical and demographic data, which is exactly the treasure they were hunting."
Overall, zero-day attacks are down compared with other types of cyberattacks, including targeted attacks, especially spear-phishing, Finn notes.
Zero-day attacks "have gotten too expensive for the bad guys, particularly when you can use the tools already in use that target PowerShell or Microsoft Office or plain old email," he says. "There is little doubt that the delivery mechanism for the more sophisticated malware, like APTs, is email. Just about half of the malicious email attachments are Office files."
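Since Finn's point is that email-borne Office documents, not zero-days, are the usual delivery mechanism, the following added example (not code from the article or from any firm quoted in it) shows the first triage a mail gateway or incident responder applies to an attachment: identify Office files by their bytes rather than their extension, and flag OOXML documents that carry a VBA project (`vbaProject.bin`) regardless of whether the file is named `.docm` or has been renamed to `.docx`. The `build_ooxml` helper fabricates minimal zip containers for the demonstration; they are constructed test inputs, not real Word documents, and the category labels are this example's own.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file (Office 97-2003 .doc/.xls/.ppt).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OFFICE_EXTENSIONS = MACRO_EXTENSIONS | {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx"}


def build_ooxml(with_vba):
    """Constructed minimal OOXML-style zip for testing; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def extension_of(filename):
    name = filename.lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def classify_attachment(filename, data):
    """Classify by content first, then by name. Categories (this example's own):
    office-macro   OOXML with an embedded VBA project, or a macro-enabled extension
    office         OOXML without a VBA project
    office-legacy  OLE2 binary format; macro presence needs an OLE parser, so escalate
    office-mismatch extension claims Office but the bytes do not
    not-office     anything else"""
    ext = extension_of(filename)
    if data.startswith(OLE_MAGIC):
        return "office-legacy"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "not-office"
        if "[Content_Types].xml" not in names:
            return "not-office"  # a zip, but not an OOXML package
        if any(n.endswith("vbaProject.bin") for n in names) or ext in MACRO_EXTENSIONS:
            return "office-macro"
        return "office"
    if ext in OFFICE_EXTENSIONS:
        return "office-mismatch"
    return "not-office"


def triage(attachments):
    """Count attachments per category for a batch of (filename, bytes) pairs."""
    counts = {}
    for filename, data in attachments:
        category = classify_attachment(filename, data)
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample batch: a clean document, a macro document renamed to
    # .docx, a legacy .doc header, a text file, and a mislabelled "document".
    batch = [
        ("invoice.docx", build_ooxml(False)),
        ("invoice_final.docx", build_ooxml(True)),
        ("old_letter.doc", OLE_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text"),
        ("report.docx", b"not really a document"),
    ]
    for name, data in batch:
        print(name, "->", classify_attachment(name, data))
    print(triage(batch))
```

The check is deliberately conservative: a VBA project is not proof of malice, and a legacy OLE file is escalated rather than cleared, because macros inside the binary format cannot be found with a zip listing. Office files without macros can still carry DDE fields, embedded objects or external template links, so this belongs in front of, not instead of, sandbox detonation.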