Breach Notification , Business Continuity Management / Disaster Recovery , Business Email Compromise (BEC)
Entities Dealing With Email Breach, IT Systems/Phone OutageLatest Incidents Foreshadow Challenges Heading Into New Year
A Kentucky-based musculoskeletal healthcare practice on Monday began notifying nearly 107,000 individuals that their protected health information potentially had been compromised in an email hacking incident that occurred over the summer.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Meanwhile, a Missouri-based medical center on Tuesday was still dealing with "a systemwide network outage" that has been affecting its phone and computer systems since Friday.
The incidents spotlight some of the top security challenges that healthcare sector entities have been dealing with throughout 2021 and that will undoubtedly persist, if not worsen, in the new year, some experts say.
"We have seen an increase in business email compromise attacks in the last few months," says Jon Moore, chief risk officer at privacy and security consultancy Clearwater.
Also, ransomware will continue to be an issue for the healthcare sector until it is no longer profitable for the criminal organizations deploying it, he adds.
"These are sophisticated professional actors. They are reinvesting a portion of their ill-gotten gains to further mature and develop their methods and tools," he says.
Orthopaedic Practice Email Hack
In a breach report filed to Maine's attorney general on Monday, Paducah, Kentucky-based Southern Orthopaedic Associates, which does business as Orthopaedic Institute of Western Kentucky, says names and Social Security numbers were among the PHI contained in several employee email accounts that were accessed by an unauthorized actor between June 24 and July 8.
The incident was first detected on July 7 after the practice became aware of suspicious activity relating to one employee email account, OIWK says in a sample breach notification letter submitted to the Maine attorney general.
The practice's investigation determined the unauthorized actor had gained access to a company official’s email account and impersonated that official to gain access to a few other email accounts, an OIWK spokeswoman tells Information Security Media Group.
Because OIWK was unable to determine which email messages in the accounts may have been viewed by the unauthorized actor, the practice reviewed the entire contents of the affected email accounts to identify what personal information had been accessible, the notification letter says. This review was completed by Oct. 21.
"By our investigation, there is no evidence data or files were taken by the unauthorized actor. As soon as the suspicious activity was discovered, OIWK took immediate action and isolated the impacted email accounts," the spokeswoman says.
To help prevent similar data security incidents in the future, OIWK changed all employee account passwords and secured the affected accounts, she says.
"Our preventative measures are through the implementation of additional technical safeguards such as increased firewalls, dual-factor access, and also includes reviewing company policies and procedures, training and providing education to employees on how to report any suspicious activity, and providing credit monitoring services to those impacted," she says. "We revamped our entire infrastructure to prevent data security incidents in the future."
Medical Center 'Outage'
Meanwhile, on Tuesday, Capital Region Medical Center, based in Jefferson City, Missouri, was still dealing with "a systemwide network outage" that has been affecting its phone and computer systems since Friday.
CRMC on its Facebook page says it is working to remedy the situation as soon as possible. Patients commenting on CRMC's Facebook posting noted that some scheduled appointments were being kept while other visits and procedures were being postponed.
ISMG was not immediately able to contact CRMC for comment.
The CRMC IT systems and phone outage is one of many similar incidents affecting healthcare sector entities in the U.S. and elsewhere in recent days and weeks.
They include Dublin, Ireland-based Coombe Women and Infants University Hospital, which on Tuesday appeared to still be dealing with a confirmed cyberattack that struck late last week, resulting in the hospital having its IT systems "locked down" on a precautionary basis as it worked with Ireland's Health Services Executive, the country's healthcare system, to resolve the issue.
The larger HSE network also suffered a ransomware attack in May that caused more widespread IT outages for several months across the country's healthcare system.
A recent PricewaterhouseCoopers report that analyzed that incident listed a number of security shortcomings contributing to the attack.
The report also said the HSE attack began on March 18 from a malware infection on an HSE workstation as the result of a user clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user on March 16 (see: Report Dissects Conti Ransomware Attack on Ireland's HSE).
Phishing scams, social engineering schemes and business email compromise attempts have been at the heart of many large health data breaches, including other ransomware incidents involving healthcare entities, in 2021.
As of Tuesday, some 136 major health data breaches affecting 4.7 million individuals have been added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website so far in 2021.
The largest phishing incident posted on the HHS website so far in 2021 was reported on Jan. 8 by New York-based American Anesthesiology. It affected nearly 1.3 million individuals (see: Healthcare Phishing Incidents Lead to Big Breaches).
To prevent falling victim to phishing and similar scams that can lead to major breaches, training remains critical, and well as taking an enterprise risk management approach that implements the National Institute of Standards and Technology's cybersecurity framework, says regulatory attorney Rachel Rose.
"The black market value of PHI is a premium and it can be repackaged to make more money," she says.
Other investments that organizations can make to help mitigate the risk of phishing attacks include controls such as email server configuration settings and multifactor authentication, Moore says.
"There are also several types of anti-phishing tools including browser plug-ins and software solutions that monitor email for malicious links and malware. Also, solutions like endpoint detection and response can allow security professionals to identify attacks early and limit their impact."
Looking ahead to next year, other factors contributing to the growing threats and risks faced by healthcare sector entities include the ongoing pandemic, says regulatory attorney Paul Hales of Hales Law Group.
"Criminals ramped up ransomware attacks to exploit healthcare providers under siege from the COVID-19 pandemic. The attacks will grow in number and sophistication," he says.
"The pandemic is a perfect privacy and security storm. It suddenly made remote work the new reality. PHI maintained, transmitted and received by home-based workers created unforeseen HIPAA breach risks," he says.
Moore says other alarming threats include recent reports indicating that cybercriminals are engaged in the purchase of zero-day vulnerabilities to make their attacks even more likely to succeed.
Also, as health data application programming interfaces continue to roll out, it is likely that they too will become a focus of attacks, he says. "Machine learning and artificial intelligence-driven solutions are becoming more common in healthcare. There is some concern that these solutions also may become the target of attacks."
Rose says another disturbing threat is cybercriminals potentially targeting electronic health records, which can lead to adverse patient outcomes and death.