Malware Leads to Health Data Breach
Patients at University of Washington Medicine Affected
UW Medicine operates or owns four hospitals and medical centers in Washington state, as well as several outpatient clinics and physician practices and a medical school.
Security experts say the incident highlights the need for healthcare organizations to stay vigilant in guarding against malware. That includes educating their workforces about the risks of phishing attacks, keeping anti-malware software updated and protecting device endpoints.
If the details of the breach are confirmed by the Department of Health and Human Services' Office for Civil Rights, the UW Medicine case would be one of the five largest 2013 incidents so far.
The breach occurred in early October when a UW Medicine employee opened an e-mail attachment containing the malicious software, says a Nov. 27 statement posted on UW Medicine's website. "The malware took control of the computer, which had patient data stored on it," the notice states.
Based on the results of an internal investigation, UW Medicine says it believes that patient information was not sought or targeted. "However, the malware accessed the data files of roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients," the notice states.
The healthcare provider says affected patient data may have included: names, medical record numbers, addresses, phone numbers, Social Security numbers or Medicare numbers, dates of birth, dates of service, and charge amounts for services received.
"UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity," the statement says.
UW Medicine notified the FBI about the incident. It also alerted affected patients that they may be contacted by the FBI as part of its investigation.
In the wake of the incident, UW Medicine says it's implemented "a review, training and outreach effort."
Affected patients are receiving direct mail correspondence from UW Medicine, and security vendor ID Experts is managing a call center on behalf of the healthcare provider.
UW Medicine did not reply to a request from Information Security Media Group for comment.
As of Dec. 3, there have been about 120 major breaches affecting a total of 5.7 million individuals confirmed in 2013, according to the HHS Office for Civil Rights' "wall of shame" website, which does not yet include the University of Washington incident. A total of 720 breaches affecting 27.8 million have been added to the list since September 2009, when OCR began keeping tally of major breaches (see Breach Trend: Fewer Business Associates).
The largest breaches in 2013 posted on the OCR site are:
- A breach involving the theft of four unencrypted desktop computers from an office of Advocate Medical Group, a Chicago-area physician group practice. That breach, which the federal tally lists as affecting more than 4 million individuals, has resulted in a class action lawsuit.
- A breach at AHMC Healthcare involving two unencrypted laptop computers stolen from the company's administrative offices in California. That breach impacted 729,000 individuals.
- An incident at Texas Health Harris Methodist Hospital Fort Worth involving decades-old microfiche medical records that were slated for destruction, but were instead found intact in a public dumpster in a park. The breach affected 277,000 patients.
- A case at the Indiana Family and Social Services Administration impacting 188,000 clients whose personal information was inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate.
Under the Radar
While malware and hacking are relatively uncommon causes of the large breaches reported to federal authorities, some security experts believe the problem is more prevalent than many people realize.
"Malicious software plays a huge role in healthcare data breaches; the scary part is that the healthcare industry often doesn't detect them for long periods of time," says David Kennedy, founder and principal at security consulting firm TrustedSec LLC.
Kennedy says the UW Medicine incident sounds like a typical phishing attack, where unsuspecting users open infected files.
"E-mails with malicious software are an extremely common practice right now, and it's very easy to target individuals in making things look believable. This is another case of how successful these types of attacks can be," he says.
"As an attacker, typically I can send an e-mail to a few individuals, hack their computers and stay under the radar for several months or even years in order to gain sensitive information. This is an alarming trend as most of the healthcare industry is behind the curve by several years when it comes to protecting information and security."
Steps to Take
Experts urge organizations to be aggressive in guarding against malware. That includes implementing workforce awareness programs and taking other steps to protect data.
"Although users have learned to be more leery of malware, they can still be tricked into downloading e-mail attachments and clicking links to malicious websites," notes independent security consultant Brian Evans. "Be sure to provide continuing user awareness and training that includes guarding against, detecting and reporting malware," he says.
"Organizations can encourage employees to practice good computer security at home as well. Policies forbidding work on home computers or personal devices are not enforceable. Malware problem areas include mobile devices whose protection is typically not adequate and thus can introduce malware when connecting to the corporate network," Evans says. "Organizations should offer protection for their employees' home computers and personal devices as a means to reduce this malware risk."
Kennedy, the consultant, says healthcare organizations also need to protect endpoints, ensuring that there are adequate controls in place. "In most cases, malware can do anything from extracting all personal information from the computer to completely hacking other systems and using the compromised machine as a pivot to the rest of the internal networks."
Also, Kennedy urges organizations to "work on additional controls in protecting against browser and e-mail exploitation. A free Microsoft tool, called the Enhanced Mitigation and Experience Toolkit should be deployed as a corporate standard for any healthcare organization. Additionally, work on multiple layers of defense."
Similarly, Evans says organizations can reduce their malware risks by deploying layered defenses at the host, network perimeter and application levels. "Some of the fundamental steps organizations can take to better protect against malware include hardening operating systems, segmenting their networks, patching vulnerabilities promptly, filtering content for malware, deploying monitoring solutions and bolstering staff to increase malware analysis," he says.
"Gains can also be made by reducing the tendency to reuse weak passwords across multiple sites and devices."
Unfortunately, however, "even a layered defense can't eliminate all malware risks," Evans stresses. "So, organizations should continually enhance their security incident response and forensic capabilities as well."