A Tale of 3 Breaches: Incident Response ChallengesRecent Healthcare Incidents Spotlight Problems That May Worsen Amid COVID-19 Crisis
Three recently disclosed health data security incidents - including the discovery of a large email hack that happened nearly a year ago - serve as reminders of the ongoing incident response challenges facing healthcare organizations.
A 2019 email hacking incident that affected 112,000 individuals was disclosed last week by Dearborn, Michigan-based Beaumont Health. Also recently reported were: a February ransomware attack on Wilmington, Del.-based substance abuse treatment provider Brandywine Counseling and Community Services that affected clinical records of an undisclosed number of patients, and a phishing scam impacting more than 27,000 patients and employees of Wisconsin-based Advocate Aurora Health.
The COVID-19 crisis is likely to make it even more difficult for healthcare organizations to respond to security incidents, some observers say.
”As long as COVID-19 drives IT activities in supporting remote workers and setting up patient triage tents with access to technology infrastructure, IT may have difficulty monitoring network activity for anomalous events unless a security operations center is in place to monitor around the clock, along with centralized log event management that can automate detection of and alerting on activities of concern,” notes Keith Fricke, principal consultant at tw-Security.
In an April 17 statement, Beaumont Health says that on March 29, after an extensive forensic investigation and comprehensive manual document review, it discovered that one or more employee email accounts accessed by an unauthorized third-party between May 23 and June 3, 2019, contained information about thousands of individuals.
”Our investigation was unable to determine definitively if any information was actually acquired by the unauthorized third party, and Beaumont has no knowledge of any inappropriate or misuse of any data,” the statement says.
”Beaumont’s electronic medical record system was not impacted by this incident and remains secure. However, out of an abundance of caution, we are issuing notices to anyone whose information may have been contained in the accessed accounts.”
The accessed email accounts contained patient information that included name, date of birth, diagnosis, diagnosis code, procedure, treatment location, treatment type, prescription information, Beaumont patient account number, and Beaumont medical record number, the statement notes. In addition, a limited number of individuals’ Social Security numbers, financial account information, health insurance information, and driver's license or state identification numbers were also contained in the exposed email accounts.
Beaumont did not immediately respond to an Information Security Media Group request for additional information about the incident, including an explanation of the lag in discovering the breach.
The Beaumont email hack was posted Tuesday on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Beaumont notes in its statement that it has taken steps “to improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future, including implementing additional technical safeguards and providing additional training and education to Beaumont employees on identification and handling of malicious emails.”
Brandywine Counseling Attack
Meanwhile,Brandywine Counseling and Community Services, which provides mental health and substance addiction services, is dealing with the aftermath of a recent ransomware attack that exposed some patients’ sensitive information.
In an April 10 statement, Brandywine Counseling said that on Feb. 10, it discovered that some of its servers were infected with ransomware.
”We immediately took steps to secure our network, contacted law enforcement, began an investigation, and an experienced computer forensic firm was hired to assist,” Brandywine Counseling says in its statement.
”During the investigation, we determined that during the incident, a limited amount of personal information was acquired from our systems, which included some clients’ names, addresses, dates of birth, and/or limited clinical information, such as provider names, diagnosis, prescriptions, and/or treatment information,” the statement says. “In some instances, clients’ health insurance information, Social Security numbers and/or driver’s license numbers were also included.”
Brandywine Counseling did not immediately respond to ISMG’s request for additional information about the incident, including the type of ransomware attack, whether the entity paid a ransom, and the number of individuals affected.
As of Tuesday, the Brandywine Counseling breach was not yet on the HHS breach reporting website.
Advocate Aurora Health Incident
Among recent breaches posted on the HHS website is a hacking/IT incident reported on April 16 by Advocate Aurora Health as involving email and a network server and impacting more than 27,000 individuals.
In an April 17 statement, the Wisconsin-based provider says that on or about Jan. 1, 2020, an unauthorized individual used an email phishing campaign to gain access to the email credentials of several employees at Aurora Medical Center - Bay Area.
”Advocate Aurora learned of this intrusion on or about Jan. 9, 2020, and promptly initiated an internal investigation,” the statement notes. The intruder may have accessed without authorization the emails of certain employees from Jan. 1-9.
Advocate Aurora’s review of these email accounts determined that the personal and/or health information of certain Aurora Medical Center - Bay Area patients may have been included in accessible email messages.
The intruder apparently accessed a human resources system.
Information exposed as a result of the email access includes patient name; marital status; date of birth; street address, email address and phone number; dates of admission, discharge or treatment information; Social Security number; medical record number; health insurance account numbers; medical device numbers; driver’s license number; passport number; bank or financial account numbers and full face photographs.
”As of this date, Advocate Aurora is not aware of any improper use of any of the patient information,” the organization states.
Advocate Aurora says it launched an internal investigation and notified federal and state law enforcement about the incident. It says it’s also taken steps to enhance information security, including changing the credentials for affected Aurora Medical Center - Bay Area employee accounts. Plus, it has made other technical system enhancements, including adding email filtering software to help the workforce identify potential phishing emails, the statement notes.
Incident Response Challenges
Clyde Hewitt, executive adviser at security consulting firm CynergisTek, says the healthcare sector’s incident response challenges will grow during the COVID-19 response.
”The vast majority of incident response plans developed prior to COVID-19 were never envisioned to be performed with a remote workforce,” he notes.
”The expectation of rapid communications that occurs in a command center has been disrupted. Conference bridges have replaced massively parallel conversations, so reaction times are extended. Access to controls now requires VPN access and speed limitations that come with home internet connections. The supporting vendor community is also constrained by a remote workforce and stretched because of the increased pace of attacks. All of this is a recipe for delayed detection, delayed response - which leads to more widespread damage - and ultimately delayed reporting.”
Battling Email Breaches
Fricke says healthcare organizations can potentially speed up detection of email-related breaches by taking several key steps.
For example, IT staff should checking email client rules when users submit trouble tickets to the help desk. “Some criminal activities involving compromise of email accounts may include altering email rules, such as auto forwarding messages to an external account,” he notes.
Another critical step, he says, is to require employees to use multi-factor authentication to access email.
It’s also important to avoid underestimating the importance of strong security for cloud-based email systems.
“The general perception was that a cloud email platform was safe provided you routinely changed your simple password,” he says. “In reality, the exponential rise in phishing emails caused the house of cards to fall. One click and entire mailboxes were exposed to hackers.”
Fricke of tw-Security offers other suggestions.
“It is really important for organizations to conduct internal phishing campaigns to test the susceptibility of the workforce to phishing attacks and provide the necessary follow up training,” he says.
And now that more ransomware attacks involve exfiltrating data, he says, it’s important to use SSL inspection on some outbound communications to “help detect covert channels that may be used by criminals to exfiltrate data.”