As the healthcare industry continues to provide life-saving services with the most advanced technologies, cyber threat actors continue to look for opportunities to exploit the vulnerabilities that are associated with these changes. Organizations that lack network protection may find themselves the victim of healthcare data breaches.
In our webinar, Medicus IT (your healthcare IT solutions specialists) invited IT healthcare experts to review and discuss an actual cyber-attack. Tim Hebert, CRO at Medicus IT, Steve Losefsky, COO at Medicus IT, Gary Salman, CEO at Black Talon Security, and Brian Heun, Partner at KMRD Partners, broke down the details of the case, explored the reality of recent healthcare data breaches, identified the issues, and highlighted the key lessons learned from the incident.
The black market value of medical records stands at $250 on average, and patient medical records can sell for $1,000 on the dark web. Why are healthcare records so valuable? Healthcare records contain ample amounts of sensitive data or personally identifiable information that cannot be easily changed.
When a person’s credit card gets stolen, it simply gets canceled and replaced, preventing any further risk. With healthcare information, different forms of personal information can be taken and there are multiple uses for this data. For example, it can be used to create false identities, commit healthcare fraud, illegally purchase prescriptions, get access to medical equipment, or commit tax fraud. The many options make healthcare data valuable to cybercriminals and data breaches in healthcare more prevalent than most organizations realize.
[Figure: Top 5 HPH Victim Sectors Impacted by Ransomware Globally, 2021. Source: Health and Human Services Department]
It’s easy to assume that cyber criminals will only go after the big hospitals that have large databases of patient records and plenty of money to pay a ransom. However, the reality is that smaller organizations are being hit too. Hackers don’t hunt for specific victims. They are essentially casting a wide net and scouring for any healthcare organization with vulnerabilities in its network. If they stumble upon a healthcare entity, regardless of size, whose network is improperly exposed, they’re going to target it and hit it.
Gary Salman, CEO at Black Talon Security, says, “When we see them going after these entities, we see them as an accidental hit. When they realize it’s a healthcare entity they’ve come across, the alarms go off in those hacking groups because they realize the payout. They understand the healthcare laws in the US, and they know almost all healthcare entities that are victims of these attacks will pay the ransom.”
The victim is identified as a multi-provider healthcare facility and surgical center with 75 workstations and 12 servers, onsite EMR software, an onsite email server, and 44,000 patient records.
The initial entry into the network occurred during business hours. In many cases, there are alerts that go off at the managed service provider or IT company. In other cases, there are no indicators. It depends on the quality of the managed service provider and the tools that they’ve deployed in the environment.
In this case, Medicus IT had tools that alerted end users. Medicus IT helped to quickly minimize the damage. Forensics was brought in to analyze the crime scene – similar to a detective or FBI agent arriving at a crime scene to gather evidence as quickly as possible. Because the victim is a healthcare entity and there are stringent state and federal laws that need to be followed, it is necessary to check first if patient data was accessed or stolen.
It was determined that the healthcare entity was hit by a group known as Hello Kitty, which was carrying out a triple-threat extortion. Its methods include encrypting the data, stealing the data, posting the data on the dark web, and sending the link back to the victim (if the healthcare entity refuses to pay). By sending the link, the hackers show evidence that they have the medical records and are ready to share them publicly.
A user’s account was compromised (most likely an employee fell victim to a phishing email), which means the hackers were literally punching that user’s username and password into the network. Without the necessary technology to block the hackers, the system became vulnerable to attack.
Thankfully, the company had recoverable backups available, which helped facilitate recovery. However, like any other healthcare entity, they had to pay the ransom to have the stolen data destroyed and prevent it from being published.
Initial:
Ongoing:
Lessons Learned:
The right healthcare managed services provider can strengthen your health IT operations and security with a scalable strategic plan to help your practice successfully and safely navigate the future. Contact us today to ensure you are protected.