Critical Infrastructure Security
Experts: Incidents Are Among Disturbing, Evolving Cyber Trends
A public health department in Washington state and a medical specialty practice in New Jersey are among the latest healthcare entities reporting major hacking incidents affecting tens of thousands of individuals’ sensitive health information.
Chelan Douglas Health District, or CDHD, an East Wenatchee, Washington-based county health department, reported to the Washington state attorney general’s office on March 15 a 2021 cybersecurity incident affecting nearly 109,000 individuals and involving the exfiltration of personally identifiable and protected health information from its systems.
Also, New Jersey Brain and Spine, a neurology practice based in Oradell, New Jersey, reported on March 10 to the U.S. Department of Health and Human Services a November 2021 ransomware incident affecting nearly 92,000 individuals.
Some experts note that these incidents are part of continuing, troubling cybersecurity trends that could evolve or worsen, especially in light of the Russia-Ukraine war and the latest warnings of potential cyberthreats to critical infrastructure sectors, including the healthcare and public health sector.
“Ransomware against a hospital is now considered terrorism, such that records theft and denial of service are emerging as preferred extortion tactics,” says Michael Hamilton, CISO of security firm Critical Insight.
“During this time of geopolitical instability, this may bounce back the other way, and ransomware events may increase. Healthcare entities might also be affected by the cascading effects of attacks against other critical infrastructure – for example, power, water, etc.,” says Hamilton, who was previously CISO of the city of Seattle.
“Third parties are now fully in scope as a vector for compromise, and this tactic has seen increasing use and will likely proliferate.”
Chelan Douglas Health District Breach
In its breach notification statement, CDHD says it “recently” discovered an incident involving unauthorized access to its network between July 2 and July 4, 2021.
CDHD says that based on a comprehensive investigation of the incident and a review of the affected documents, it determined on Feb. 12 that certain identifiable personal information had been “removed” from its network.
Affected information potentially includes individuals’ full names, Social Security numbers, dates of birth or death, driver’s license numbers, financial account information, medical information and health insurance policy information.
To date, CDHD says it is not aware of any reports of identity fraud or improper use of any information related to the incident. Nevertheless, it is offering affected individuals one year of complimentary identity and credit monitoring services.
An attorney representing CDHD tells Information Security Media Group that the incident did not involve ransomware. But he did not disclose any other details involving the unauthorized access incident.
“Chelan Douglas Health District is committed to maintaining the privacy of personal and protected health information in its possession and has taken many precautions to safeguard it,” the attorney says.
“Chelan Douglas Health District continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal and protected health information. Specifically, Chelan Douglas District has or is in the process of implementing endpoint monitoring and enhanced password requirements,” he says.
Public Health Targets
CDHD is among the latest entities in the public health sector to have disclosed major cyber incidents in recent months, in the U.S. and elsewhere.
For instance, a hacking incident involving data exfiltration reported in January by Fort Lauderdale, Florida-based Broward Health, a public hospital system, affected the personal information of more than 1.3 million individuals.
That incident, detected in October 2021, is the largest breach posted so far in 2022 on the HHS Office for Civil Rights’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Maryland’s Department of Health in December suffered a disruptive ransomware attack that was still affecting the department’s various IT systems and applications into the earlier weeks of the new year (see: Maryland Health Department Confirms Attack Was Ransomware). So far, the Maryland Health Department has not disclosed a PHI breach associated with the attack.
Also, Ireland’s Health Service Executive – the country’s public health system – suffered a devastating Conti ransomware attack last May, which disrupted IT systems and patient services for months. The cleanup cost of the attack has so far hit $48 million but could top $110 million, HSE says (see: Ransomware Attack: Ireland’s Cleanup Costs Hit $48 Million).
Public health departments and organizations “have the same difficulties deploying and managing adequate cybersecurity controls as healthcare writ large but compounded by the fact that they’re essentially the public sector,” Hamilton says.
“Often located in rural areas, the inability to compete for professional practitioners, thin budgets, and governance by boards comprised of citizens without experience in either health or security makes them low-hanging fruit for compromise,” he says.
“The fact that they provide services that are critical to life safety and cannot weather long periods of downtime and curate high-value regulated records makes them the perfect target for theft and extortion in the minds of the threat actors.”
Keith Fricke, principal consultant at privacy and security consultancy tw-Security, offers a similar assessment.
“Public health systems can often store larger amounts of sensitive information than some small to medium-sized organizations,” he says. “Government departments can be behind in implementing security controls based on budget constraints or bureaucratic processes.”
New Jersey Brain and Spine Incident
In its breach notification statement, New Jersey Brain and Spine says that on Nov. 16, 2021, it discovered that it had been the victim of a cyberattack that resulted in the encryption of data stored on its network.
“Immediately after discovering the incident, NJBS took steps to secure and safely restore its systems and operations. … The forensics investigation revealed that this incident may have resulted in unauthorized access to patient information stored on NJBS’s systems,” the statement says.
The types of information stored on the affected systems include individuals’ names, addresses, dates of birth, email addresses, telephone numbers, Social Security numbers, financial account information, debit or credit card information, driver’s license numbers or other ID numbers, and medical information, the practice says.
The practice says it is taking additional measures to protect PHI and PII. “Since the incident, NJBS has migrated to a third party-hosted, cloud-based platform to securely store patient data, implemented two-factor authentication, installed a new server and implemented ongoing monitoring response, which tracks user activity, services and ports and coordinates logging,” the practice’s statement says.
NJBS did not immediately respond to ISMG’s request for additional details about the incident.
As attacks on healthcare and public health sector entities continue to surge, experts recommend that those organizations closely follow recent guidance from federal and industry authorities – such as the Cybersecurity and Infrastructure Security Agency, the FBI, the HHS Health Sector Cybersecurity Coordination Center and the Health Information Sharing and Analysis Center – especially as they warn critical infrastructure entities of the heightened potential cyberthreats involving the Russia-Ukraine war.
“Review resilience controls and ensure that there are pathways to returning to operational status as quickly as possible following an incident, review backup strategies, etc.,” Hamilton says.
He also says organizations should conduct or contract an assessment of their security against recognized standards, develop a corrective action plan “and submit justification for funds to improve controls – with an emphasis on network and endpoint monitoring.”
Fricke says all healthcare sector entities, including public health organizations, should ensure they are following critical security best practices, including patching systems, scanning frequently for vulnerabilities, monitoring network and system activity, conducting periodic internal phishing campaigns and requiring multifactor authentication for remote access, email access and privileged account access.
“Criminals will likely expand the tactic of encrypting each file with a different encryption key,” Fricke says, “making recovery very slow.” He also says they will continue to go after backup platforms to disable or corrupt backed-up data.