Phishing, Ransomware Attacks Continue to Menace Healthcare
Arizona Cancer Center a Recent Victim of Major Phishing Attack
As the year winds down, phishing and ransomware attacks continue to plague the healthcare sector, as illustrated by recent breach reports.
For example, Cancer Treatment Centers of America at Western Regional Medical Center in Phoenix recently reported to federal regulators a phishing-related breach impacting nearly 42,000 individuals. In another recent breach tied to phishing, Georgia Spine and Orthopaedics of Atlanta reported an incident affecting 7,000 patients.
Among the healthcare organizations that have been victims of recent ransomware attacks are Des Plaines, Illinois-based Center for Vitreo-Retinal Diseases and Thundermist Health Center in Woonsocket, Rhode Island.
Ransomware and phishing attacks will continue to plague the healthcare sector as cybercriminals continue to refine their tactics, security experts say.
Regarding phishing attacks, Kate Borten, president of privacy and security consulting firm, The Marblehead Group, notes: "The bad guys are improving their techniques and attacks are becoming more sophisticated. And people will always be the weakest link in our security chain protecting confidential information."
Meanwhile, ransomware attacks will persist because they're lucrative for cybercriminals, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Cybercrooks are going to increase the ways in which they can use ransomware, or any other revenue-generating tool, to increase their money they are raking in," she says. "With more pathways being created through new types of technologies and endpoints, there will be more targets for ransomware attacks."
Ron Pelletier, founder of Pondurance, a cybersecurity services provider, offers a similar perspective: "As long as bad actors have an exploit path, they will continue to leverage ransomware."
CTCA, which has cancer treatment facilities in several states, says in a statement that the Arizona incident, discovered on Sept. 26, involved a phishing attack on an employee's email account resulting in potential unauthorized access to data for "a brief period" on May 2.
An investigation into the incident found that the employee provided network log-in credentials in response to a fraudulent email that appeared to come from a CTCA executive, the company reports.
"The investigation further confirmed that, within hours of the phishing attack, the employee's password had been changed at the direction of the CTCA information technology department, after which the compromised credentials could no longer be used to access the email account," the statement says.
Although CTCA says it's unable to determine whether the unauthorized user actually accessed any personal information, potentially compromised data includes patient names, addresses, dates of birth, email addresses, phone numbers and/or medical information, such as medical record numbers, treatment dates, physician names, cancer type and health insurance information.
For "a very small number" of patients the information also included Social Security numbers, the company states.
CTCA is offering 12 months of free credit monitoring and identity protection to patients whose Social Security numbers were exposed. And the company says it's providing "additional education" to its workforce in the wake of the attack.
In the other recent phishing incident, Georgia Spine and Orthopaedics of Atlanta reports that an attacker gained access to an employee's email account, but that access was promptly terminated.
"We also engaged outside technical and legal experts to investigate the incident thoroughly to determine the full nature and scope of the access, to ensure our information technology systems are truly secure and to identify - through a very tedious technical assessment and hand document review process - the exact emails that were actually accessed by the third party," the Georgia practice notes in a statement.
The analysis determined that the unauthorized access occurred on July 11, the practice says.
"Because of the way the email account was accessed, a desk copy of certain emails was potentially saved onto the computer of the unauthorized third party - likely unintentionally, but we had to assume that the third party retained a copy of that data," the statement says. "As such, we searched the emails to determine whether sensitive data was located within any of the emails that were potentially saved. Individual emails were then hand reviewed to obtain names and mailing addresses" for notification.
Richard Conti, information security specialist at the Children's Hospital of Philadelphia, says fighting against phishing attacks is a major challenge for many organizations.
"Having tools in place to filter out [phishing emails] ... and education within the enterprise makes a big difference" in fighting these social engineering attacks, he says in a recent interview with ISMG. "Teaching people to recognize some kind of phishing attack, and report it so that [the entity] can investigate and react quickly is important."
Borten notes that more healthcare organizations are supplementing their workforce training with repeated simulated phishing attacks.
These simulations, she says, "are an excellent way to bring home the message to employees, including identifying who passed and who failed the test. ... Not only does this training and awareness help the organization, but it teaches people good security practices in their personal lives."
In one of the most recent reports of a ransomware attack, the Center for Vitreo-Retinal Diseases reported an incident that potentially exposed data for nearly 20,400 individuals on a network server.
In a Nov. 16 statement, the center notes that on Sept. 18, it discovered that its servers had been impacted in a ransomware attack. "The investigation determined that an unknown, unauthorized third party may have gained access to our servers and could have viewed or accessed patient records, including names, addresses, phone numbers, dates of birth, insurance information, health information, and for Medicare patients, Social Security numbers," the statement says.
Also recently notifying patients of a ransomware attack was Thundermist Health Center. In a statement, the community health center says neither patient nor employee data was compromised in the Nov. 29 attack. But it launched its "emergency plan" and cancelled appointments "that could not be completed without access to our electronic medical record" system.
A Thundermist spokeswoman tells Information Security Media Group that it was able to use backups to mitigate the ransomware attack and regain use of its records system by Nov. 30.
Keeping backup data up to date - and offline - is critical to a quick recovery in case of a ransomware attack.
"End-user awareness and improved practices around backup and recovery are improving, which is helping to lower the risk of being exploited by a ransomware attack," says independent security consultant Vito Sardanopoli, a former healthcare CISO.
"However, many healthcare organizations, such as small to mid-sized hospitals and health systems, have older legacy networks and systems that may be more vulnerable to such attacks. Hackers are aware of this vulnerability and will continue to try to exploit it, ultimately for financial gain."