A Tale of 2 Health Data Breaches: Persistent Challenges
Protecting Legacy Systems, Email Proves Difficult for Many
Two recently reported health data breaches illustrate persistent security challenges - defending against ransomware attacks as well as unauthorized access to email - that sometimes can expose years' worth of data.
On June 8, Rangely District Hospital in Eagle Crest Drive, Colorado, reported that an April ransomware attack prevented it from accessing patient files in a legacy Meditech database. Proprietary software that the hospital uses to view those files was infected by the ransomware, preventing the hospital from accessing some of the medical records that were entered in the database between August 2012 and August 2017.
The other recent breach was reported on June 12 by Miami, Florida-based Cano Health, which operates primary care centers and pharmacies in Florida that specialize in care for older adults. Cano Health says on April 13, it learned that three employee email accounts were "accessed by an unknown perpetrator, and that messages from these accounts may have been forwarded to an outside email account without its knowledge."
Cano Health's investigation "was unable to determine an exact date, but it believes the unauthorized access may have occurred between May 18, 2018 and April 13, 2020."
As of Monday, the Rangely District Hospital and Cano Health incidents were not yet posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
To help protect legacy information systems, security experts advise healthcare organizations to ensure decommissioned systems are included in their security risk management programs. And to improve detection of email breaches, they recommend deploying behavioral analytics tools.
Hospital Incident Details
In its statement, RDH says it did not pay any ransom. "The hospital has been able to recover many files from backups and other sources that were not impacted by the ransomware. There is no indication that any files with personal health information were exported or viewed by any unauthorized person as a result of the incident," the hospital states.
"However, some electronic records are unavailable or have not been recovered," RDH says. In addition to not being able to view legacy Meditech patient files, RDH says it lost access to certain records for patients who received home health services between June 2019 and April 9, 2020.
RDH says it's continuing to work on options to restore access to files in a previous Meditech database that RDH stopped using in August 2017.
The hospital says a forensics analysis determined that a foreign threat actor first gained access on April 2 and then launched the ransomware in RDH's network on April 9.
The investigation determined that the ransomware incident apparently did not result in viewing or exporting of files containing any patients' health information. RDH has not identified the hackers, but has reported the incident to local and federal law enforcement officials.
RDH is offering affected individuals one year of free identity theft protection services.
The hospital says it has taken immediate steps to enhance its security, including making changes to how its network may be remotely accessed and promptly implementing password changes on all its authorized user accounts. It has also purchased cybersecurity monitoring services.
Cano Health Breach Details
In its statement, Cano Health says that when it learned on April 13 that three employee email accounts were accessed without authorization, it secured the accounts and launched an investigation.
The information in the compromised email accounts included patient names, dates of birth, contact information, healthcare information, insurance information, Social Security numbers, government identification numbers and/or financial account numbers, Cano Health says.
Although Cano Health cannot confirm that any emails were inappropriately accessed, it says it's notifying all potentially affected individuals.
The organization says it's cooperating with law enforcement officials and working to identify ways to strengthen data security. It's offering free credit monitoring services to those impacted, but it did not indicate for how long.
Keeping legacy information systems secure from ransomware attacks, as in the RDH breach, and other intrusions is an ongoing challenge, says Tom Walsh, president of consulting firm tw-Security.
"Retired legacy systems normally have limited access and are no longer considered a critical application," Walsh says. "Therefore, the tendency, sometimes, is to 'let your guard down,' especially when it comes to backups, because the data isn't changing."
Former healthcare CIO David Finn, executive vice president at security and privacy consultancy CynergisTek, offers a similar assessment.
"Organizations that archive data from legacy systems that are being replaced frequently lose sight of the risks surrounding that data," he says. "I hate to say it, but the old adage, 'out of sight, out of mind' can be a dangerous enemy. The data is still protected under law and should have the same level of protection as any 'active' protected health information," Finn says.
A risk assessment should also be part of de-commissioning systems or moving data to other retrieval processes, he stresses.
"Too often, legacy systems and old proprietary software are overlooked. In some cases, the applications won't run on new operating systems or support updated utilities on those operating systems. More frequently, no updates or patches are being released for those legacy systems or end-of-life software," he says.
Because security patches may not be available for legacy systems, IT departments should protect these systems by implementing compensating controls, such as network segmentation, additional firewalls or access control lists on network ports to which legacy systems are connected, Walsh advises.
Catching Email Breaches
Finn says email breaches, such as the Cano Health incident, often go undetected for extended periods of time.
"This is particularly difficult if someone is using stolen credentials from an authorized user," he says. "You will not likely ever stop this completely - and if it looks like a legitimate user, security is not going to alert to this unless the account is doing things that this user has never done or shouldn't be doing."
Finn suggests that user behavior analytics can be helpful in detecting unusual email activity. "Having monitoring tools, though, implies you have people being alerted and acting on that information," he cautions.
A lack of sufficient audit logging capabilities in an email system can also lead to delays in breach detection, Walsh notes.
"Organizations may find this out the hard way - when they are investigating a breach," he says. "Audit logging may record transactions, such as when a user logged in, when an email was received, sent, or deleted but not when emails in a particular folder - for example Inbox - may have been viewed."
To help prevent email breaches, IT teams should periodically review Outlook rules, "especially for accounts belonging to workforce members highly targeted by phishing attacks," Walsh says. "Some phishing attacks are programmed to change Outlook rules to auto forward messages to external email accounts set up by criminals."
In addition, entities should require multifactor authentication for email, he says.
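One way to carry out the periodic rule review Walsh describes, as an added example that is not part of the original article: the script below scans exported mailbox rules and lists those that forward or redirect mail outside the organization. The field names, the `clinic.example` domain and the sample rules are assumptions constructed for illustration.

```python
import re

# Assumptions: the organization's own mail domain, and rule records exported
# with these field names; SAMPLE_RULES is constructed for illustration.
INTERNAL_DOMAINS = {"clinic.example"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

SAMPLE_RULES = [
    {"Mailbox": "billing@clinic.example", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "DeleteMessage": False},
    {"Mailbox": "billing@clinic.example", "Name": ".", "Enabled": True,
     "ForwardTo": ['"ext" [SMTP:collector@mail.example.net]'],
     "DeleteMessage": True},
    {"Mailbox": "frontdesk@clinic.example", "Name": "To manager", "Enabled": True,
     "RedirectTo": ['"Manager" [SMTP:manager@hq.clinic.example]']},
    {"Mailbox": "records@clinic.example", "Name": "Old vendor copy",
     "Enabled": False, "ForwardAsAttachmentTo": ["archive@vendor.example.org"]},
]

def external_recipients(rule, internal=INTERNAL_DOMAINS):
    """Return the sorted external addresses a rule forwards or redirects to."""
    found = set()
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for match in ADDR_RE.finditer(entry):
                domain = match.group(1).lower()
                if not any(domain == d or domain.endswith("." + d) for d in internal):
                    found.add(match.group(0).lower())
    return sorted(found)

def audit(rules, internal=INTERNAL_DOMAINS):
    """List rules that send mail outside the organization, riskiest first."""
    findings = []
    for rule in rules:
        external = external_recipients(rule, internal)
        if external:
            findings.append({
                "mailbox": rule["Mailbox"], "rule": rule["Name"],
                "enabled": bool(rule.get("Enabled")), "external": external,
                # A rule that also deletes the message leaves no local copy.
                "hides_copy": bool(rule.get("DeleteMessage")),
            })
    # Enabled rules first, then those that also delete the message.
    findings.sort(key=lambda f: (not f["enabled"], not f["hides_copy"], f["mailbox"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Disabled rules are still reported, since a dormant forwarding rule to an outside address is worth explaining during the review.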