Data breaches of health providers highlight the weaknesses in the health sector
May 25, 2022
The health sector is a regular target of cyber criminals. It is also a sector which is notorious for having poor cyber security practices. That is a terrible confluence.
Data Breach Today reports that 3 recent health data breaches have affected 1.4 million individuals. The three entities were:
- East Tennessee Children’s Hospital (“ETCH”)
- Partnership HealthPlan of California (“PHC”), and
- Acuity International’s Comprehensive Health Services.
ETCH and PHC were attacked in March, with both incidents involving various IT system disruptions, suggesting possible ransomware attacks. ETCH’s report to Maine’s attorney general claimed the attack affected nearly 423,000 individuals. PHC reported its breach affected nearly 855,000 individuals. Acuity International’s breach affected nearly 123,000 individuals.
The data affected in the ETCH breach may include name, contact information, date of birth, medical record number, medical history information and Social Security number. The PHC breach involved unauthorized access to names, Social Security number, date of birth, driver’s license number, tribal ID number, medical record number, health insurance information, member portal username and password, email address, and medical information including treatment, diagnosis and prescriptions.
Other recent health related cyber incidents around the world include:
- Greenland’s health IT service has been crippled since 9 May by a cyber attack which has forced doctors to resort to using pen and paper;
- in Ottawa a regional health service has been attacked, with names, contact information, dates of birth, health card numbers, recent visits to the hospital and diagnosis among the information compromised in the breach. Interestingly, the data breached included data kept for over a decade. That is an interesting practice;
- South African retail pharmacy company Dis-Chem was the subject of a cyber attack;
- according to the British Medical Journal hundreds of organisations in Great Britain have breached patient data sharing agreements, including GlaxoSmithKline and Imperial College London.
Given the breadth and depth of the attacks it is relevant to have regard to a very recent joint Cybersecurity Advisory prepared by cyber security authorities of the United States of America, Canada, New Zealand and the United Kingdom titled “Weak Security Controls and Practices Routinely Exploited for Initial Access”.
The report sheets home much of the blame to poor security configuration of computer systems, which are misconfigured or simply left unsecured, with hackers exploiting weak controls and other poor cyber hygiene practices “to gain initial access or as part of other tactics to compromise a victims’ system.”
Some of the techniques used by hackers include:
- Exploitation of a public-facing application.
- Exploitation of external remote services such as VPNs, and other methods of accessing the internal network from external locations.
- Phishing.
- Leveraging trusted relationships.
- Abuse of compromised credentials.
The report further notes that these attacks often occur where multi-factor authentication (MFA) has not been enforced, there are mistakes in access control lists, software has not been updated, passwords are weak, and misconfigured services are exposed to the internet.
The advisory describes best practices to defend systems from these common attacks as being:
- Control access.
- Harden credentials.
- Establish centralized log management.
- Use anti-virus.
- Employ detection tools.
- Operate services exposed on internet-accessible hosts with secure configurations.
- Keep software updated.