Malware Attacks: A Tale of Two Healthcare IncidentsTime for Detection, Mitigation Can Vary Widely Depending on Circumstances
Two recently disclosed malware attacks in the healthcare sector illustrate that detection and mitigation of such attacks can be rapid, or it can take many months.
The bigger of the two incidents - impacting nearly 539,000 patients - was a malware attack on LifeBridge Health that occurred in September 2016 but was not discovered until 18 months later, the Baltimore, Maryland-based physician practice reports.
The other incident was a May 17 ransomware attack on Allied Physicians of Michiana, a specialty practice based in South Bend, Indiana, which says it was able to swiftly mitigate the situation without major disruptions to patient care. The organization, however, has declined to say whether it paid a ransom or used back-ups to quickly restore its systems.
Security experts say that while many healthcare organizations are making progress in detecting and mitigating malware attacks, there's still lots of work to be done. That includes implementing more robust authentication, improving monitoring and analysis of network activity and patching and updating software.
LifeBridge Health Incident
LifeBridge, which has about 1,700 physicians, says malware was discovered in March on a server that hosts electronic medical records of its Potomac Physicians practice and the shared registration and billing system for some other LifeBridge Health providers.
Following the discovery, LifeBridge says it took "immediate action, including engaging a national forensic firm." The investigation revealed that an unauthorized person accessed the server in September 2016.
"While we do not believe that the information was misused in any way, out of an abundance of caution, we decided to notify more than 500,000 patients," LifeBridge says, adding that it also is offering those affected one year of free credit monitoring and identity protection services.
The information potentially accessed may include patients' names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and in some instances Social Security numbers, LifeBridge says.
A LifeBridge spokeswoman tells Information Security Media Group that so far the investigation has not determined the type of malware used in the attack. There was also no demand for ransom.
The LifeBridge breach, which was added on Wednesday to the Department of Health and Humn Service's "wall of shame" website listing major breaches, is the second largest breach added to the tally so far this year.
Stronger Authentication Needed
To help prevent breaches, LifeBridge says it has "enhanced the complexity of its password requirements and the security of its system."
But many security experts say healthcare entities should consider more robust authentication methods than the use of passwords, especially for privileged users.
"Many organizations would be better served reducing the number of elevated privileges they have on the network and systems rather than simply improving password complexity, which is not foolproof," says Mac McMillan, CEO of security consultancy CynergisTek.
"Consider eliminating persistent privileges completely with vaulting," he says. "Issue one time, short-duration privileges when required with proper audit and tracking. Also consider multifactor authentication; don't just rely on passwords especially for remote connectivity and critical apps."
To shorten the time to detect malware attacks and other breaches, McMillan suggests healthcare entities "improve enterprise hygiene, deploy detection capabilities and engage a full time MSSP [managed security services provider] to monitor their network and enhance analysis, reporting and response."
Allied Physicians Incident
In the other malware incident, Allied Physicians a multispecialty practice with about 50 clinicians serving north central Indiana, reports that it has recovered quickly from an attack involving a variant of SamSam ransomware.
"Steps were immediately to shut down the network and protect personal and protected health information," the practice says in a statement. "In conjunction with internal staff, its incident responder, outside counsel and other professionals, the company was able to restore its data in a secure format without any significant disruptions to patients."
The practice adds that the incident has been "successfully contained at this time. Additional forensic activity is continuing to confirm that personal information and PHI was not compromised in the incident, the statement notes.
An Allied Physicians spokeswoman declined to comment to ISMG on whether the practice paid a ransom or restored its data using backup systems. "We were lucky," she said.
While cyberattacks involving malware remain a big threat to healthcare entities, some security experts say that many organizations appear to be making progress in terms of preparedness.
"There are more tools now available to flag potential breaches, and they are becoming more affordable, and so more covered entities are using them," notes Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Awareness is building for ransomware, because it is such a public, and costly, type of breach; in both money, lost confidence, and brand damage. So, given the large amount of public relations related to ransomware, it is being addressed more than other types of malware and security vulnerabilities.
McMillan says that although healthcare organizations are still frequent targets for ransomware attacks, "the frequency of successful exploitation has seemed to diminish some."
He offers a possible explanation for the progress: "I do believe a lot of our healthcare entities are getting better at managing cyber events, particularly those brought on by malware or indiscriminate internet attacks. Enough have been affected that all healthcare organizations know it is something that they must prepare for."
Tom Walsh, president of the consultancy tw-Security, advises healthcare entities to implement important steps to help prevent becoming victims of SamSam and other ransomware.
"Keep systems patched and up to date. Replace old network equipment," he says. Also, entities should provide their workforce with training and awareness, as well as conduct social engineering tests to help staff members learn how to recognize phishing campaigns. "People cause the ransomware to spread - so start there," he says.
Herold also suggests several key actions should be taken by all organizations to reduce their risk of attacks involving malware. That includes:
- Limiting the amount of PHI collected, included limiting where it is stored, from where it can be accessed, and to whom it is shared;
- Preventing unsecured devices, apps and systems -as well as personally owned devices - from being connected to the healthcare systems and networks;
- Keeping policies and associated procedures addressing malware and ransomware updated to reflect the latest methods and threats.
Faster to Detect?
Because ransomware attacks usually involve attackers demanding a ransom to "unlock" a system, those incidents are sometimes easier to detect sooner than situations involving stealthier malware.
But that's not always the case. "Most ransomware does initiate soon. However, there are more instances of ransomware infiltrating a system, and then waiting, while also harvesting data and credentials, etc., before being launched and locking everyone out," Herold notes. "CISOs and other information security pros need to expect that the ransomware of today will not be as complex as it will most surely evolve to in the coming months and years."
Federal regulators have been warning healthcare sector entities to be prepared to deal with potential cyberattacks, including those involving SamSam ransomware.
For instance, in March, the Department of Health and Human Services Healthcare Cybersecurity and Communications Integration Center issued an alert on SamSam malware (see HHS Warned of SamSam Ransomware Attacks).
As of the March 30 alert, HHS said there were at least eight separate cyberattacks on healthcare and government organizations utilizing a SamSam variant.
"The more people are aware of the risks, the more eyes you will have watching for potential threats, giving the CISOs a valuable tool for security protection," Herold says.