[BreachExchange] An Ohio clinic is the latest in a long series of health care breaches

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 2 19:54:02 EDT 2016


http://www.theverge.com/2016/8/2/12355676/ohio-urology-clinic-hack-data-breach-healthcare

A hacker group called Pravvy Sector reportedly accessed and leaked a
massive 150GB data trove from the Central Ohio Urology Group on Twitter
today, Motherboard reports. It’s unclear how many patients were affected,
but the health care organization boasts that it has the "largest
concentration of experienced urologists in Ohio."

The dump contained financial spreadsheets, human resource documents, and
patient records. Within those records were patients’ names, addresses,
phone numbers, dates of birth, and treatments received, including sperm
count, semen analysis, and renal ultrasounds.

Little is known about how the group obtained this information, but medical
hacks of this kind have become distressingly common. So far in 2016, there
have been 49 hacking-related US medical data breaches affecting at least
500 people each. More than 2 million Americans were impacted, and these are
only the breaches that have been discovered and reported. Most attacks on
the health care sector typically rely on a simple spear phishing email. An
employee is often duped into clicking on a malicious link or attachment,
and from there, hackers maneuver through the compromised system.

PHISHING EMAILS ARE COMMON

There are bigger, more technical hacks, too. For instance, Anthem and
CareFirst BlueCross BlueShield were victims of massive attacks in 2015 that
relied on more sophisticated hacking and possibly the use of several
zero-day exploits. Hackers could even gain entry to a health care network
through medical devices, but that's usually unlikely and unnecessary.
Generally, medical institutions handle a whole lot of sensitive information
and lack the money and resources to build out a full security team. Think
of a small hospital in rural America. Its regular IT administrator is
already dealing with general tech issues, let alone advanced security.
Thwarting hackers requires patched software, updated devices, and live
monitoring of networks. And to add to all that, there’s a shortage of
cybersecurity professionals.

The reality is that human employees are often the weakest link in security
infrastructure and phishing emails are easy to deploy in massive numbers.
The Central Ohio Urology Group isn’t the first attack or last attack.
Patients are more or less left to hope their health care provider takes
security seriously and will actually report breaches if any are detected.