[BreachExchange] Ransomware Attack Impacts 522,000 Patients in Puerto Rico

Destry Winant destry at riskbasedsecurity.com
Tue Jul 30 10:14:05 EDT 2019


https://www.govinfosecurity.com/ransomware-attack-impacts-522000-patients-in-puerto-rico-a-12848

A Puerto Rico-based medical center and a related women and children's
hospital are victims of a recent ransomware attack impacting the data
of more than 522,000 individuals. The combined incident is currently
the largest health data breach reported to federal regulators this
year involving ransomware.

In a joint statement issued July 19, Bayamón Medical Center and Puerto
Rico Women and Children's Hospital, both part of the same organization
and based in Bayamón, Puerto Rico, say that on May 21 they discovered
that patient information was involved in "a blocking incident" that
affected the hospitals' computer network.

"From our research, the hospitals and their consultants understand
that the information of our patients was simply encrypted - blocked -
and there is currently no indication that the information itself has
been used by an unauthorized person. We will continue to monitor the
situation," the statement says.

The hospitals add they are also "strengthening our security protocols
and providing additional training to our employees to reduce the
likelihood of a similar event happening in the future."

The hospitals did not indicate whether they paid a ransom or
remediated the situation without paying the hackers.

Data Impacted

The type of information impacted, "to which the hospitals did not have
access for a short period of time," included clinical, demographic and
financial information such as patients' full name, and in some cases
Social Security numbers, date of birth and diagnosis, the statement
says.

"None of your data was lost as a result of the incident, and to date
there is no evidence to suggest that your information was extracted
from our network or that there has been some attempt to misuse your
information."

Bayamón Medical Center and Puerto Rico Women and Children's Hospital
did not immediately respond to an Information Security Media Group
request for additional information about the incident.

Among Largest Breaches

The attacks on Bayamón Medical Center and Puerto Rico Women and
Children's Hospital were reported separately by each of the two
hospitals on July 19 to the U.S. Department of Health and Human
Services as hacking/IT incidents involving a network server, according
to HHS' HIPAA Breach Reporting Tool website.

Also commonly called the "wall of shame," the website lists reports of
major health data breaches impacting 500 or more individuals.

Bayamón Medical Center reported the incident as impacting nearly
422,500 individuals and Puerto Rico Women and Children's Hospital
reported the breach as affecting nearly 100,000 individuals.

To date, the incident reported alone by Bayamón Medical Center is the
largest breach involving ransomware posted on the federal tally so far
this year. The Bayamón incident report is also the fourth largest
health data breach of any type posted on the HHS website so far in
2019.

Other Attacks

Other major health data breaches reported so far to HHS this year as
involving ransomware attacks include an incident impacting 106,000
individuals reported in May by Indiana-based Talley Medical Surgical
Eyecare Associates (see 2 Medical Practices Among Latest Ransomware
Attack Victims).

But it's not only larger healthcare entities that have reported being
victims of ransomware attacks so far in 2019. A number of smaller
healthcare providers, including Connecticut-based non-profit
Southeastern Council on Alcoholism and Drug Dependence in May, have
reported to HHS ransomware incidents impacting thousands of patients
(see 'Survivor' Lessons from Attack on Dental Practice).

Complex Problem

Some security experts predict that ransomware attacks on healthcare
sector entities will continue to surge.

"I don't see this abating any time soon," says former healthcare CIO
David Finn, executive vice president at security consultancy
CynergisTek.

"Unfortunately, like so much around security in healthcare, it will
likely get worse before it gets better."

Efforts to prevent falling victim to these attacks need to be
multifaceted, he says. "There are no silver bullets for security.
Everyone keeps looking for one but you can't fix it with technology
alone; you can't just expect that training people will solve it.
Systems and workflows are complex in healthcare, and so this will have
to be addressed holistically and systemically - this is not something
we do well in healthcare," he says.

"Ransomware is particularly complex because it frequently leverages
'social engineering' and the trust that is core to healthcare and then
is able to use those opportunities to deploy very targeted and
effective attacks," Finn says.

Susan Lucci, senior privacy and security consultant at tw-Security,
offers a similar perspective. "The most common way ransomware is
introduced to a system occurs when an unsuspecting employee clicks on
a link or opens an attachment that has been compromised," she notes.

"Although many organizations have taken proactive steps to alert their
workforce to this pervasive threat, it still occurs because the
attackers make their communications look authentic. The subject line
or content makes a compelling argument to believe the email is
legitimate."

Evolving Threat

One evolving trend involving ransomware is that the attacks continue
to grow more sophisticated and can engage defenders in "cat-and-mouse
like activities," Finn notes.

"While malware has had the ability to detect sandboxes and virtual
machines for some time, we are now seeing attacks that can bypass some
firewalls and some anti-virus products," he notes.

"Since ransomware is now offered as-a-service, the operators are not
always technical, and more attacks are actually being outsourced in
this way," he says. "Often the infection vectors are difficult to
identify because the ransomware deletes all evidence of how it was
'dropped,' and some are using anti-forensic recovery techniques which
can make recovery from backup more difficult."

Steps to Take

Because preventing and defending against ransomware is becoming more
complicated, healthcare sector entities and their vendors need to step
up their strategies, Finn says.

"A very common ingress point is spoofed email, so one thing that can
solve a lot of problems is multi-factor authentication to email and
other systems," he says.

However, "we keep hearing that 'passwords are dead' but if you have
systems with them, they should be strong, they should be changed
regularly, not stored or transmitted in clear text. Given that medical
devices will likely be a significant vector for attack, changing
default passwords on devices and any system, frankly, that connects to
the hospital network is still critical."

In the meantime, entities need to ensure that their users are trained
- and frequently reminded - on ways to spot and avoid falling victim
to suspicious email and attachments containing malware, Lucci says.
Additionally, users also need to be kept in the loop about evolving
threats, she says.

"One of the best ways to keep your workforce informed is to make it
real. Sharing current examples that have happened in healthcare is far
more valuable than just stating the issue along with the consequences.
It brings the situation into focus."

