[BreachExchange] A Tale of 2 Health Data Breaches: Persistent Challenges
destry at riskbasedsecurity.com
Thu Jun 18 10:25:37 EDT 2020
Two recently reported health data breaches illustrate persistent
security challenges - defending against ransomware attacks as well as
unauthorized access to email - that sometimes can expose years' worth
On June 8, Rangely District Hospital in Eagle Crest Drive, Colorado,
reported an April ransomware attack prevented it from accessing
patient files in a legacy Meditech database. Proprietary software that
the hospital uses to view those files was infected by the ransomware,
preventing the hospital from accessing some of the medical records
that were entered in the database between August 2012 and August 2017.
The other recent breach was reported on June 12 by Miami,
Florida-based Cano Health, which operates primary care centers and
pharmacies in Florida that specialize in care for older adults. Cano
Health says on April 13, it learned that three employee email accounts
were "accessed by an unknown perpetrator, and that messages from these
accounts may have been forwarded to an outside email account without
Cano Health's investigation "was unable to determine an exact date,
but it believes the unauthorized access may have occurred between May
18, 2018 and April 13, 2020."
As of Monday, the Rangely District Hospital and Cano Health incidents
were not yet posted on the Department of Health and Human Services'
HIPAA Breach Reporting Tool website, which lists health data breaches
affecting 500 or more individuals.
To help protect legacy information systems, security experts advise
healthcare organizations to ensure decommissioned systems are included
in their security risk management programs. And to improve detection
of email breaches, they recommend deploying behavioral analytics
Hospital Incident Details
In its statement, RDH says it did not pay any ransom. "The hospital
has been able to recover many files from backups and other sources
that were not impacted by the ransomware. There is no indication that
any files with personal health information were exported or viewed by
any unauthorized person as a result of the incident," the hospital
"However, some electronic records are unavailable or have not been
recovered," RDH says. In addition to not being able to view legacy
Meditech patient files, RDH says it lost access to certain records for
patients who received home health services between June 2019 and April
RDH says it's continuing to work on options to restore access to files
in a previous Meditech database that RDH stopped using in August 2017.
The hospital says a forensics analysis determined that a foreign
threat actor first gained access on April 2 and then launched the
ransomware in RDH's network on April 9.
The investigation determined that the ransomware incident apparently
did not result in viewing or exporting of files containing any
patients' health information. RDH has not identified the hackers, but
has reported the incident to local and federal law enforcement
RDH is offering affected individuals one year of free identity theft
The hospital says it has taken immediate steps to enhance its
security, including making changes to how its network may be remotely
accessed and promptly implementing password changes on all its
authorized user accounts. It has also purchased cybersecurity
Cano Health Breach Details
In its statement, Cano Health says that when it learned on April 13
that three employee email accounts were accessed without
authorization, it secured the accounts and launched an investigation.
The information in the compromised email accounts included patient
names, dates of birth, contact information, healthcare information,
insurance information, Social Security numbers, government
identification numbers and/or financial account numbers, Cano Health
Although Cano Health cannot confirm that any emails were
inappropriately accessed, it says it's notifying all potentially
The organization says it's cooperating with law enforcement
officials and working to identify ways to strengthen data security.
It's offering free credit monitoring services to those impacted, but
it did not indicate for how long.
Keeping legacy information systems secure from ransomware attacks, as
in the RDH breach, and other intrusions is an ongoing challenge, says
Tom Walsh, president of consulting firm tw-Security.
"Retired legacy systems normally have limited access and are no longer
considered a critical application," Walsh says. "Therefore, the
tendency, sometimes, is to 'let your guard down,' especially when it
comes to backups, because the data isn't changing."
Former healthcare CIO David Finn, executive vice president at security
and privacy consultancy CynergisTek, offers a similar assessment.
"Organizations that archive data from legacy systems that are being
replaced frequently lose sight of the risks surrounding that data," he
says. "I hate to say it, but the old adage, 'out of sight, out of
mind' can be a dangerous enemy. The data is still protected under law
and should have the same level of protection as any 'active' protected
health information," Finn says.
A risk assessment should also be part of de-commissioning systems or
moving data to other retrieval processes, he stresses.
"Too often, legacy systems and old proprietary software are overlooked.
In some cases, the applications won't run on new operating systems or
support updated utilities on those operating systems. More frequently,
no updates or patches are being released for those legacy systems or
end-of-life software," he says.
Because security patches may not be available for legacy systems, IT
departments should protect these systems by implementing compensating
controls, such as network segmentation, additional firewalls or access
control lists on network ports to which legacy systems are connected,
Catching Email Breaches
Finn says email breaches, such as the Cano Health incident, often go
undetected for extended periods of time.
"This is particularly difficult if someone is using stolen credentials
from an authorized user," he says. "You will not likely ever stop this
completely - and if it looks like a legitimate user, security is not
going to alert to this unless the account is doing things that this
user has never done or shouldn't be doing."
Finn suggests that user behavior analytics can be helpful in detecting
unusual email activity. "Having monitoring tools, though, implies you
have people being alerted and acting on that information," he
A lack of sufficient audit logging capabilities in an email system can
also lead to delays in breach detection, Walsh notes.
"Organizations may find this out the hard way - when they are
investigating a breach," he says. "Audit logging may record
transactions, such as when a user logged in, when an email was
received, sent, or deleted but not when emails in a particular folder
- for example Inbox - may have been viewed."
To help prevent email breaches, IT teams should periodically review
Outlook rules, "especially for accounts belonging to workforce members
highly targeted by phishing attacks," Walsh says. "Some phishing
attacks are programmed to change Outlook rules to auto forward
messages to external email accounts set up by criminals."
In addition, entities should require multifactor authentication for
email, he says.
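As an added illustration of the two points above (reviewing mailbox rules for external auto-forwarding, and relying on audit records rather than waiting for a breach investigation), the following example is not from the article or any of the organizations it quotes. It scans constructed rule-creation audit records, in a shape modelled on Exchange's New-InboxRule / Set-InboxRule audit events, and flags any rule that forwards or redirects mail to a domain outside the organization; the domain names and user IDs are invented placeholders.

```python
import json
from typing import Iterable

# Constructed: the organisation's own mail domains (placeholder value).
ORG_DOMAINS = {"example-health.test"}

# Constructed sample audit records, modelled on the Operation + Parameters
# layout of Exchange inbox-rule audit events. All values are invented.
SAMPLE_EVENTS = [
    json.dumps({"UserId": "nurse1@example-health.test", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop@outside-mail.test"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "billing@example-health.test", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "MoveToFolder", "Value": "Invoices"}]}),
    json.dumps({"UserId": "clinic@example-health.test", "Operation": "Set-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "Cover"},
                               {"Name": "RedirectTo", "Value": "oncall@example-health.test"}]}),
]

# Rule parameters that move a copy of a message somewhere else (tuple keeps ordering stable).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS

def find_external_forwarding(lines: Iterable[str]) -> list:
    """Return one finding per rule event that forwards or redirects outside the org."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
        targets = [params[k] for k in FORWARD_PARAMS if k in params and is_external(params[k])]
        if targets:
            findings.append({"user": event["UserId"], "operation": event["Operation"],
                             "rule": params.get("Name", ""), "targets": targets,
                             # forward plus delete hides the forwarded mail from the mailbox owner
                             "deletes": params.get("DeleteMessage", "False") == "True"})
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_EVENTS):
        print(finding)
```

Only the first record is flagged: the second rule merely files mail, and the third redirects to an address inside the organization's own domain.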