Phishing attacks strike again. Last week, Nemadji Research Corp., which does patient eligibility and billing services work for the Los Angeles County Department of Health Services, discovered that they’d been breached by a phishing attack. The attack enabled the criminals to gain access to the medical records of nearly 15,000 patients.
According to Nemadji, on March 28, 2019, Nemadji identified unusual activity in an employee’s email account. They then contracted a security expert to determine what systems and data may have been compromised. That investigation concluded that the attacker behind the phishing attack gained access to an employee’s email account for several hours on March 28, 2019. While almost all of the information in the email account was encrypted at the time of the incident, the encryption keys or similar variations were included in the email account.
The investigation found that the personal information present within the email account varied by patient, but could have included: first and last names and one or more of the following data elements: address, admission/discharge date, claim number, aid category, date of birth, Social Security number, diagnosis code, group name, group number, insurance information, medical record number, other encounter identifier, patient account number, Medicaid/Medicare/other identification number, and subscriber name.
Nemadji encourages those possibly impacted to remain vigilant against identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity. The company provided information here for potential victims.
I expect these breaches to continue. While some surveys show attacks against healthcare organizations are growing more sophisticated, the simplest phishing attacks continue to work. In its inaugural CAPP Conference Survey, healthcare security services provider CynergisTek found that culture was listed as the top barrier to retaining cybersecurity professionals, higher than both compensation and training. That hints at a big disconnect between where these firms are when it comes to security and where they need to be.
The survey was administered in May to attendees of the company’s inaugural CAPP Community Conference: Cybersecurity 2019. The conference focused on important issues in healthcare security and privacy, such as data breaches and associated risks, state privacy laws, privacy and security culture, and medical device security.
While healthcare providers are suffering the most basic of breaches and falling victim to ransomware attacks, they seem most concerned about other risks. These include those from the internet of things (IoT), medical devices, third-party vendors, and program development/management. However, the data also pinpointed some of the barriers or disconnects within organizations that stand in the way of solving these issues, like executive leadership buy-in.
According to the survey, the biggest concerns among healthcare respondents include:
- Third-party risk is the threat that concerns 40% of respondents the most.
- Of the emerging threat areas (5G, AI, IoT, and supply chain) discussed, over 50% responded that they were the most concerned about IoT.
- Nearly one-third of respondents reported that medical device security is one of the top five risks facing healthcare, according to the Health Industry Cybersecurity Practices; however, most reported not having an effective strategy in place to assess the risks posed by medical devices. Twenty-six percent said they don’t have any process in place at all.
- Almost half of the organizations reported to have conducted an incident response exercise only one time, or to have never done one at all.
- 54% of those surveyed said the biggest barrier to meeting privacy and security challenges was a lack of adequate resources (tools, money, or people), and only 13% cited senior management buy-in. However, in a follow-up question, 40% responded that they didn’t know if their boards were more or less involved with cybersecurity and privacy programs than they previously had been.
In a separate report, Healthcare Cyber Heists in 2019, survey responses from 20 industry CISOs indicate how attackers have evolved over the past year.
That survey found, not surprisingly, that the majority of respondents believe they’ve incurred an increase in cyberattacks this year; targeted by ransomware attacks, and nearly half said that they’ve encountered attacks where the primary motivation was destruction of data. Interestingly, one-third (33%) of surveyed healthcare organizations said they’ve encountered instances of island hopping on their enterprises over the past year and said they’ve encountered counter incident response over the past year.
There’s a lot at stake when it comes to healthcare security. With rising healthcare costs, more organizations are looking for ways to innovate with technology and improve customer care while managing costs. Of course, to do so, the industry is going to have to solve its cybersecurity challenge.