A Modern Villain | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

A Modern Villain

May 19, 2017
by John Nye, vice president, cybersecurity strategy, CynergisTek
| Reprints
The threat that The Dark Overlord and the rest of the criminal world poses to modern healthcare organizations is as real as it gets

When one considers fiction about hackers, it is easy to see a typical villain lurking in the basement, threatening people and companies, and generally acting menacing. The Dark Overlord (TDO), for instance, has a name and mode of operating that sounds like something straight out of modern-day cyber thriller. TDO as one example has been getting a lot of press lately, mostly because TDO is stealing information people want to keep hidden and then, unlike other hackers, being very vocal about it. Recently this mysterious figure (or figures) even took yet-to-be-released episodes of a favorite show on Netflix and released them on the dark web.

Why Healthcare?

The previously mentioned antics had little to do with healthcare, except the patients and workers that wanted to watch “Orange is the New Black.” However, there is an impact from even this one incident that should have healthcare IT professionals paying attention. For one, this shows that TDO is not nearly as worried about making money as they are about calling out poor security practices and embarrassing their victims in the most public way they can.

The biggest and most obvious reason that healthcare IT professionals should pay attention are the most recent activities for which TDO is gaining recognition. Why? Because in mid-2016 TDO stole around 180,000 individual patient health records from several small healthcare providers. Almost immediately TDO contacted the hospitals and demanded a ransom if they wanted to protect their files. Because none of the affected organizations were willing to be extorted in this manner, TDO released these records to the public earlier this month.

Extortion for Data is the New Kidnapping


Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of...

No surprise, attackers are using extortion for financial gain and notoriety, and, unfortunately, the tactics seem to be working. Ransomware, which is just automated extortion, is on the rise year over year. Just this last weekend there was a major ransomware outbreak called WannaCry, which you can read more about here, here and here. If you look at the latest Internet Security Threat Report (ISTR) from Symantec, you will see that ransomware attacks increased 36% in 2016 in addition to the average ransom increasing from $294 in 2015 to $1,077 in 2016.

We see from the above statistics that ransomware infections are increasing at the same time as demands to decrypt the data are rising too. TDO has just taken this to a new level and is using a slightly different approach. Both attacks have similar results: a breach, public awareness of the offense, and a significant loss to the victim. The loss an organization suffers can come in the form of a monetary fine from a regulatory body (such as the Office for Civil Rights) for having a breach, loss of time and operational abilities, and reputational damage after the breach is identified and publicized.

What Can Healthcare Do?

These attacks are only possible because of human mistakes and poor security controls. If an organization wants to better protect themselves from extortion-based attacks, they need to do several things. All of the actions that will help mitigate the threat of these types of attacks are in the Center for Internet Security (CIS) top 20 critical controls. When an organization maintains a strong information security program and implements controls uniformly, they can markedly reduce the attacker's ability to be successful.

But, what about the human factor? People are the vector that most of these attacks use to gain control of an organization's sensitive data. Typically, ransomware or attacks like those carried out by TDO are initiated through social engineering. Meaning that someone in your organization fell for a scam, clicked a link, downloaded a file, or carried out some other insecure action that allowed the malicious code or attacker to access the target data. These issues are just further evidence that the current models of user awareness training are not as effective as they need to be.

Awareness Training

Implementing awareness training is a big job, bigger than any one organization. Fortunately, there are several consortiums out there working to improve the situation. SANS Institute has its Securing the Human program available, and it is widely regarded as the industry leading solution. The SANS program includes all the training, tools, and extensive guidance needed to support security awareness programs.

OWASP (the Open-Source Web Application Project) has started work on their user awareness training project as well as several projects for developers and security professionals. On the OWASP project portal there are several applicable projects such as the OWASP Security Shepard program for IT pros, and the OWASP Top 10 project that is key to awareness training for developers and web administrators.

In Conclusion

Despite the seemingly farcical nature of the recent actions of TDO, the threat this entity and the rest of the criminal world poses to modern healthcare organizations is as real as it gets. Ensuring that users are aware of risks and know how to act in a secure manner will take your organization a long way toward being safer. Also, making sure the necessary controls (CIS Top 20) are assessed and implemented will take security to an even greater level. Finally, it’s crucial to have a plan in case of an extortion demand, and have offline backups and a recovery plan in place so these criminals can’t easily take advantage of you and your organization.

John Nye has spent nearly a decade in information security which includes time with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp, and KPMG LLP before joining CynergisTek. John has been working exclusively as a professional penetration tester for the last four years and has presented at numerous local conferences for developers and other IT professionals.

The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


Health First Data Breach Exposes Information of 42K Patients

November 15, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

A data breach at Florida-based Health First exposed the personal information of some 42,000 patients, according to various industry media reports this week.

The website DataBreaches.net reported that in early October, the healthcare provider Health First notified the Department of Health & Human Services (HHS) of a breach that affected 42,000 patients.  The breach actually occurred earlier in the year, however, between February and May 2018, according to the report, which received a statement from the organization’s senior vice president, consumer and retail services.

The Health First executive noted that “a small number of our employees were the victims of a phishing scam which compromised some of our customers’ information. The criminals were able to gain access of these employees’ email accounts for a limited period of time.”

Health First officials also told Florida Today this week that the data breach “was fairly low-level, though it could have included some customers' Social Security numbers. Mostly it appears to have involved information such as addresses and birth dates. No medical information was compromised,” according to this report.

Phishing attacks continue to plague the healthcare industry; the single largest breach this year was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. That said, cybersecurity professionals are still looking for more advanced ways to get out in front of these attacks, as healthcare has traditionally lagged behind other industries in in phishing resiliency.

More From Healthcare Informatics


Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Tuesday, December 18, 2018 | 1:00 p.m. ET, 12:00 p.m. CT

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of endpoints.

Attend this session to learn why it's more important than ever for healthcare organizations to actively manage their full range of endpoints, endpoint security best practices, and how your endpoint management strategy may need to evolve over time.

Related Insights For: Cybersecurity


4.4M Patient Records Breached in Q3 2018, Protenus Finds

November 7, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

There were 117 disclosed health data breaches in the third quarter of 2018, leading to 4.4 million patient records breached, according to the Q3 Protenus Breach Barometer report.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the most recent data shows that although the number of incidents disclosed in Q3 decreased somewhat from Q2, the number of breached records increased from Q2 to Q3. Also, the number of affected patient records has continued to climb each quarter in 2018—from 1.13 million in Q1 to 3.14 million in Q2 to 4.4 million in Q3.

In Q3, the report noted that the single largest breach was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. Hackers used phishing techniques, “official-looking emails”, to gain access to the organization’s email system and capture employees’ passwords. This new incident follows one that took place at the same organization in April when 16,400 patient records were breached as a result of another phishing attack.

For incidents disclosed to HHS (the Department of Health & Human Services) or the media, insiders were responsible for 23 percent of the total number of breaches in Q3 2018 (27 incidents). Details were disclosed for 21 of those incidents, affecting 680,117 patient records (15 percent of total breached patient records). For this analysis, insider incidents are characterized as either insider-error or insider-wrongdoing. The former includes accidents and other incidents without malicious intent that could be considered “human error.” 

There were 19 publicly disclosed incidents that involved insider-error between July and September 2018. Details were disclosed for 16 of these incidents, affecting 389,428 patient records. In contrast, eight incidents involved insider-wrongdoing, with data disclosed for five of these incidents.

Notably, when comparing each quarter in 2018, there has been a drastic increase in the number of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were about 4,600 affected patient records, in Q2 2018 there were just over 70,000 affected patient records, and in Q3 there were more than 290,000 affected patient records tied to insider-wrongdoing.

What’s more, the report found that hacking continues to threaten healthcare organizations, with another increase in incidents and affected patient records in the third quarter of 2018. Between July and September, there were 60 hacking incidents—51 percent of all Q3 2018 publicly disclosed incidents. Details were disclosed for 52 of those incidents, which affected almost 3.7 million patient records. Eight of those reported incidents specifically mentioned ransomware or malware, ten incidents mentioned a phishing attack, and two incidents mentioned another form of ransomware or extortion. However, it’s important to note that the number of hacking incidents and affected patient records have dropped considerably when comparing each month between July and September 2018.

Meanwhile, of the 117 health data breaches for which data was disclosed, it took an average of 402 days to discover a breach from when the breach occurred. The median discovery time was 51 days, and the longest incident to be discovered in Q3 2018 was due to insider-wrongdoing at a Virginia-based healthcare organization. This specific incident occurred when an employee accessed thousands of medical records over the course of their 15-year employment.

See more on Cybersecurity

betebettipobetngsbahis bahis siteleringsbahis