Published on: September 17, 2014
By: Joy Rios, Managing Partner at Practice Transformation
Follow Joy on Twitter @HealthInfoSec

A total of 112 incidents of cyber threats were reported in the past month, according to the August HITRUST briefing.

In partnership with the U.S. Department of Health and Human Services (HHS) and the Federal Bureau of Investigation, HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) addressed the cyber threats that most relate to healthcare. Included in their summary was an update on the Community Health Systems data breach that affected 4.5 million people that also received significant media coverage in the past week.

Because of this particular breach, HHS experienced a massive uptick in recent inquiries from healthcare organizations. To address concerns the industry and security professional’s concerns, they invited Mike Rosanova of the FBI to shed light onto the procedures that take place when cyber attacks such as these occur.

“It’s not that easy, unfortunately, to take something at a fairly high classification level and get it into a usable context. With respect to this [Community Health Systems] incident, we did everything we could do to get the info to you to answer to your executives and boards,” said Rosanova.

He continued, “We could do a better job of being aware of what may break and get advisories our sooner. We need to look inward as well, to get you the information you need to allow you to do your job.”

Roy Mellinger, Chief Information Security Officer for WellPoint, affirmed that the FBI has made drastic improvements on how they disseminate information to the health sector in the last two or three years. Although the banking and financial industries have been in the cyber security business for a lot longer, Mellinger pointed out that healthcare has a much larger footprint for exposure do data breaches. Whereas banking has a one-to-one relationship with its customers, healthcare has about one-to-nine, when you account for all the payers, pharmacies, diagnostics, labs, and other facilities that access patient health information.

“It’s an interesting time to be a healthcare CIO or the person responsible for security,” said Mellinger.

In an effort to offer more protection to the health sector, the FBI partnered with HHS in July to begin the process of sharing intelligence and it expects to build strong bridges for sharing information.

“We’re realizing it’s a partnership and information needs to go both ways,” said Rosanova.

Rosanova expressed two areas where health care organizations and executives can contribute:

  • Report any suspicious activity or anomalies on your IT networks to the FBI field offices
  • Help identify organizations and individuals within the health sector to be cleared for Top Secret security clearance

With more organizations and individuals with security clearance, the FBI would be able to disseminate security threat information more quickly.

HITRUST representative Dan Ferraro explained they are strengthening efforts to address IT vulnerabilities in the form of:

  • Tracking threat actors and targets
  • Building significant key word search databases that continue to scour looking opportunities and threats
  • Putting more security analysts in the field
  • Working with HHS, DHS & FBY to publish alerts when they are confident of the information

Ferraro explained that the fastest way to communicate information to security officers is through the HITRUST portal. There is a daily intelligence summary where emerging threat reports and incidents of concern (IOC) are posted to communicate vulnerabilities that may relate to the health sector.

Of the 112 cyber threats included in the brief this month, the following are highlights of the incidents most relevant to healthcare:

    Community Health Systems:

  • Data breach that affected 4.5 million people did not include medical, clinical or financial information. It did include full names, addresses, phone numbers, and social security numbers.
  • Breach happened between April – June, 2014 and is strongly suspected to be part of the Heart Bleed cyber attack, for which there are now security patches.
  • Remote Access Credential Compromise Breaches POS Provider

  • Cybercriminals gained remote access to the system of a U.S.-based third-party point of service (POS) system provider – Information Systems & Supplies (ISS)
  • LogMeIn account credentials were compromised
  • If there are patient-facing POS devices in doctor’s offices, they could be compromised as well
  • Subcontractor for Employee Wellness Plan Breach

  • Attacker breached the database of StayWell Health Management, a subcontractor in charge of an employee wellness program offered by U.S.-based electric and natural gas utility Dominion
  • Affected 1,700 Dominion employee, dating back to 2012
  • Onsite Health Diagnostics, a subcontractor of Dominion, had a spreadsheet with allegedly encrypted passwords compromised
  • OHD was associated with 2 other recent breaches. HITRUST is unsure if OHD was attacked on several partnerships at the same time, or if they were attacked repeatedly.
  • The spreadsheet were available on from March 2012 – January 22, 2014 from a network folder. Access to this folder has been restricted, the spreadsheets have been removed, and several steps have been taken to ensure this doesn’t happen again.
  • Unix-based Web Server Malware Discovered

  • Malware was recently used to target Pharmacy related websites.
  • Once connected, the malware installed any one of eight unique plugins, each with different purposes (ex. to extract information, install software, perform malicious attacks, etc.)
  • Pharmacies are a possible target as a stepping point to a healthcare system. Once a pharmacy is detected, other touch points and vulnerabilities in healthcare can be identified for the purpose of conducting identity theft or medical fraud.

For more information, visit the HITRUST Monthly Cyber Threat Briefing slides.