What would you do if you woke up this morning and found that your company’s sensitive health records were stolen? In the wake of a devastating data breach that resulted in the theft of nearly 10 million healthcare records, CIOs need to ask themselves if they want to risk both their jobs and the security of those affected by such a catastrophe. This situation only proves that compliant electronic record storage systems aren’t enough to keep records secure, and that security as a whole must be improved.
The hacker responsible, aptly called TheDarkOverlord, posted the sale on a site called TheRealDeal, a black market site that can only be accessed by crawling through the gutters of the Internet through the Tor web browser. Included in the haul of stolen data were names, addresses, dates of birth, and Social Security numbers, which give hackers the ability to steal identities or access patients’ financial assets. The hacker claims that the databases were from Missouri, Georgia, and an unnamed southern/midwestern state. Many of the records stolen were from the major healthcare service provider, Blue Cross Blue Shield, with some criminals hoping to buy health records specific to that company.
Below are the asking prices for the data. TheDarkOverlord’s attempt to sell the data followed a failed extortion attempt, and the hacker has threatened further leaks unless the victims pay up:
- $100,000: 48,000 records from a Farmington, MO hospital
- $400,000: 397,000 records from an Atlanta, GA hospital
- $200,000: 210,000 records from an unnamed central/midwest United States hospital
- $485,000: 9.3 million health records from “a large insurance healthcare organization”
Inside the Hack
The Daily Dot had the opportunity to speak with TheDarkOverlord, who claimed that the attack used an exploit of his own design, one he told the Daily Dot he has no intention of giving up. He described it as a little-known zero-day vulnerability in Microsoft’s Remote Desktop Protocol (RDP) as deployed in the insurance provider’s infrastructure. In one case, once inside, he found credentials stored unencrypted in plain text, including administrative usernames and passwords. With those, the hacker was able to connect to the victim organization’s computers, interact with their network, access files through their electronic record storage system, and freely browse the compromised database.
Compliance Isn’t Enough
Clearly, storing usernames and passwords in plain text in an unencrypted file wasn’t the best choice. Had the affected companies practiced better credential security, this might not have happened. Keep in mind that compliance laws don’t necessarily require that files be encrypted, though you’d think they would. HIPAA does at least expect security measures to be in place to keep sensitive data like this safe. This is one reason why compliance should be kept in mind without forgetting security and its best practices. Make security a state of mind within your company culture, not an afterthought.
Additionally, ransomware continues to be a top concern, especially for the healthcare industry. In attempts to go digital, hospitals and other healthcare institutions have turned to the cloud, despite the fact that they haven’t invested heavily in security solutions for this sensitive data. Unlike banking credentials, healthcare records and personally identifiable information, like your Social Security number, can’t easily be changed. This is why it’s so devastating when hackers pull these kinds of stunts. Ransomware could potentially force a hospital, which holds important medical records, to start from scratch, which is unacceptable when people’s lives are on the line. More often than not, the hospital is forced to pay the ransom, which can be crippling if done at the wrong time.
What You Can Do
The general best practice for dealing with potential cyber security issues is a twofold approach: 1) Implement preventative technology solutions, and 2) Educate your users on how to avoid potential issues.
- Preventative security solutions: In theory, it’s best to keep ransomware and other dangerous threats as far away from your business’s network as possible. This includes implementing enterprise-level firewall and antivirus solutions to keep threats out, as well as an anti-spam solution to keep malicious messages out of inboxes, and, most importantly, keeping all your systems up to date. Furthermore, it’s imperative that you keep business continuity practices in top form by taking regular backups and performing risk assessments. The HHS has outlined some helpful practices on this topic.
- Employee education: Teach your end-users how to identify spam messages, suspicious email attachments, phone phishing scams, and the like. Reinforce that password security is of critical importance, and never store credentials locally where a hacker could access them. Remember, the more people who have access to sensitive data, the more likely it is that this data can be compromised. Allow access to data only for those who need it. Security isn’t just the responsibility of the CIO; it’s up to everyone to stay up to speed on the latest threats and how to handle them.
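The point made above, and again in the “Compliance Isn’t Enough” section, is that administrative credentials left in clear-text files are what turned an initial foothold into full database access. As an added illustration (this is not code from the original article or from any organization it describes), here is a small audit script that walks a directory tree, flags files that appear to contain credentials in clear text, and redacts the values in its report so the findings themselves don’t become a second leak. The file names and contents it builds under a temporary “admin scratch directory” are constructed for the demonstration, and the regular expressions are heuristics you would tune for your own environment.

```python
"""Audit a directory tree for files that appear to hold plaintext credentials.

Added example; the sample files and patterns below are constructed for
illustration, not taken from any real incident.
"""
import re
import tempfile
from pathlib import Path

# Heuristic patterns that commonly indicate a secret sitting in clear text.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\b(api[_-]?key|secret[_-]?key|access[_-]?token)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\b[a-z]+://[^/\s:]+:[^@\s]+@"),  # user:pass@host inside a URL
]

# File types that are not worth scanning as text.
SKIP_SUFFIXES = {".png", ".jpg", ".gif", ".zip", ".gz", ".exe", ".dll"}


def redact(line):
    """Replace the value after the first '=' or ':' so the report shows no secret."""
    return re.sub(r"([=:]\s*)(\S+)", r"\1<redacted>", line, count=1).strip()


def scan_text(text):
    """Return [(line_no, rule_index, redacted_line)] for every matching line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for idx, pattern in enumerate(CREDENTIAL_PATTERNS):
            if pattern.search(line):
                findings.append((line_no, idx, redact(line)))
                break  # one finding per line is enough for the report
    return findings


def scan_file(path):
    """Scan one file; binary-looking or unreadable files are skipped."""
    if path.suffix.lower() in SKIP_SUFFIXES:
        return []
    try:
        data = path.read_bytes()
    except OSError:
        return []
    if b"\x00" in data[:1024]:  # crude binary check
        return []
    return scan_text(data.decode("utf-8", errors="replace"))


def scan_tree(root):
    """Return {relative_posix_path: findings} for every file under root with hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample files standing in for an administrator's scratch directory.
SAMPLE_FILES = {
    "notes/admin-logins.txt": "rdp host: recordsrv01\nusername = dbadmin\npassword = Winter2016!\n",
    "app/config.ini": "[db]\nhost = 10.0.0.5\nconn = postgres://ehr:Sup3rSecret@10.0.0.5/records\n",
    "app/README.md": "Set the DB_PASSWORD environment variable before starting.\n",
    "docs/policy.txt": "Credentials must live in the vault, never on disk.\n",
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def run_demo():
    """Build the sample tree in a temp directory and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        for line_no, rule, shown in hits:
            print(f"{rel}:{line_no} rule#{rule} {shown}")
```

Run against a real share, the same report tells you which files to move into a secrets store and which accounts to rotate. Only the two files holding an actual secret are reported; the README that merely names an environment variable and the policy text produce no findings.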
Ultimately, it takes both a preventative approach with thorough security solutions and compliant file storage practices to ensure that your enterprise’s data isn’t stolen by a hacker due to an undiscovered or unprecedented vulnerability in your mission-critical software. How will your organization hold up to an attempted intrusion?