Clinic Discovers Lengthy Intrusion Post-Ransomware AttackLessons to Learn When an Attack Uncovers Earlier Breaches
An Atlanta-based neurological practice is the latest healthcare organization to recover from a ransomware attack, only to discover it was the victim of a significant earlier intrusion that lasted more than a year.
See Also: The Global State of Online Digital Trust
While Peachtree Neurological says it was able to recover its data and functionality of its EMR using backups and without paying a ransom to extortionists, an investigation into the incident revealed that the clinic's systems had been accessed without its knowledge or authorization by unknown parties for about 15 months prior to the ransomware attack being discovered.
Peachtree Neurological says "subsequent scans" of its computer system after the ransomware attack indicated no additional signs of the malware, and the clinic says its investigation does not show any indication that the ransomware exfiltrated any data from its system. This incident also did not impair clinic's ability to provide care to its patients, Peachtree Neurological says.
However, through its investigation of this incident, Peachtree Neurological "discovered that its computer system previously had been accessed without its knowledge by unauthorized individuals not affiliated with PNC between February 2016 and May 2017."
The clinic says it is not able to confirm which, if any, files or patient information were accessed, but the incident potentially compromised Peachtree Neurological's electronic medical record system containing patient names, addresses, telephone numbers, Social Security numbers, dates of birth, driver's license numbers, treatment or procedure information, prescription information, and/or healthcare insurance information.
The breach was reported on July 7 to the Department of Health and Human Services as a "hacking/IT incident" on a network server affecting 176,295 individuals according to HHS' Office for Civil Rights' HIPAA Breach Reporting Tool, commonly called the "wall of shame". That federal website lists reports to OCR of major health data breaches affecting 500 or more individuals.
David Cole, an attorney representing Peachtree Neurological, says the clinic has since filed a revised breach report with OCR that includes an updated figure for the number of individuals affected by the hacking incident, 183,505. The clinic has not definitively determined whether the ransomware attack and the longer-term intrusion into its systems are related. "The hackers could've left a parting gift - ransomware," Cole says. "But the forensics couldn't confirm that."
Since the ransomware incident and the discovery of the intrusion, Peachtree Neurological has implemented a more robust firewall, a virtual private network, and offered its workforce additional training, Cole says.
Kate Borten, president of privacy and security consulting firm The Marblehead Group, says that the recent ransomware attack and longer-term intrusion into Peachtree Neurological's systems could very well be related. "Attacks can be subtle and hard to detect. Also, malware can be dormant until it is triggered by a preset time or a specific event," she says.
Michael Leigh, director for security defense operations at consulting firm NCC Group, says that when hacking incidents go undetected, as appears to be the case at Peachtree Neurological, "obviously, a threat actor being in an organization such a lengthy time poses risk, but risk varies from company to company and varies on what the threat actor compromised."
However, not all targeted assets are of value, and some breaches pose very little risk to an organization, whereas others could be critical, he adds. "The key is the longer they are in an organizations network with a foothold the more time they have to breach a critical asset and therefore all breaches should be taken seriously, which it looks like PNC did."
The Peachtree Neurological breach is the latest incident involving a healthcare entity recovering from a ransomware attack only to discover during its investigation that it was a victim of an earlier hacking attack.
On July 18, Women's Health Care Group of PA, an obstetrician/gynecology practice based in Oaks, Penn., issued a statement saying that the clinic discovered in May that a server and workstation located at one of its offices had been "infected by a virus designed to block access to system files."
While WHCGPA - like Peachtree Neurological - said it was able to restore its data and systems without paying a ransom using backups, forensic analysis into the WHCGPA ransomware incident indicated that the attack might have begun as early as January, WHCGPA says.
WHCGPA reported the case on July 15 to OCR as a "hacking/IT incident" impacting 300,000 individuals, according to the "wall of shame" website. The WHCGPA incident is currently the second largest breach reported to OCR so far in 2017.
WHCGPA says in its statement that the incident was also reported to the FBI. The clinic declined ISMG's request for comment and details about the incident.
Leigh notes that there are a number of reasons why earlier attacks are detected post-ransomware. "The most straightforward one is that ransomware is by its nature revealing that a compromise occurred. Previous attacks were designed to be stealthy," he says. "After an organization learns that it has been breached, it's going to do a thorough investigation. Since these investigations are costly, they aren't to be performed unless there is a reason."
Mac McMillan, president of security consultancy CynergisTek, says investigations after a security event are critical in terms of learning what happened in a given incident, but also for potentially identifying older issues.
"The forensic process often takes a significant amount of time to complete when sifting through audit trails involving thousands of logs looking for instances of unauthorized access that may have occurred over a long period of time," he says. "This is not a trivial process and must be done thoroughly."
Another reason why an earlier attack can go undetected is the organization's intrusion detection capabilities, Leigh adds. "Most organizations who do monitor have a hard time deciphering the signal from the noise, which results in their staff becoming inundated with events and alerts. Keep in mind as organizations become more complex and grow in size the attack surface follows a similar trajectory, which creates a more complex environment to monitor."
Lessons to Learn
The discovery of any breach or cyberattack at any covered entity or business associate should send off red flags concerning its security, Borten says.
"There should be lessons learned when an organization experiences an attack," she says. "An organization may discover it needs to modify its alert settings, follow up with new action steps in responding to certain alerts, and/or use more sophisticated tools to identify and thwart future attacks."
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, warns that even when entities suffer ransomware attacks but promptly restore data using backups, there is no sure-proof guarantee that patient data wasn't viewed or exfiltrated before being encrypted by the malware.
"That is an important point. If cybercrooks had access to files to encrypt them, then they certainly could have copied the clear text files prior to encryption, and they may have stored them elsewhere to use at another time, to sell to other crooks, etc.," she says.
"This is why is it always best to keep sensitive data and personal data encrypted in storage; if the data is already strongly encrypted, and crooks then encrypt it using ransomware, then you can be almost certain that they have not been able to actually view it or use it in other malicious ways," she says.
"If you don't keep your data encrypted and then ransomware hits it, you must assume that the crooks could have made a copy of it prior to encrypting it."
McMillan says that while investigations into security incidents such as ransomware attacks often lead to the discovery of other incidents, entities should strive to be more proactive - not reactive - in terms of regular, effective monitoring for problems.
"Waiting for an incident to find other incidents is a very risky way to run a business, it's like waiting for your engine to seize to check your oil," he says. "I hope I'm not riding with you."