Tag Archives: Healthcare

Covid-19 Does NOT Mean No Ransomware

Three separate ransomware stories, all against healthcare organizations, even though SOME hackers SAID they weren't going to hack healthcare during the pandemic. Of course, what makes you think you can trust people who break the law for a living?

#1 – Largest Private Hospital Company in Europe Hit By Ransomware

Fresenius is Europe's largest private hospital operator and a major provider of dialysis equipment and services. The company said that the attack has "limited some of its operations but that patient care continues."

You can't expect them to say anything different, but the parts of its operations that are limited are likely the ones that use computers. Which is pretty much everything.

They have four business units: kidney patient care, hospital operations, pharmaceuticals and facilities management. I am sure that none of those depend on the ransomed computers.

Fresenius employs nearly 300,000 people.

To make matters worse, the particular malware, SNAKE (also called EKANS), is built to kill processes belonging to industrial control system software before it encrypts. None of that in your average hospital, of course.

SNAKE also belongs to the "ransomware 2.0" family: the operators steal your private data before encrypting it and threaten to publish it if you don't pay up. That is why backups, while still essential, are not a complete defense against these attacks. Credit: Brian Krebs

#2 and #3 – Two Other Ransomware 2.0 Attacks Went After Plastic Surgery Clinics

One was Dr. Kristin Tarber's clinic in Bellevue, Washington, where the hackers published patient medical histories.

The other is in Nashville, TN: the Nashville Plastic Surgery Institute, doing business as Maxwell Aesthetics. There the hackers stole patient history data, health insurance information, surgery details and other information.

I haven't seen the stolen or published data from these attacks, but in other plastic surgery breaches the hackers have published before-and-after photos of body parts that are not usually exposed, if you get what I mean.

The challenge for the healthcare industry is that insurance companies and government reimbursements are squeezing margins, and security spending is one of the first things to go.

Until the folks who control those reimbursements decide that being shut down for weeks, or operating off paper charts with no visibility into patient history, is not acceptable, expect a lot more breaches.

For the hackers, this is very lucrative. I would not be surprised if this is a revenue stream for North Korea.

I definitely feel for the healthcare providers. They want to do the right thing, but they don’t have the money.

This year the Department of Defense, which has had its own problems with hackers, decided that security is not optional and will actually reimburse defense contractors for the cost of implementing it.

The healthcare industry hasn't gotten there yet. Hopefully it will. Otherwise, expect your medical information to be available for sale on the web. Credit: SC Magazine


Two Hospitals Learn They Had Been Hacked When FBI Visited

Recently, the FBI has been knocking on businesses' doors.

First we heard about Scottrade. In October the FBI came visiting Scottrade. Hi. How ya doin'? Oh, by the way, we found files on 4.6 million of your customers on the dark web. Have a nice day.

In September it was Owensboro Health in Kentucky. The FBI visited them and said that they had found their data on the web. AFTER the FBI visit, Owensboro, now called OH Muhlenberg after a merger, found keystroke loggers on some of their computers. They think the loggers may have been there since 2012. The computers with the keystroke loggers were used to enter patient financial data and health information, so anything typed into them was captured. Information potentially taken includes name, address, phone number, birth date, Social Security number, driver's license number, health plan information, diagnoses, treatment, bank account numbers, credit card information and other data. In other words, anything and everything.

This is an example of what can happen if you don't do cyber due diligence on an acquisition. Owensboro bought Muhlenberg and got a free, full-blown data breach at no extra charge.

In December, Maine General announced that they too had been visited by their friends at the FBI to tell them that they had been breached. This breach seems a little less worrisome in that no financial data was taken, or at least they don't think so.

The good news is that the FBI is telling businesses that it is finding their data on the web. The bad news is that the FBI is telling businesses that it is finding ....

At that point, the cat is kind of out of the bag.

After the shock wears off, the CEO gets to call up his Chief Information Security Officer and tell him or her to bring over the documented and tested incident response plan, because we need to use it. Like now. What? You don't have a Chief Information Security Officer? Or an incident response plan? Which means it has never been tested. Uh-oh!

Needless to say, this is NOT the way the CEO wanted to spend his or her day. Or the next few years, dealing with regulators and lawsuits. Not much fun at all.

The time to plan is before the FBI pays you a visit.

Information for this post came from Data Breach Today.