Dissecting the Anatomy of a Healthcare Breach: Lessons Learned

Security breaches impact health systems clinically as well as in IT. Cyberattacks can be as devastating as natural disasters, including tornadoes or hurricanes, and potentially endanger patient lives. CloudWave recently held a webinar outlining the anatomy of a healthcare breach, where we evaluated recent occurrences and discussed what safeguards healthcare organizations can take to mitigate risks and get back up and running faster should one hit their organization.

While much has been reported in the media about the Ascension Health, Change Healthcare, and Synnovis breaches, the webinar examined the aftermath of each and the lessons hospitals should draw from them, along with the basic, key tactics they should implement.

Ascension Health Breach Details

Ascension Health suffered a breach when an employee clicked what they thought was a credible link. The breach caused EHRs in 142 locations to be down for more than five weeks.

Even though Ascension had tested downtime procedures, clinicians were strained by paper charting and, unable to access electronic records, relied on patients to disclose all their medications. A failure to mention one of those medications could have serious health consequences. Lab results were not viewable. These challenges prompted a local union to distribute an online petition to healthcare staff stating its concerns about the difficulties created by the cyberattack.

The petition demanded that additional safety precautions be implemented for the well-being of both staff members and patients. It included a request for regular training sessions for staff members to improve their knowledge and skills in navigating the challenges due to the cyberattack.

An important point underscored here is the organization's responsibility to look beyond the IT impact and understand the clinical aspect. Patients, families, and staff matter more than getting systems back up, and they should all be kept informed.

Lessons learned in the Ascension breach:

  • Consider patients and staff first in incident response plans
  • Have processes in place for communication, including internal communication and staff support during downtime and external communication with patients and families
  • Plan for 6-8 weeks of downtime
  • Evaluate staff training for phishing
  • Test your organization’s readiness

Change Healthcare External Breach

In the case of Change Healthcare, a ransomware group remotely accessed a Citrix portal that enables remote access to desktops using compromised credentials. The portal did not have multifactor authentication in place.

It took up to a month to bring the systems back online, with related costs reaching nearly $1 billion, including the $22 million ransom paid to lessen the impact of stolen data. Even so, Axios reports that up to one in three Americans may have compromised personal information from this breach, with reports of some data appearing on the dark web.

Lessons learned from the Change Healthcare attack include:

  • Ensure multifactor authentication is in place
  • Update software: is patch management software doing what it needs to and being updated?
  • Training, training, and more training
  • Evaluate the supply chain and third parties. Know the security and incident response protocols for critical vendors.
  • Conduct cybersecurity tabletop simulations that go beyond IT. Include participants from the rapid response, clinical, and C-suite/executive teams.
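The Change Healthcare lesson above is that a remote-access portal accepted valid credentials with no second factor. As an added example (not from the webinar or CloudWave's own tooling), the Python below audits constructed portal authentication records and flags two defender-relevant patterns: successful logins completed without MFA, and a success that follows a burst of failures for the same account and source address. The log format, user names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records for a remote-access portal (not real logs).
# Format assumed for this example: timestamp user result mfa=<yes|no> src_ip
SAMPLE_LOG = """\
2024-02-20T08:01:10Z jdoe SUCCESS mfa=yes 203.0.113.5
2024-02-20T08:05:44Z svc-remote FAIL mfa=no 198.51.100.7
2024-02-20T08:05:51Z svc-remote FAIL mfa=no 198.51.100.7
2024-02-20T08:06:03Z svc-remote FAIL mfa=no 198.51.100.7
2024-02-20T08:06:20Z svc-remote SUCCESS mfa=no 198.51.100.7
2024-02-20T09:12:00Z asmith SUCCESS mfa=no 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAIL) mfa=(yes|no) (\S+)$")

def parse_events(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, result, mfa, ip = m.groups()
            events.append({"ts": ts, "user": user, "ok": result == "SUCCESS",
                           "mfa": mfa == "yes", "ip": ip})
    return events

def find_risky_logins(events, fail_threshold=3):
    """Return (user, ip, reason) findings.
    - success_without_mfa: a login succeeded with no second factor, the gap
      described in the Change Healthcare section.
    - success_after_failures: a success preceded by >= fail_threshold
      consecutive failures from the same user/ip, a common sign that
      credentials were guessed or replayed rather than known."""
    findings = []
    fails = defaultdict(int)
    for e in events:
        key = (e["user"], e["ip"])
        if not e["ok"]:
            fails[key] += 1
            continue
        if not e["mfa"]:
            findings.append((e["user"], e["ip"], "success_without_mfa"))
        if fails[key] >= fail_threshold:
            findings.append((e["user"], e["ip"], "success_after_failures"))
        fails[key] = 0  # a success ends the failure streak
    return findings
```

In practice the same two checks would run against the portal's exported authentication log, and any success_without_mfa finding points at an account or policy where enforcement is missing.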

Once again, patients should be the key priority. Leading and supporting staff is also critical, addressing their fears and uncertainty. Furthermore, organizations must proactively address patient families’ concerns. These groups are the focus over IT systems.

Synnovis Attack

The ransomware attack on London-based Synnovis, a lab company that manages blood tests for several major hospitals, saw the Russian group Qilin access its network. The attack impacted the delivery of blood transfusions at those hospitals, prompting thousands of operations and appointments to be postponed. According to Britain's National Health Service, some data had been published online. As this breach recently occurred, the full impact is still being determined.

This incident offers the following lessons:

  • Plan for supply chain attacks
  • Identify how to keep operations up during an attack on your third parties

Collectively, these events raise several questions that healthcare organizations should be prepared to answer:

  • Do you have the appropriate training for clinical staff to continue quality care?
  • Do you have a plan to divert patients and minimize the impact?
  • Do you have backup vendors for some critical clinical functions?
  • What staff procedures are in place to reduce the strain and burden on staff?
  • How long are you prepared to have your EHR down?
  • Have you tested staff communications/procedures?
  • Can you order supplies during downtime?
  • What can you do now to have these safety precautions in place prior to a breach?
  • Do you have a robust backup/recovery plan in place to speed up time to recovery?
  • Does your incident response include systems other than EHRs, like labs, typically handled by other departments?
  • Have you identified critical systems and have a plan in place if those go down?
  • How would you mitigate an attack like this from your third-party vendors?

Summary

Data breaches in healthcare are on the rise and can create lasting impacts. They can also provide lessons to guide organizations in evaluating their cybersecurity programs. When doing this, aim to make small, incremental improvements, including adding training where there are gaps. Practice processes often so that teams develop muscle memory and, when the time comes, do not have to rely on documentation alone.

To explore this critical subject in more detail, we invite you to listen to the on-demand webinar, “Anatomy of a Healthcare Breach and Lessons Learned,” provided to our CloudWave Cybersecurity Insider Program members. Join now and access the recorded webinar, “An In-Depth Look at the Latest Cyber Exploits: From the Attacker’s Perspective,” for an expanded look at this topic.

Not a member? Register now for live monthly educational webinars, on-demand training sessions, threat intelligence alerts, and more. If you have any additional questions about cybersecurity breaches and mitigating their impact or want to discuss your cybersecurity strategy with one of our experts, please email customersfirst@gocloudwave.com.

Johnathan Buice, MBA MIS, CISSP, Senior Security Architect, CloudWave