On Wednesday, August 3, 2016, Banner Health announced the first potential mega breach of 2016. 3,700,000 patients were notified that their personal health information (PHI) might have been compromised by hackers. Patients’ names, dates of birth, addresses, dates of service and social security numbers were part of the potentially compromised data.
Per Banner Health’s press release, they learned that the cyberattacks might have started when hackers gained access to payment card data from cards used at various food and beverage outlets located in some Banner Health facilities. It is believed that this happened from June 23 until July 7, 2016.
Banner Health also stated that they realized on July 13, 2016, that the hackers might have gained access to PHI, so they then worked quickly to block the attack. They are offering one year of free credit monitoring to all individuals affected by this incident.
We recently sat down with Jeremy Molnar, CynergisTek’s VP of Technical Services, for his input on this incident, as well as other cyber attacks and how to prevent future attacks.
How common is it for food/non-clinical payment servers (POS systems) to be linked to patient data servers?
The systems may not communicate directly by design; however, a “link” may be available due to improper segmentation between the POS (and other devices involved with payment processing) and the other systems on the network, which include patient data servers. Segmentation, or restrictions, should be put in place to limit which systems can communicate with each other and where sensitive data can reside/flow. Unfortunately, it is fairly common to see this lack of segmentation, something generally referred to as a “flat network,” in the healthcare industry. This is usually explained as due to the higher administrative overhead and lack of resources, but it’s also likely due to an incorrect understanding of the associated risk. Look at the respective compliance requirements as an example. PCI expects an organization to define in scope assets, something accomplished largely with segmentation. The HIPAA Security Rule, on the other hand, makes no mention of segmentation.
How sophisticated is this type of attack?
There are not enough details available to determine the sophistication of the attack or attacks involved. That said, given the current descriptions, it is likely safe to assume that a lack of segmentation, as outlined in the previous question, played a part in what happened. While it’s possible that the attack(s) were sophisticated, the lack of segmentation means that the attack(s) did not need to be in order to be successful. Let’s say that an external web server is compromised, for example. Ideally, with appropriate segmentation, that compromise would stop there and would provide no further attack avenues into the network. Without restrictions, an attacker may be able to continue easily attacking other systems on the network until they find sensitive data. The point here is that the organization likely did not make it any harder for the attacker(s).
Have we seen attacks exploiting vulnerabilities or weak security in this way before?
Payment systems have been compromised before. Target (2013) and Home Depot (2014) are perfect examples. Healthcare systems have also been compromised before, including Anthem (2015), Premera (2015), UCLA (2015). Without knowing the specific details, there is no way to determine the similarities between the individual attacks. However, what is similar between these different attacks is weak or poorly implemented security practices. It could be a lack of patching, a lack of segmentation, a lack of network monitoring, or it could be a combination of all of those. It is important for an organization to conduct periodic risk analyses or risk assessments to identify these potential gaps so that they can be appropriately addressed.
We then asked Jeremy about preventative steps other systems should take to avoid this type of attack. His response:
There’s a few questions that should be asked to help determine appropriate preventative steps.
- For the initially compromised system, was the level of access from the Internet appropriate? It is not often that we see healthcare organizations provide a direct link to payment related systems from the Internet. In fact, they generally outsource that type of activity to third parties, which would provide no direct access to the organization’s internal network.
- If the access above was appropriate, how was the state of security for that system assessed and addressed? Does the system have strong patch and configuration processes in place to ensure timely application? Does the system get regularly scanned for vulnerabilities or have penetration tests conducted against it? Does the code used by the system get reviewed by peers and third parties regularly? It is important that Internet-facing systems have much more stringent requirements as they are the front lines.
- What type of access do the compromised systems need internally? This is the segmentation question and likely the most important. It is understood that attacks are going to happen and some of these attempts can and will be successful. Appropriate segmentation or restrictions should make it much harder for an attacker to make headway beyond an initial compromise. Ideally, this means the attack never makes it past the perimeter, but it also ensures that if it does, it is much harder for the attacker to move from system to system. The longer and harder it is for an attacker to make their way through the network, the more likely they are to make mistakes or trigger something that will clue us into the compromise which will hopefully allow us to respond and react before the compromise reaches sensitive data. Think of it this way, a runner may run 100m in 10 seconds. Introduce hurdles and that time may increase to 12 seconds for the same distance. The more hurdles or traps we can introduce, the better.
Developing and maintaining a proactive security program is becoming a business imperative. Click here to learn more about how CynergisTek can help with your program or email us at firstname.lastname@example.org.