On Wednesday, August 3, 2016, Banner Health announced the first potential mega breach of 2016. 3,700,000 patients were notified that their personal health information (PHI) might have been compromised by hackers. Patients’ names, dates of birth, addresses, dates of service and social security numbers were part of the potentially compromised data.

Per Banner Health’s press release, they learned that the cyberattacks might have started when hackers gained access to payment card data from cards used at various food and beverage outlets located in some Banner Health facilities. It is believed that this happened from June 23 until July 7, 2016.

Banner Health also stated that they realized on July 13, 2016, that the hackers might have gained access to PHI, so they then worked quickly to block the attack. They are offering one year of free credit monitoring to all individuals affected by this incident.

We recently sat down with Jeremy Molnar, CynergisTek’s VP of Technical Services, for his input on this incident, as well as other cyber attacks and how to prevent future attacks.

How common is it for food/non-clinical payment servers (POS systems) to be linked to patient data servers?

The systems may not communicate directly by design; however, a “link” may be available due to improper segmentation between the POS (and other devices involved with payment processing) and the other systems on the network, which include patient data servers. Segmentation, or restrictions, should be put in place to limit which systems can communicate with each other and where sensitive data can reside/flow. Unfortunately, it is fairly common to see this lack of segmentation, something generally referred to as a “flat network,” in the healthcare industry. This is usually explained as due to the higher administrative overhead and lack of resources, but it’s also likely due to an incorrect understanding of the associated risk. Look at the respective compliance requirements as an example. PCI expects an organization to define in scope assets, something accomplished largely with segmentation. The HIPAA Security Rule, on the other hand, makes no mention of segmentation.

How sophisticated is this type of attack?

There are not enough details available to determine the sophistication of the attack or attacks involved. That said, given the current descriptions, it is likely safe to assume that a lack of segmentation, as outlined in the previous question, played a part in what happened. While it’s possible that the attack(s) were sophisticated, the lack of segmentation means that the attack(s) did not need to be in order to be successful. Let’s say that an external web server is compromised, for example. Ideally, with appropriate segmentation, that compromise would stop there and would provide no further attack avenues into the network. Without restrictions, an attacker may be able to continue easily attacking other systems on the network until they find sensitive data. The point here is that the organization likely did not make it any harder for the attacker(s).
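To make the segmentation point from the two answers above concrete, here is an added example (not code from the interview or from CynergisTek): a small policy check that maps addresses to network zones and flags any flow that crosses zones without an explicit allow rule, which is exactly the traffic a flat network lets through unnoticed. The zone names, address ranges, allow list and log format are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed example zones (assumed addresses, not any real hospital network).
ZONES = {
    "pos": ipaddress.ip_network("10.10.0.0/24"),       # food/beverage POS
    "payment": ipaddress.ip_network("10.20.0.0/24"),   # card processing
    "phi": ipaddress.ip_network("10.30.0.0/24"),       # patient data servers
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # external web servers
    "clinical": ipaddress.ip_network("10.40.0.0/24"),  # clinician workstations
}

# Explicitly permitted cross-zone flows; everything else should be blocked.
# A flat network is the degenerate case where this set is effectively "all pairs".
ALLOWED = {("pos", "payment"), ("clinical", "phi")}

def zone_of(ip):
    """Map an address to its zone; addresses outside every zone are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Parse a constructed 'src=A dst=B dport=N' log line into a tuple."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["src"], f["dst"], int(f["dport"])

def violations(log_lines):
    """Return (src_zone, dst_zone, flow) for flows crossing zones without a rule."""
    bad = []
    for line in log_lines:
        src, dst, dport = parse_flow(line)
        s, d = zone_of(src), zone_of(dst)
        if s != d and (s, d) not in ALLOWED:
            bad.append((s, d, (src, dst, dport)))
    return bad

# Constructed flow log; the POS->PHI and DMZ->PHI lines are the cross-segment
# traffic that proper segmentation should block, or at the very least alert on.
SAMPLE_LOG = [
    "src=10.10.0.5 dst=10.20.0.9 dport=443",    # POS -> payment (allowed)
    "src=10.10.0.5 dst=10.30.0.7 dport=445",    # POS -> PHI (violation)
    "src=192.0.2.10 dst=10.30.0.7 dport=1433",  # DMZ web -> PHI (violation)
    "src=10.40.0.12 dst=10.30.0.7 dport=443",   # clinician -> PHI (allowed)
    "src=10.30.0.7 dst=10.30.0.8 dport=5432",   # PHI -> PHI (same zone)
]
if __name__ == "__main__":
    for s, d, flow in violations(SAMPLE_LOG):
        print(f"cross-segment flow {s} -> {d}: {flow}")
```

The same check can be pointed at real firewall or NetFlow exports once the zone table reflects the organization's own segmentation design, turning the "flat network" question from a guess into a measurable finding.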

Have we seen attacks exploiting vulnerabilities or weak security in this way before?

Payment systems have been compromised before. Target (2013) and Home Depot (2014) are perfect examples. Healthcare systems have also been compromised before, including Anthem (2015), Premera (2015), and UCLA (2015). Without knowing the specific details, there is no way to determine the similarities between the individual attacks. However, what is similar between these different attacks is weak or poorly implemented security practices. It could be a lack of patching, a lack of segmentation, a lack of network monitoring, or it could be a combination of all of those. It is important for an organization to conduct periodic risk analyses or risk assessments to identify these potential gaps so that they can be appropriately addressed.

We then asked Jeremy about preventative steps other systems should take to avoid this type of attack. His response:

There are a few questions that should be asked to help determine appropriate preventative steps.

Developing and maintaining a proactive security program is becoming a business imperative. Click here to learn more about how CynergisTek can help with your program or email us at info@cynergistek.com.