Fraud Management & Cybercrime , Governance , IT Risk Management
Healthcare Incident Points to Possible 'Altered' Patient Data(HealthInfoSec) • January 7, 2019Data integrity issues can arise in the wake of a ransomware attack. Case in point: A California podiatrist practice hit by ransomware reports that patient files were possibly "altered" or "corrupted."
See Also: Live Webinar | Sunset of Windows Server 2008: Migrate with Docker
In a notification statement, the Podiatric Offices of Bobby Yee, which has locations in Monterey and Salinas, reports that on Oct. 29, 2018, the practice was "the victim of a ransomware attack which resulted in the unauthorized alteration and potential corruption of their medical files, including patient personal information." The statement adds that "there is no evidence suggesting that personal or medical information was viewed or exfiltrated."
The attack was reported to federal regulators on Dec. 20 as a hacking/IT incident affecting 24,000 individuals and involving a desktop computer, laptop, and other portable electronic devices, according to an entry on the Department of Health and Human Services' HIPAA Breach Reporting Tool website.
Commonly called the "wall of shame," the federal website lists reports of health data breaches impacting 500 or more individuals.
—David Finn, CynergisTek
Attacks potentially impacting the integrity of patient data is "is the next 'big risk' issue," predicts former healthcare CIO David Finn, executive vice president at security consulting firm CynergisTek.
"In terms of risk, there is no doubt that data integrity represents a huge risk to patient safety," he says. "We've now moved from confidentiality and availability - which ... impact patient trust and caregiver trust - into the integrity arena and that really represents patient safety."
'Altered Information'
The Podiatric Offices of Bobby Yee's statement notes that the "altered information" may have included first name, last name, address, telephone number, age, gender, date of birth, Social Security number, health insurance policy number and patient medical records.
Once the practice became aware of the incident, it took steps to protect personal information and to determine the nature and scope of the issue, the statement notes. "If there is indeed any alteration or corruption of your personal information, we may need to reconfirm or reconstruct the information, including your medical information," the statement adds.
The practice did not immediately respond to an inquiry from Information Security Media Group requesting additional details about the incident.
Patient Data Integrity
It remains unclear whether the practice hit by ransomware is referring merely to its data being encrypted by hackers, as is common in ransomare attacks, or otherwise altered.
The data alteration reference "is very likely a nicer way of saying the data was encrypted and bricked for money," says Harold Byun, a vice president at application data protection firm Baffle. "In order for ransomware to be successful, it needs to affect multiple users and collect a ransom, which by nature, makes it an attack that is aimed at a widespread population of victims," he notes.
"It is possible that ransomware could be used to modify specific data types or databases, but that would be a much more targeted and advanced attack that would require prior knowledge of the system and application and would likely only be used in a scenario where the risk vs. reward was very large."
But attacks that impact data integrity can also be potentially caused by mistakes made by hackers, notes Ron Pelletier, a partner at Pondurance, LLC, a cybersecurity firm specializing in managed detection and response. "It's further important to perform the necessary forensics to drive clarity. For instance, it is entirely possible that encryption activity initiated by the bad actors was faulty, or otherwise the production data was already in the middle of a routine of some sort, which may inadvertently corrupt some of the datasets," he says.
"If the organization was able to gain a copy of the malware instance, they could reverse engineer it to determine the scope of its payload - [for example to] potentially hide files or steal credentials."
Integrity issues often get less attention than availability and confidentiality, Finn says.
"In terms of security, we are used to dealing with confidentiality, availability and integrity. We've gotten pretty good at availability. We're getting better at confidentiality - new regulations, including the General Data Protection Regulation [in the European Union] will help that," Finn says. "Unfortunately, we tend to think that all the systems, tools and 'built in' integrity checking are taking care of integrity, so it gets taken for granted."
Attacks impacting the accuracy and integrity of data can effect a range of healthcare systems and medical gear, "everything from safety limits on syringe pumps ...calibration settings on lab equipment or imaging machines, and just the critical patient data like allergies, dosages or diagnosis could alter care plans or treatments with grave effects," Finn notes.
Changed But Not Viewed?
Can data be altered or corrupted in ransomware and other cyberattacks without being viewed or exfiltrated, as the podiatry practice of Dr. Bobby Yee says happened at its organization?
"Yes, absolutely," says former healthcare CISO Mark Johnson, a shareholder at consultancy LBMC Information Security. "Viruses or malware in general do this all the time; they infect a file, and that changes the integrity of the file, i.e. the data of that file. The real question is, are there attacks going on that are designed to change the data, not just the operating system or application, and not just to exfiltrate the data?"
In theory, there are attacks with the capabilities to do this, he notes. "If you have enough access to encrypt the data, then you have enough access to change the data," he adds.
What's the Motivation?
While attacks aimed at tampering with data integrity are reason for concern, fortunately, such attacks in the healthcare sector appear to be rare, Johnson says.
"At this point it's hard to imagine an attack that's sole motivation is to change the data," he says. "Ransomware 'changes' the data by encrypting it, but it is blackmail or 'kidnapping' of your data. Attackers in ransomware assaults want to get paid - that's their motivation - so they tell you that the data is safe - unchanged - just taken 'away' from you until you pay."
Still, many attack victims in the healthcare sector "are looking to see if they can tell if the data was viewed or left the building, he adds "Few, if any, think about what the attacker did to the integrity of the data."
Johnson says healthcare organizations need to be on guard for potential attacks that impact data integrity. "Don't assume that the attacker's only motivation was to take your data," he says. "Assume that all of the data that they could have accessed has been altered."
Steps to Take
Healthcare entities can take a variety of steps to prevent and detect attacks that impact the integrity of data, Finn notes.
"I'd still like to see more encryption ... and multifactor authentication and better backup procedures," Finn says.
Other steps include validating computer software systems with vendors, implementing audit trails, running error detection software and establishing a vendor management security qualification program, Finn suggest.
"If you are developing your own software, you'll also want to adopt a development lifecycle that ensures data quality tasks are designed and built into the software from development through to system maintenance," he says.