Rehabilitation Center - (Attacker's) Mission Complete

by lg0p89

In general, people for the most part are healthy.  At times, we have issues requiring surgery and later rehabilitation.  Based on the injury, this could be a short or long journey.  Regardless of the length of rehabilitation, the patient needs to provide certain data and information to the facility where the treatment will take place.  This data is personal and confidential, and should be protected with all appropriate levels of security.  Unfortunately, a rehabilitation center in Michigan was recently compromised.

This affected the Sacred Heart Rehabilitation Center, located in Macomb County, Michigan.  The facility provides HIV/AIDS care, along with substance abuse treatment services.  They have operated as a non-profit since 1967.  As a non-profit, the last thing they needed was the expense of a compromise, the incident response, and putting new controls and policies in place.  That is only the internal administrative side.  There will be more issues with the U.S. Department of Health and Human Services, as this involved protected health information covered by HIPAA.

Attack

The tool the attackers used is all too familiar.  It has a great return on investment (ROI) and is easy to use, which makes it a favorite choice.  This successful compromise shows the phishing attack is alive and well.  The compromise was due to a simple, yet successful, phishing campaign.  The estimated attack period was April 5-7, 2018.  From the forensic work already done, it appears as though one employee's email account was compromised.

This significant, deep compromise is another example of what can go wrong when one employee's email is compromised.  All it takes is the right person in the right position and department to click once.

Data Exfiltrated

The compromised employee's email account unfortunately contained patients' information.  This included the patients' full names, addresses, health insurance information, medical treatment information, medical diagnoses, and/or Social Security Numbers.  This is just the right combination of data for identity theft and medical insurance fraud, and enough to make someone's life even more interesting.  As the patients are exceptionally sick, they and their families did not need this stress.  On the other side of the coin, the data and information is very valuable to the attackers, and could be sold as one lot, or divided into sections and sold to many persons.

Remediation

Once the administration learned of the issue on November 16, 2018, the rehabilitation center began an investigation, which is a great idea.  The rehabilitation center contracted with third parties to complete the cybersecurity forensic work.  The Sacred Heart Rehabilitation Center notified the affected parties.  The forensic work indicated that the number of affected parties was, thankfully, limited.  Letters were mailed to the affected parties on January 9, 2019.  The patients whose Social Security Numbers were exposed were offered credit monitoring and identity theft restoration services for a year, free of charge.  The patients were also given a best practices document showing them how to best defend their data.  The rehabilitation center is also providing additional training for the staff.

Questions

The compromise itself brings up many issues.  Since the successful attack and compromise took place in April, why did it take seven months to figure it out?  If a Security Information and Event Management (SIEM) system was in place and being monitored, this should not have taken nearly this long.  Even without a SIEM, which sounds odd, there should still have been a periodic log review.  One caveat on where to look: when a mailbox is phished, the attacker typically logs in to the mail service from outside and reads or exports the mail there, so a monitor on the office's outbound traffic may never see a massive flow of data to an odd IP address.  The signals live in the mail service's authentication and access logs: sign-ins from an IP address or country the user has never used, sign-ins at odd hours, and new inbox forwarding rules.  Any of those, reviewed even monthly, should have surfaced this long before November.
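As an added illustration (not from the article, and not based on any logs from this incident), the following Python script runs two of the checks described above over a constructed set of mailbox sign-in log lines: a login from a source IP the user had never used during a baseline period, and the creation of an inbox forwarding rule.  The log format, field names, user names, IP addresses and the April 1, 2018 baseline cut-off are all assumptions made for the example.

```python
"""
Added example: minimal mailbox-compromise detection over constructed sign-in
logs, of the kind a SIEM rule or a periodic log review would apply.

Assumed log format (one event per line, space separated):
    <ISO-8601 timestamp> <user> <event> <source IP>
where event is "login" or "forwarding_rule_created".
"""
from collections import defaultdict
from datetime import datetime

# Assumption: IPs seen in logins before this date are the user's normal set.
BASELINE_END = datetime(2018, 4, 1)

# Constructed sample log (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = """\
2018-03-20T08:02:11Z jdoe login 198.51.100.7
2018-03-21T08:05:43Z jdoe login 198.51.100.7
2018-03-22T17:55:09Z jdoe login 198.51.100.7
2018-03-28T09:14:30Z asmith login 203.0.113.22
2018-04-05T02:41:17Z jdoe login 192.0.2.250
2018-04-05T02:42:03Z jdoe forwarding_rule_created 192.0.2.250
2018-04-06T03:10:55Z jdoe login 192.0.2.250
2018-04-07T01:58:12Z jdoe login 192.0.2.250
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
        })
    return events


def detect(events, baseline_end=BASELINE_END):
    """Return alerts as (timestamp, user, reason, source_ip) tuples.

    1. Learn each user's known source IPs from logins before baseline_end.
    2. After the baseline, alert on the first login from an unknown IP
       (once per user/IP pair, to keep the alert volume sane) and on any
       forwarding rule creation.
    A user with no baseline history gets every post-baseline login flagged,
    which is the conservative choice for a small organisation.
    """
    known_ips = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["ts"] < baseline_end:
            known_ips[e["user"]].add(e["ip"])

    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ts"] < baseline_end:
            continue
        if e["event"] == "login" and e["ip"] not in known_ips[e["user"]]:
            alerts.append((e["ts"].isoformat(), e["user"],
                           "login_from_new_source_ip", e["ip"]))
            known_ips[e["user"]].add(e["ip"])
        elif e["event"] == "forwarding_rule_created":
            alerts.append((e["ts"].isoformat(), e["user"],
                           "forwarding_rule_created", e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Run against the sample, this raises two alerts on April 5, 2018: jdoe's first login from 192.0.2.250 and the forwarding rule created a minute later.  A real deployment would feed the same logic from the mail provider's sign-in audit log and pair the new-IP check with geolocation or ASN lookups, but even this crude version would have turned a seven-month dwell time into a same-day ticket.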

The credit monitoring sounds good to the consumer and patient; however, a year does not mean much.  The data exfiltrated from these unfortunate patients is static as of that point in time, and some of it, such as Social Security Numbers and diagnoses, is effectively permanent.  Credit monitoring also only watches for new credit activity; it does nothing for medical identity theft or insurance fraud committed with the stolen diagnosis and insurance details.  If the attackers were to attach a disclaimer to the data as they sell it to the many people and organizations interested, telling buyers to wait one year and one week before doing anything with it, the defensive measure would be an epic fail.
