Breach Notification , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security
Tennessee Pediatric Hospital Responding to Cyber Incident
Other Healthcare Entities Reporting Breaches Tied to Their Own Recent AttacksEast Tennessee Children's Hospital is among the latest healthcare entities dealing with a cyber incident disrupting some patient services. Meanwhile, a Missouri medical center and a Colorado cardiology practice have each reported that patients' protected health information was compromised in their own recent security events.
See Also: Gartner Guide for Digital Forensics and Incident Response
In a statement posted on its website Monday, East Tennessee Children’s Hospital, based in Knoxville, Tennessee, said it had been the victim of "an information technology security issue" that occurred Sunday evening.
The hospital's Facebook page indicates that since the incident occurred, a variety of services, including urgent care X-ray procedures and the organization's access to email, have been affected.
"Maintaining the safety and security of our patients and their care is our top priority. We are still able to care for our patients," the hospital's statement says. "Our cyber forensics teams and outside agencies are doing everything possible to minimize any disruption. The response is active and still ongoing. We apologize for any inconvenience, and ask for your patience as we address this issue."
East Tennessee Children's Hospital did not immediately respond to Information Security Media Group's request for more details about the incident, including whether it involved ransomware.
Several other healthcare entities, including South Denver Cardiology Associates PC in Littleton, Colorado, and Capital Region Medical Center in Jefferson City, Missouri, which both experienced their own cyber incidents in recent months, are now reporting them as PHI breaches.
South Denver Cardiology Associates Breach
SDCA reported to the Department of Health and Human Services' Office for Civil Rights on March 4 that a hacking incident discovered in January had affected the PHI of nearly 288,000 individuals.
In a breach notice, SDCA says that on Jan. 4, 2022, it identified "unusual activity" within its computer network. "We immediately initiated our incident response process, which included taking steps to secure the network and shutting off select computer systems," SDCA says.
The practice's investigation determined that an unauthorized person had accessed SDCA's network between Jan. 2 and Jan. 5, and, during that time, had accessed certain files stored on its systems potentially containing patient information.
SCDA says the potentially compromised information includes names, dates of birth, Social Security numbers and/or driver's license numbers, patient account numbers, health insurance information and clinical information, such as physician names, dates and types of service and diagnoses.
SDCA says there was no impact to the contents of patient medical records and no unauthorized access to the practice's patient portal. The medical practice is offering complementary credit and identity monitoring services to affected individuals.
Troy Stockman, CEO of SCDA, tells ISMG that upon discovery of the incident, the practice took its internet-facing systems and applications offline while experts worked to contain the situation. SCDA was still able to care for patients despite some of the practice's operations being offline for a few days, he says. The incident is still under investigation, and he declined to say whether it might have involved ransomware or other malware.
Capital Region Medical Center Incident
CRMC, in a statement posted on its website, says it is in the process of notifying an undisclosed number of individuals that their information was potentially compromised in a security incident involving "a system-wide network outage" that the entity experienced in December affecting its phones and computers (see: Entities Dealing with Email Breach, IT Systems/Phone Outages).
CRMC says its investigation into the incident concluded that personal and health information relating to some patients was contained in files accessible to an unauthorized third party, including name, date of birth, full mailing address, medical information and health insurance information. For some individuals, Social Security numbers, driver's license numbers and financial account information was included.
While CRMC says there is no evidence of fraud or identity theft as a result of this incident, it is offering affected individuals 12 months of credit and identity monitoring.
"CRMC continues to evaluate its security practices, and to help prevent something like this from happening again, CRMC will continue to identify opportunities to implement additional cybersecurity measures," the statement says.
CRMC did not immediately respond to ISMG's request for additional details about the incident, including the number of individuals affected.
As of Wednesday, the CRMC incident did not yet appear on HHS OCR's HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Evolving Threat Landscape
The incidents at East Tennessee Children's Hospital, Capital Region Medical Center and South Denver Cardiology Associates are reminders of the serious cyberthreats facing the healthcare and other industries, including international criminal organizations and sophisticated nation-states, says Jon Moore, chief risk officer at privacy and security consultancy Clearwater.
"They are not static in their approach. Instead, they are continually learning and adapting, changing their strategy to account for the defensive measures deployed against them," he says. A recent example of this adaptation is the basic ransomware attack escalating to double- and now triple-extortion attacks, he says.
"What this means for healthcare organizations is that the defenses you put in place to defend against yesterday's attack are very likely not enough to stop today's," Moore says. He says it is important for entities to align their baseline controls with best practices, such as those recommended by the Healthcare and Public Health Coordinating Council's Health Industry Cybersecurity Practices guidance and the National Institute of Standards and Technology Cybersecurity Framework.
"However, merely having resilient and adaptive cybersecurity programs when faced with attackers such as this will continue to place healthcare organizations in the role of victims," Moore says.
"Organizations need to go beyond developing programs that have the properties of resilience and adaption and adopt programs that include the property of antifragility. Only then will we be better able to deal with the dynamic threat environment."
An antifragility approach includes elements such as conducting regular training exercises to better prepare the organization to respond to attacks, taking a more risk-averse approach with an organization's most critical systems and applying a portion of the security budget to explore new or emerging solutions that offer a "big potential upside" if they are effective, according to Moore.
Bigger Picture
Former National Security Agency Deputy Cmdr. Tim Kosiba, CEO of bracket f, a wholly owned subsidiary of cloud security firm Redacted, says healthcare organizations must also consider the big-picture global assessment of the threats facing the sector, especially in light of the Russia-Ukraine war.
"It's a prudent assumption that Russia could resort to some sort of cyberattack on the Western world, to include the U.S. and Europe," he says. In particular, the Russian Conti ransomware cybercriminal gang has previously attacked healthcare sector organizations in the U.S. and Europe, including Ireland's Health Service Executive in May 2021, he notes.
"This is definitely a time to maintain your resilience. Certainly, hospitals and healthcare organizations are targets because they are often lacking in cybersecurity," he says.
In fact, HHS' Health Sector Cybersecurity Coordination Center on March 10 issued an updated warning for the healthcare sector based on a recent alert released by the Cybersecurity and Infrastructure Security Agency concerning the Conti ransomware group.
"Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000" HC3 says. "Notable attack vectors include Trickbot and Cobalt Strike."