This week’s announcement by Florida’s Broward Health System that the most intimate medical data of 1,357,879 of its patients was breached in the fall should serve as a warning that the healthcare software supply chain will be a juicy target for cybercriminals as we head into 2022, researchers warn.
The attackers breached the Broward Health network by compromising a third-party provider on Oct. 15, according to the organization’s disclosure, accessing: patient names; dates of birth; addresses; phone numbers; financial or bank information; Social-Security numbers; insurance information and account numbers; medical information including history, treatment and diagnosis; driver’s license numbers; and email addresses.
In response, Broward Health said that it has improved security and is offering victims a free two-year subscription for identity theft monitoring, adding the company has found “no indication that your personal information has been used to commit fraud.” Of course, this kind of information can have a long tail when it comes to cybercrime activity.
Broward Health didn’t disclose the specific number of impacted patients in its statement but was obligated to provide the Maine Attorney General’s office with the staggering 1.3 million-plus figure.
As startling as the number of impacted Broward patients may seem, Ron Bradley, vice president of Shared Assessments, calls this breach “just a drop in the proverbial bucket related to healthcare losses in 2021.”
Healthcare IT did the math and found at least 40 million compromised patient records in 2021 reported to the U.S. federal government alone. To boot, numerous attacks on medical systems made healthcare the industry with the costliest breaches – the average cost of a breach spiked to $9.23 million last year, up from $7.13 million in 2020.
Unpatched and legacy systems, overwhelmed staff, an ocean of connected devices and a litany of third-party software providers leave healthcare organizations vulnerable to attack, with the latter vector likely to be more exploited in 2022.
Even the simplest apps used in a healthcare setting can result in patient data exposure: Kaspersky found last month that 30 percent of healthcare providers reported instances where employees compromised patient data during remote consultations, often simply because the apps used for telehealth like FaceTime, Facebook Messenger, WhatsApp, Zoom and others weren’t built with patient privacy in mind.
Shoring Up the Healthcare Supply Chain
“According to Broward Health, the breach occurred from a third-party service provider authorized to access Broward Health systems,” Bradley added. “While HIPAA and HITECH regulations have effectively added many layers of protection to the data-security onion, the fact remains, healthcare is still a soft target with high-value rewards.”
That means in addition to managing a pandemic, the healthcare industry needs to take a hard look at its software supply chain, Tim Erlin, vice president of product management and strategy with Tripwire, explained in an email to Threatpost.
“While it may not be practical for you to audit all of your suppliers directly, you can ask them what standards they comply with and how they’re audited against those standards,” Erlin explained. “Best practices from NIST and the Center for Internet Security provide a solid foundation for most organizations.”
Erlin added this is a task that should be done regularly.
“It’s important to ask this question at least annually, as circumstances change,” Erlin advised. “This is a vital step to help safeguard the integrity of your organization’s digital assets and protect against similar threats.”
The accelerating shift to the cloud is making healthcare data even more complex to secure, according to Adir Gruss, vice president of technical solutions at Laminar.
“The biggest challenge impeding data-security teams today is that as more and more organizations move toward the cloud they have lost track of where sensitive data resides,” Gruss said. “You simply cannot protect what you don’t know about.”
Gruss advises teams to get a handle on their cloud data, including supply-chain access, and added, “with that knowledge, data-protection teams can move from gatekeepers to enablers.”
Regarding Broward Health, David Strauss, co-founder and CTO of Pantheon, told Threatpost that the fact that the October breach didn’t impact patient care is good news. But preventing what he sees as inevitable follow-on attacks should be a top priority.
In general, IT security teams across the healthcare sector should take a hard look at the software supply chain, he added.
“As more organizations increase reliance on external services, IT administrators must consider the impacts of a security breach happening on either side, including how to notice a breach in the first place and prevent it from spreading,” Strauss explained. “Isolating infrastructure in different roles — patient healthcare systems, billing systems, public websites, intranets — can help keep a bad problem from becoming a worse one.”