How undetected phishing creates a risk for a data breach
Prime Valley Healthcare, Inc., is a not-for-profit, medium-sized, healthcare system resulting from the 2013 integration of two healthcare systems.
Today, Prime Valley includes 36 hospitals, 550 patient care sites, 4500 beds, more than 5,300 active physicians, and 30,000 employees. In the past two years, annual revenue increased by $700 million and operating income more than doubled to $500 million.
In recent years, healthcare reform in the United States has focused on controlling rapidly rising health costs and increasing financial access to healthcare.
Healthcare delivery has not been touched to the same degree by the revolution that has been digitally transforming nearly every other aspect of society, although there has been a recent increase in telehealth practices during the Covid-19 pandemic.
One impediment to the greater use of communications and information technology is the absence of national standards for the capture, storage, communication, processing, and presentation of health information. Another is concern over privacy and confidentiality of patient medical records (patient health information), and data security issues.
Meghan Compton, the CISO at Prime Valley Healthcare, Inc., was looking over the morning IT infrastructure risk assessment reports when a call came in from Alex, a member of her security team. Alex has been keeping an eye on Dr. Froth’s online account. He is a new physician that just joined the physicians’ network at Prime Valley. Dr. Froth’s risk score has been increasing over the past month including multiple logins on his account from different offices and there has been activity from Europe at odd hours of the day.
While the security team has been monitoring Dr. Thomas Froth’s risk score, they find another risk score increasing, this time for the Head of Mergers&Acquisitions, Roy Smith. It is the same IP address that was linked to Dr. Froth that is also linked to Roy Smith’s account.
It seems that Prime Valley has joined the unfortunate trend of breaches caused by an undetected phishing attack.
Because of the increasing risk assessment, Prime Valley has had to notify the President and CEO and implement a threat investigation. Pressure is mounting on Meghan’s team to identify exactly what has happened and ensure that patient data hasn’t been breached.
One week later Alex found something. Alex presents some key findings from his analysis to Meghan using IBM QRadar Advisor with Watson. He tracked the attack back to legacy software that was used by the physician network. The attackers were in the physician network 3 months before Prime Valley Healthcare, Inc. finalized the acquisition. The attackers got into the physician network through a Facebook message.
The M&A team must have been in such haste that they overlooked making sure the network was secure before connecting accounts into Prime Valley’s corporate network. Using IBM X-Force Exchange to perform a threat intelligence investigation, the Threat Hunter on Meghan’s team identified a pattern from the Balkans with responsibility for other attacks on the US health system.
What Is Cybersecurity?
Too many events. Too many false alarms. Too many systems to track threats from root to damage. And not enough expertise to manage all this data and keep a team ahead of the enemy. The reality is that analysts need an assist from artificial intelligence (AI).
AI and machine learning make it easier and faster to find the root cause and chain of events comprising advanced persistent threats and insidious insider activity.
Cyber attacks continue to advance in scale and complexity. At the same time, IT budgets are thin, and security talent is simply outstripped by demand. The modern security operations center (SOC), whether on-site or virtual, needs to deploy a combination of technologies and people to close the gap between attacks and remediation.
With the right process you can get clear visibility into enterprise-wide infrastructure activities, coupled with the ability to respond dynamically to help protect against advanced, persistent, and opportunistic threats, whether they come from outside or inside the organization.