Sometimes following the news lets you find things like security incident investigations with interesting details.  But these cases were different from most.  Even better than that, we learned how a fish tank helped hackers!  There were just too many parts of these stories that got my attention to pass them up.  When something occurs and the investigation uncovers way more to the story than you normally see, we should all learn from it.

HIPAA For MSPs by David Sims Security Incident Investigations Find More Than Expected

Today’s topic

Security Incident Investigations Find More Than Expected

New Wall of Shame Feature

The notorious “Wall of Shame” maintained by OCR has gotten some major updates.  Yes, it is supposed to be called the breach portal or something like that but the dreaded Wall of Shame moniker will likely be here to stay at least for a while longer.  The updates make it much easier to see more details about the cases and find examples and statuses of many of them.  The addition of a bit of commentary on how the cases were closed may become my new research library.

Another very interesting option is to be able to select how many open investigations are going on from these breach reports.  When I ran the list it returned 354 open cases.  That includes just the breaches over 500 patients that have been reported.  It doesn’t include any of the complaints or other reasons for investigations.  No wonder these things take years to close.

HHS and OCR have said the changes are intended to make it easier for consumers to see how their providers are doing protecting their information. It is likely going to be used way more by people like me than average consumers.  Also, that will likely be the reason the name remains the same.  We now have it embedded directly into one of our pages.

Security incident investigations find hacker

In two cases, the ransomware investigation found that the ransomware attack itself was OK, BUT a hacker had been in there a while and no one noticed.  First, we got the details about the case in PA:  Women’s Health Group of Pennsylvania Notifies 300,000 Patients of Ransomware Attack.  In this case, they were hit with ransomware in May 2017.  They went through the appropriate steps to investigate the case and determine if anything was exfiltrated or someone had infiltrated the network to launch the ransomware.

Good news, ransomware was not a major threat.  Bad news, they had been hacked for months by someone who had nothing to do with the ransomware.  Forensics tracked this hack back to January.  Luckily it was only a few months in this case.  The next one can’t say the same.

Peachtree Neurological Clinic in Atlanta, GA got hit with a ransomware event in May 2017, also.  They too did the proper investigation steps and found the ransomware attack was not a breach of PHI.  However, just like the Women’s group in PA, the forensics team found a much bigger issue.  They had “unauthorized individuals” that had been accessing their systems since back in Feb 2016!  Fifteen months of access to their network means a lot of things could have happened that haven’t been uncovered yet.  When they sit around there for that long they are there for a reason.

In both of these cases, the ransomware event wasn’t the thing that caused the breach but it was the reason they found the breach and stopped it.  You have to wonder just how long these infiltrations would have continued if there wasn’t an investigation triggered by the ransomware incidents.  While many people see those investigations as a waste of time, it is clear that we are learning from them each time.  Sometimes, they are even finding much more serious concerns than had been on the radar for the organizations.

Remember, if you are hit with ransomware it isn’t just a wipe and reload thing anymore.  Documentation and investigations are required and certainly worth the process of the exercise in many of these cases.

Insider issues sending people to jail

Oregon curiosity killed the cat

Charges filed in St. Charles data breach: local DA accuses Dawnielle Vaca of computer crime.

The former St. Charles Health System employee who inappropriately viewed the medical records of 2,459 patients is facing criminal charges that carry a maximum penalty of two years in jail.

The records, accessed between Oct. 8, 2014, and Jan. 16, included patients’ diagnoses, their physicians’ names, medical histories, medications and treatment information. They also included names, addresses, birthdates and health insurance information.

The investigation did not find any evidence that patients were harmed financially. Vaca was not attempting to commit fraud, financial crimes or damage St. Charles’ computer system, he said. If she had been, Hummel said the charges would have been felonies.

WVU Medical Bank Fraud

Forty-one-year-old Angela Roberts admitted using someone else’s personal information to commit bank fraud in June 2016 in Berkeley County, West Virginia. She faces up to five years in prison and a $250,000 fine.

Another Anthem Breach

  • Anthem agreed to a proposed $115 million deal to settle a class action
  • LaunchPoint Ventures LLC of IN is a BA who does some sort of case management for them
  • 18,000 Medicare patients in 21 states
  • Info emailed to employee’s personal email account in July 2016
  • LP learned about employee involved in IT theft April 12
    • Forensics involved
  • May 28 other “non-Anthem” data involved???
  • June 14 they notified Anthem
  • LaunchPoint has terminated the employee, hired a forensic expert to investigate, and is working with law enforcement.
  • The employee has been incarcerated and is under investigation by law enforcement for matters unrelated to the emailed Anthem file.
    • Maybe ID theft? Ya think?
  • LaunchPoint is reinforcing existing policies and protocols and is evaluating additional safeguards to prevent any similar incidents from occurring in the future.
    LaunchPoint response to the incident.

File this under…. umm, fishing?

Other times you are completely surprised by the findings of security incident investigations.  That was certainly the case when I saw this story.  A casino was hacked using a fish tank as the access point.  This is a perfect example of how many different access points there are to networks now that all devices are getting connected.  A fish tank!  Really?  Yes, it was helpful to the fish but the people making and installing those devices don’t worry about your security.  Clearly.

That means that you have to be the one asking the questions.  They just know how to take care of really cool looking fish after all, not network security!  If you aren’t asking about all those cool devices that are being connected to your network, you should start sooner rather than later.  The times they are a changin’ when a fish tank is used by a hacker to access a network.

As IoT devices proliferate in all of our networks, they will certainly need to be included in security incident investigations to make certain that we are keeping them secure.  Based on what some of the vendors are doing, we likely have a long way to go before that will change.

There are certainly a lot of news stories out there but it definitely got my attention when security incident investigations found more than expected twice in a short amount of time.  Then, add in the casino story and I had to do a “security incident investigations weird things” kind of episode.  I am certain that none of these folks ever dreamed they would be the source of such stories but here they are in the news.  Security incident investigations turn up things that many of us can’t even imagine.  Keep that in mind the next time someone says that you need to investigate something that has occurred.  You never know where it may lead you.