By Ron Benvenisti. “The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII),” the agency said in a recent “Flash” alert published last week by Overseas Security Advisory Council (OSAC). OSAC is a U.S. Government inter-agency website managed by the Bureau of Diplomatic Security, U.S. Department of State.
The alert continues: “These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data,” the one-page document said.
The FBI and Department of Homeland Security often provide U.S. businesses with timely information to help prevent and identify cyber-attacks. These reports are only issued to constituent businesses and not to the general public.
As a service to the community I am taking the liberty of passing on this information because our town has such a large number of providers who may not be aware of this news.
Back in April the FBI warned that providers’ systems were lax compared with other business sectors, making them vulnerable to hackers accessing bank accounts or obtaining prescriptions.
This “Flash” did not identify any specific victims targeted by the hackers, and the agency remains mum on the specifics.
Last week, Community Health, which is the No. 2 U.S. publicly traded hospital operator, disclosed a malware attack in which data was stolen, including patient names, addresses, birth dates and Social Security numbers.
Community Health has been reserved in describing exactly how its network was attacked.
It is believed that hackers entered the company’s computer system through networking equipment that had not been patched to fix the “Heartbleed” Internet malware “bug”. This is the first known large-scale cyber-attack exploiting the vulnerability.
Apparently, as is typical, the intrusion was first used to obtain employee credentials for access to the company’s network. Using those credentials, the attackers gained entry to a database containing Social Security numbers and other personal records. At that point they were able to download the records, which can be used for identity theft.
Local healthcare providers, including hospitals, community healthcare clinics, labs and doctors’ offices, need to be vigilant in implementing HIPAA-compliant controls, verifying that all staff are trained in HIPAA requirements, and confirming that every hardware and software vendor they deal with states such certifications in their contracts. If not, the provider itself will be accountable for possible fines, civil lawsuits and loss of insurance coverage.
A final deadline for the HIPAA Omnibus rule is quickly approaching: healthcare organizations must make sure business associate agreements are revised and ready by Sept. 22, when business associates and subcontractors that work with covered entities become accountable for the privacy and security of personal health information.