A data breach impacting nearly 4 million people was reported by an Arizona-based healthcare organization earlier this month. Despite the seemingly massive scale, the attack is only the second largest this year, with those dubious honors going to a breach from an as yet anonymous insurance provider that impacted 9.3 million people earlier in June.


In the case of the Arizona incident, healthcare records were not the initial target of the hackers penetrating the Banner Health Facility; they were likely motivated at first by payment information. By targeting the “point of sale” infrastructure used in cafeterias and gift shops, they set their sights on the payment transaction systems used for snacks and beverages to access credit card information. With that initial phase of the attack accomplished, the perpetrators pivoted elsewhere on the facility’s network, eventually gaining access to the servers and hardware that house sensitive patient data.

Where credit card information is the goal, these sorts of attacks are common or even expected in industries like retail and fast food that see high transaction volumes, but this one demonstrates the dangers of interconnected networks. By identifying the weakest point within the network, the hackers can exploit any vulnerability they can find to get a foot in the door, then continue exploring once inside.

This approach, known as “lateral movement”, allows attackers to spread more comprehensively about a network, gaining access to additional devices as well as the data they may guard. Not only are the perpetrators able to infiltrate further into the network, but they can also leave behind paths for reentry should they be caught and forced out. This can be especially dangerous if IT managers believe a threat has been thwarted only to find a recurrence shortly down the line, and it can be difficult to know when a system is fully compromised.

In the case of an e-commerce or brick-and-mortar retail location, payment information is ultimately the most sensitive on file, but at healthcare facilities it’s merely another type of high-value target when compared to healthcare records, meaning extra precautions are important. Due to the nature of the interconnected network, this Banner Health event allowed the thieves to affect facilities and patients in seven states in the Western US, including Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming.

The breach notice, required by HIPAA, states that unusual activity was detected on the healthcare provider’s network, and further investigation revealed the malicious behavior. While the beginning of the inquiry revealed the activity regarding payment information, further investigation uncovered that electronic patient health information records may have been compromised as well. The fields at risk were as broad as they were comprehensive, including patients’ names, claims data, social security numbers, and information about their health insurance.

As the level of sophistication in cyber attacks increases, it’s important for IT managers and those involved in risk mitigation to have a clear understanding of interconnected networks and how access by one route may still expose patient health records, even if they were stored out of reach of the initial point of entry.
