Healthcare Industry Struck Again – St. Mary’s Hacked
Source: Healthcare IT News
I don’t usually do this, but I’ll start of this post, with a quote from Health Care IT News:
Think healthcare is not a target for cyberattacks? Think again. Following a pattern of increasing attack frequency, one Indiana-based hospital is the newest target, after hackers swiped the personal data of thousands.
So, you look over the part of the sensationalism associated with this article, you know, the “Think healthcare is not a target for cyberattacks” portion, it really makes you wonder about that state of security in the healthcare industry. Why is the healthcare industry being struck again and again?
Having come from that field of work, I know the answer, in fact, I can 99% guarantee you, that I know the cause of the recent hacking of St. Mary’s Medical Center. Not because I have insider knowledge into the incident that occurred, but because I know the industry, I know where the weaknesses are, and I know that nobody is doing anything to combat these problems.
I’m not a betting man, but I would be willing to take a wager, that I know exactly what happened with this incident, here we go:
Hackers/Crackers/Attackers probably got St. Mary’s Medical Center on their radar from another hacked hospital/healthcare organization. Probably by scouring email from the attacked organization. I would wager that St. Mary’s did nothing to provoke the attack.
Once attackers got St. Mary’s Medical Center’s domain name, maybe a doctor or staff member’s name and email address; a little bit of simple recon occurred, scouring for more doctors and more administrator’s names and email addresses. Also, a little bit of scouting probably occurred on the website, with bad guys looking for VPN services, remote email, or something similar, that they could log into with the proper credentials.
Once a decent list of names and emails were collected, that is when the phishing attempts began. Maybe a phishing email about how to reset your password, or a phishing email offering a raise, and you need to enter your email information. They don’t need many submissions, they only need a couple, and with that, they can leverage more and more information.
Once they have working credentials for a user or two, the attacker is then able to leverage an attack into the infrastructure, by sending out emails, as a “trusted source”, requesting user’s visit a page to dish up their credentials; which leads to an avalanche effect, where they are able to gain more and more credentials.
Next revelation, will be a little bit shocking to most, but the Personal Health Information (PHI) data that was stolen, was most likely a “secondary” target of the breach. From my experience, I have seen that attackers are motivated by more substantial, quicker, and easier ways of getting money, rather than selling PHI data. What I believe the primary goal of the attackers, was to see if they could access the doctor’s HR files, and be able to modify the doctor’s direct deposit information, to a known bank account, where the attackers could take the money and run. PHI will provide some potential money for the attackers, however, the primary source could come from the doctor’s paychecks.
So, there you have it. There is my guess on what occurred at St. Mary’s. We may see, in the upcoming months what really happened, but that is my bet on what happened.
The only other option, is that St. Mary’s could hire some big name company to help them access the damage, and they could flip it around, to say it was a nation-state actor, who was trying to get there hands on super-secret formularies for a new breakthrough cure-all drug, that St. Mary’s, a 585 bed hospital bed is producing; but in the end, we all know that would be a lie.