Broward Breach Highlights Healthcare Supply-Chain Problems – Threatpost
Newsletter
Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
More than 1.3 million patient records were stolen in the just-disclosed breach, which occurred back in October.
This week’s announcement by Florida’s Broward Health System that the most intimate medical data of 1,357,879 of its patients was breached in the fall should serve as a warning that the healthcare software supply chain will be a juicy target for cybercriminals as we head into 2022, researchers warn.
The attackers breached the Broward Health network by compromising a third-party provider on Oct. 15, according to the organization’s disclosure, accessing: patient names; dates of birth; addresses; phone numbers; financial or bank information; Social-Security numbers; insurance information and account numbers; medical information including history, treatment and diagnosis; driver’s license numbers; and email addresses.
In response, Broward Health said that it has improved security and is offering victims a free two-year subscription for identity theft monitoring, adding the company has found “no indication that your personal information has been used to commit fraud.” Of course, this kind of information can have a long tail when it comes to cybercrime activity.
Broward Health didn’t disclose the specific number of impacted patients in its statement but was obligated to provide the Maine Attorney General’s office with the staggering 1.3 million-plus figure.
As startling as the number of impacted Broward patients may seem, Ron Bradley, vice president of Shared Assessments calls this breach, “just a drop in the proverbial bucket related to healthcare losses in 2021.”
Healthcare IT did the math and was able to find at least 40 million compromised patient records in 2021 reported to the U.S. federal government alone. To boot, numerous attacks to medical systems made healthcare the costliest industry for breaches to occur – the average cost-of-breach spiked to $9.23 million last year, up from $7.13 million in 2020.
Unpatched and legacy systems, overwhelmed staff, an ocean of connected devices and a litany of third-party software providers leave healthcare organizations vulnerable to attack, with the latter vector likely to be more exploited in 2022.
Even the simplest apps used in a healthcare setting can result in patient data exposure: Kaspersky found last month that 30 percent of healthcare providers reported instances where employees compromised patient data during remote consultations, often simply because the apps used for telehealth like FaceTime, Facebook Messenger, WhatsApp, Zoom and others weren’t built with patient privacy in mind.
“According to Broward Health, the breach occurred from a third-party service provider authorized to access Broward Health systems,” Bradley added. “While HIPAA and HITECH regulations have effectively added many layers of protection to the data-security onion, the fact remains, healthcare is still a soft target with high-value rewards.”
That means in addition to managing a pandemic, the healthcare industry needs to take a hard look at its software supply chain, Tim Erlin, vice president of product management and strategy with Tripwire explained in an email to Threatpost.
“While it may not be practical for you to audit all of your suppliers directly, you can ask them what standards they comply with and how their audited against those standards,” Erlin explained. “Best practices from NIST and the Center for Internet Security provide a solid foundation for most organizations.”
Erlin added this is a task that should be done regularly.
“It’s important to ask this question at least annually, as circumstances change,” Erlin advised. “This is a vital step to help safeguard the integrity of your organizations digital assets and protect against similar threats.”
The accelerating shift to the cloud is making healthcare data even more complex to secure, according to Adir Gruss, vice president of technical solutions at Laminar.
“The biggest challenge impeding data-security teams today is that as more and more organizations move toward the cloud they have lost track of where sensitive data resides,” Gruss said. “You simply cannot protect what you don’t know about.”
Gruss advises teams to get a handle on their cloud data, including supply-chain access, and added, “with that knowledge, data-protection teams can move from gatekeepers to enablers.”
Regarding Broward Health, David Strauss, co-founder and CTO of Pantheon told Threatpost that the fact that the October breach didn’t impact patient care is good news. But preventing what he sees as inevitable follow-on attacks should be a top priority.
In general, IT security teams across the healthcare sector should take a hard look at the software supply chain, he added.
“As more organizations increase reliance on external services, IT administrators must consider the impacts of a security breach happening on either side, including how to notice a breach in the first place and prevent it from spreading,” Strauss explained. “Isolating infrastructure in different roles — patient healthcare systems, billing systems, public websites, intranets — can help a bad problem from becoming a worse one.”
Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.
Share this article:
In a display of 2FA’s fallibility, unauthorized transactions approved without users’ authentication bled 483 accounts of funds.
Cisco issued a critical fix for a flaw in its Cisco RCM for Cisco StarOS Software that could give attackers RCE on the application with root-level privileges.
UPDATE: SolarWinds has fixed a Serv-U bug discovered when attackers used the Log4j flaw to try to log in to the file-sharing software.
Anonymous on January 6, 2022
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
1.8M+ attacks, against half of all corporate networks, are attempting to exploit #Log4Shell, including with a new r… https://t.co/dDky1faadm
1 month ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
