Hospital Corporation of America (HCA) recently suffered a record-breaking breach for the healthcare industry, impacting 11 million records. On the U.S. Department of Health and Human Services Office for Civil Rights website, this breach holds the number one spot by the number of individuals impacted in the past 24 months.
HCA believes that no clinical information, such as treatment, diagnosis, condition, or payment information, credit card or account numbers, or other sensitive data like passwords, driver’s licenses, or social security numbers, has been leaked. HCA states that despite the significant data breach, day-to-day operations at its facilities remain unaffected. Once the comprehensive assessment of the breach concludes, a substantial financial impact is expected to follow.
A third-party system compromise appears to be the source of the breach, as HCA disclosed that the stolen data came from an external storage location used by an unnamed software system. The marketing team uses this system to automate the formatting of email messages.
According to DataBreaches.net, the hacker contacted HCA on July 4th to extort money, with a deadline of July 10th. The attackers posted a sample on a hacking forum to prove the breach. On July 5th, DataBreaches.net saw the data for sale on the darknet.
Pay Or Not Pay
This places HCA in a challenging position, and the recommendation is never to pay.
David Finn, VP at The College of Healthcare Information Management Executives (CHIME), agrees and said “I don’t think there is any Security leader or any law enforcement agency that recommends the paying of ransom. It does not assure you get your data and everything goes back the way it was (these are basically “bad” people, why would they keep their words) and with the “reverse ransom” we’ve been seeing they get your money, money from the victims and then they still do what they want. Paying ransom just enforces to the bad guys that crime does pay. Paying likely makes it worse for you and certainly for the rest of the sector”.
If your organization contemplates paying a ransom, formulate a strategy in advance for acquiring and disbursing cryptocurrency, since Bitcoin is typically the preferred form of ransom payment.
Keep in mind that a third party usually handles this process. Your choice of a specific party might depend on the preferences of insurance carriers, legal counsel, external contracted incident response teams, and law enforcement. Exercise caution when paying a ransomware demand, as payment does not guarantee an immediate return to normal operations.
Rethink Third-Party System Risk
Over the past few weeks, numerous organizations, including the recent victims of the MOVEit breach, have felt the impact of third-party breaches. This situation raises the question: will more guidelines and requirements for third-party systems follow?
In the case of the HCA breach, I’m confident that many CIOs and CMOs view these marketing software solutions as low risk, often not prioritizing these systems among the top-tier ones that require stronger governance. However, every organization faces a significant challenge in managing and providing robust oversight with a large inventory of third-party systems. It is time to rethink the strategy.