Massive Breach Hits Diagnostic Lab in Healthcare

Yet another massive breach has hit the health care industry this June with Quest Diagnostics' disclosure that 11.9 million customers may have had their personally identifiable information (PII) accessed in yet another high-profile cyber breach. The data was held in systems managed by the American Medical Collection Agency (AMCA) of New York, a billing collector and apparent business associate of Quest Diagnostics.

On May 14, 2019, AMCA notified Quest Diagnostics of "potential unauthorized activity" on AMCA's web payment page. It appears that between August 1, 2018 and March 30, 2019, an unauthorized user had access to the AMCA system that contained confidential PII on Quest Diagnostics patients. This likely included financial information (credit card and bank account details) as well as other personal information such as medical records, personal identity data, and Social Security numbers.

Early evidence seemed to indicate that the attackers gained access to the AMCA website and then ran a "man in the middle" attack, which let them capture payment and other personal information as visitors entered it into the site. It does not appear that laboratory test results internal to Quest were accessed, but the attackers did obtain any medical information that was entered through the AMCA website. AMCA was primarily part of the collection process Quest used to track down customers; that process also involved a company called Optum360, which processes payments.

Note that Quest Diagnostics, like many other health care institutions, was also breached earlier, in 2016. Late in 2016 Quest disclosed a data breach that affected about 34,000 medical records. These included PII such as dates of birth, lab results, and names. In that case, the attackers used an improperly secured mobile application to gain access to the breached medical records.

Quest Diagnostics has certainly not been alone. Last year, in 2018, hackers breached the network at Laboratory Corporation of America (LabCorp), one of the largest clinical laboratories in the United States. Following the detection of "unauthorized activity" on the LabCorp networks, their internal networks were temporarily shut down while the breach was investigated.

The number of successful cyber attacks on the health care industry is growing every year, whether measured in records breached, the number of institutions breached that year, the growth in ransomware, or other key metrics. The data on major data breaches, specifically those affecting more than 500 patients, is available in the HHS OCR database, which anyone can view here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. This portal lists the major breaches and can be sorted to identify those caused by "Hacking/IT Incidents."

Central to this theme is that Quest, AMCA, and LabCorp all likely have many best-in-class security controls installed. They no doubt have very strong cyber security teams, and these teams likely follow industry best practices to reduce the risk of a cyber breach. Quest, AMCA, and LabCorp face the same problem that faces all commercial institutions and governments today: most of the legacy strategies and best practices in use today depend on keeping attackers out by vigorously defending a perimeter. Some attention is paid to the internal networks, and hospitals in particular have been aggressive in implementing network segmentation to protect medical devices, but this is still not enough.

We know today that it is highly probable that sophisticated cyber attackers will get into health care networks. At some point, they will get past all of the IDS/IPS systems, the next generation firewalls, network segmentation, and endpoint detection and response capabilities. All it takes is one successful intrusion to produce a potentially disastrous breach.

New technology sets must be deployed to reduce the attacker's dwell time within the network to the absolute minimum. These new technologies must be put in play to counter the latest attacker tactics and techniques.

You don't need to outrun the tiger; you just need to outrun the attackers' next target of opportunity. Said differently, you don't need to stop every perimeter breach (you cannot do this anyway), but you do need to stop the attackers' progress through the kill chain before they can exfiltrate your data. Consider that Quest's business associate, AMCA, per the reports released, likely had these attackers inside its networks for eight months or more before they were detected. Deception Technology can help reduce dwell times such as these, perhaps very substantially.

A rapidly emerging technology set that is new to health care best practice, Deception Technology has exceptional efficacy in finding these attackers and helping you stop them. Over the past few years it has been deployed by first movers in hospitals, physician practice groups, surgical centers, long term care facilities, diagnostic laboratories, MRI/CT centers, and other key parts of the extended health care ecosystem. Deception works particularly well to help protect the sea of Internet of Things (IoT) and medical devices that are pervasive within health care networks. When a cyber attacker touches just one of the camouflaged deception decoys within your diagnostic lab network, Deception Technology delivers a highly accurate and certain alert to your health care security operations team. The cyber attackers are decisively identified and can then be stopped.
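The property that makes a decoy alert "highly accurate and certain" is that a decoy has no legitimate users, so any connection to it is suspect regardless of port or protocol. The following added example (not Acalvio's or ShadowPlex's code) illustrates this with a constructed decoy inventory posing as lab equipment and constructed flow-log lines; the log format and addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed decoy inventory: addresses that look like lab equipment or back-office
# systems but serve no real workload, so any traffic to them is suspect by design.
DECOYS = {
    "10.20.5.41": "decoy-analyzer-hl7",  # fake HL7 interface of a lab analyzer
    "10.20.5.42": "decoy-pacs-dicom",    # fake DICOM image archive
    "10.20.9.10": "decoy-billing-db",    # fake billing database
}

@dataclass
class Alert:
    source: str
    decoy: str
    decoy_name: str
    dst_port: int
    timestamp: str

def parse_flow(line):
    # Assumed flow-log format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
    ts, src, dst, port, proto = line.split()
    ipaddress.ip_address(src)  # raises ValueError on malformed input
    ipaddress.ip_address(dst)
    return ts, src, dst, int(port), proto

def decoy_alerts(lines):
    """Return one Alert per flow that touches a decoy, whatever the port or protocol."""
    alerts = []
    for line in lines:
        ts, src, dst, port, proto = parse_flow(line)
        if dst in DECOYS:
            alerts.append(Alert(src, dst, DECOYS[dst], port, ts))
    return alerts

def first_touch_by_source(alerts):
    """Earliest decoy touch per source host: the point from which dwell time is now counted."""
    first = {}
    for a in alerts:
        if a.source not in first or a.timestamp < first[a.source]:
            first[a.source] = a.timestamp
    return first

SAMPLE_FLOWS = [  # constructed sample; 10.20.5.40 is a real analyzer, the rest are decoys
    "2019-03-01T02:14:07Z 10.20.7.23 10.20.5.40 2575 tcp",
    "2019-03-01T02:14:09Z 10.20.7.23 10.20.5.41 2575 tcp",
    "2019-03-01T02:15:30Z 10.20.7.23 10.20.5.42 104 tcp",
    "2019-03-02T11:00:00Z 10.20.3.5 10.20.9.10 1433 tcp",
]

if __name__ == "__main__":
    for a in decoy_alerts(SAMPLE_FLOWS):
        print(f"ALERT {a.timestamp} {a.source} -> {a.decoy_name} ({a.decoy}:{a.dst_port})")
```

The first flow, to the real analyzer, produces nothing; the three flows to decoys each produce an alert, and the per-source first-touch time is what a SOC would use to bound how long the intruder had been moving laterally.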

In summary, highly responsible and capable firms like LabCorp, AMCA, and Quest, along with many other health care institutions, will continue to be targets of cyber attackers. It is certain that cyber attackers will penetrate every health care network at some point. The question becomes, "How will you rapidly detect them and shut them down?" At almost every move or turn they make, Acalvio ShadowPlex can be in their path. Once they touch a deception decoy, ShadowPlex identifies them with extreme certainty and generates alerts of the highest integrity and importance for your SOC team.

To find out more about ShadowPlex, please review our resource page here:
https://www.acalvio.com/resources-and-documents/ or contact us for a free trial. We'd be delighted to share more about our technology and how it can help secure health care networks.