Baptist Medical Center Pwned…. 1.24 Million Patients Data Is In The Wild

Baptist Medical Center has suffered a malware attack, which involved the exfiltration of data affecting more than 1.24 million patients from two Texas hospitals, according to a statement from Baptist Medical Center:

On April 20, 2022, it was discovered that certain systems within our network may have been infected with malicious code as a result of potentially unauthorized activity. In response to this incident, user access was immediately suspended to impacted information technology applications, extensive cybersecurity protection protocols were executed, and steps were quickly taken to restrict further unauthorized activity. In parallel, an investigation of the incident was immediately launched, and a national forensic firm was engaged to assist with investigation and remediation efforts. Although the investigation is ongoing, it has been determined that an unauthorized third party was able to access certain systems that contained personal information and remove some data from the network between March 31, 2022 and April 24, 2022. As a result of this review, it appears that your personal information may have been involved.

Clearly this isn’t a trivial event given the large number of people who were affected.

I have two comments on this. The first is from Saryu Nayyar, CEO and Founder of Gurucul:

     “Here is yet another example of a security lapse involving a third party. All network access should be monitored continuously in order to detect unauthorized access by malicious insiders, third party contractors, and cybercriminals. Insider threats can quickly become external threats as we’ve seen in this case. Organizations need to re-evaluate their threat detection, investigation and response (TDIR) programs to enhance insider risk and threat initiatives. The most effective defense is an advanced set of behavioral analytics, to baseline and monitor for unusual user behaviors and catch bad actors in real-time before data is exfiltrated.”

The second comment is from Artur Kane, VP of Product for GoodAccess:

     “Hospitals are a tempting target for financially oriented cyberattacks, as the records of malware and ransomware incidents from the past couple of years show. There are three main reasons why cyber criminals like to pick them:

  • First, they have a lot of data to steal. Healthcare institutions contain enormous troves of patients’ personal data, which provides hackers with plenty of loot to sell, if not exploit directly. 
  • Second, hospitals are more likely to pay a high ransom. Healthcare institutions often have large budgets that are required to sustain the large number of highly qualified staff in their employment and cover the upkeep of hi-tech medical equipment. But when a ransomware attack encrypts their sensitive information, hospitals face the threat of a data leak and, worse still, they can no longer provide treatment, which directly threatens human lives. Under such circumstances, healthcare institutions are pushed to comply with the ransom demands to allow them to resume providing medical services.
  • Third, hospitals often lack defenses. Hospitals are similar to banks in how much sensitive data they curate, but they don’t have information protection so deeply rooted in their pedigree. Their purpose is to provide health care, not guard someone’s assets. This could be why their IT is often understaffed and their vast infrastructures often contain vulnerabilities or run-on legacy systems, offering exploitable points of entry for potential attackers. Some of their medical equipment can also harbor malware without it being detected, such as an MRI scanner that runs on Windows but doesn’t even have an antivirus. Their priority is uptime, not security.

However, healthcare institutions can still significantly reduce the risk of an attack by implementing a few security measures:

  • The first is regular and thorough backup of all sensitive data. This is an absolute no-brainer. The likelihood of attacks on healthcare institutions borders on the inevitable and having the ability to recover lost data can save millions of dollars in ransom or damages.
  • Next is adopting a zero-trust network access (ZTNA) policy, which on its own brings several benefits. Under ZTNA, users have to use strong authentication, typically reinforced by multiple identity factors (multi-factor authentication). This makes it much harder for attackers to exploit stolen access credentials. In addition, proper ZTNA keeps logs on all access attempts by users, which can be a helpful resource for tracing the progress of the breach during post-compromise analysis and patching up vulnerabilities thus discovered.

ZTNA operates on the least-privilege principle, which means that users can only access those systems they require for their work, but no others. This approach segments the network, confining the attacker only to a pool of systems to exploit, but denying them free rein of the network, causing difficulty escalating the attack further.

  • Lastly, healthcare institutions need real-time end-to-end network-centric threat detection. Even with the latest patches and vulnerability updates in place, compromise is likely, and hospitals need to invest in solutions that can detect threat activity in network traffic, such as NDR (network detection and response). Given the exorbitant cost of damage that hospitals suffer as a result of malware and ransomware attacks, the investment pays for itself rapidly.”

Things really need to improve as these events keep happening and it is my perception that little is being done until after the event happens. That needs to change or else I suspect that events like this will become more frequent and more severe.

Leave a Reply