A hacker with the ominous nickname “thedarkoverlord” appears to have stolen more than 650,000 medical records from three separate healthcare institution databases, and has made them available for sale on the darknet online marketplace TheRealDeal.
In an interview with DeepDotWeb, the hacker referred to the three affected institutions as health organizations located in Farmington, Mo., the Central or Midwestern U.S., and Georgia, respectively. Thedarkoverlord is reportedly offering the databases, or portions of them, for prices ranging from 151 bitcoins (nearly $100,000) to 607 bitcoins (nearly $400,000).
In a separate report from Motherboard, thedarkoverlord claimed to have already sold $100,000 in records belonging to the Georgia facility, and may be extorting the institutions for money in order to prevent further distribution. However, a message the hacker left with DeepDotWeb makes the leaking of the documents already sound more like a fait accompli: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come,” the message read.
In his encrypted conversation with DeepDotWeb, the hacker said he obtained the data, unencrypted and in plaintext, via an active exploit in the Remote Desktop Protocol (RDP), the Microsoft protocol that gives users a graphical interface for connecting to other computers across a network.
Thedarkoverlord said that the Mo.-based facility's data (48,000 patient records in total) was retrieved from a Microsoft Access database located within the organization's internal network, while the Midwestern database (210,000 patients) was pulled from a “severely misconfigured network,” and the Georgia database (397,000 patients) was stolen from “an accessible internal network.” In all three instances, access to the data relied on what the hacker described as “readily available plaintext usernames and passwords.” These details come solely from the hacker's own account; none of the three institutions had confirmed them.
“Securing identity information is one of the core tenets of security and even more critical for privileged users, as they have the keys to the kingdom,” said Amit Saha, COO at data access governance software firm Saviynt, in an email interview with SCMagazine.com. Unfortunately, “It seems that the hackers exploited the credentials of the Electronic Health Record (EHR) system, available in plaintext in all three cases.”
Dean Sysman, co-founder and CTO of IT security company Cymmetria, said the attacker may have started by stealing a single individual user's RDP credentials via a spear phishing scam and then used those credentials along with the exploit to remotely access even more machines on the network, moving laterally through the system until reaching the key databases. “Pretty soon [he'd] be able to get to everyone on the network,” said Sysman, in an interview with SCMagazine.com.
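The chain Sysman describes (one set of RDP credentials reused to hop from workstation to workstation until the EHR database is reached) leaves a distinctive trail in Windows Security logs: successful logon events (Event ID 4624) with logon type 10, RemoteInteractive, which is the type recorded for RDP sessions. The Python below is an added example, not code from the article, from SC Magazine or from any of the firms quoted, showing two checks a detection engineer would run over such records: RDP logons whose source address is outside the organization's internal ranges (the “accessible internal network” problem from the previous paragraphs), and one account opening RDP sessions to several distinct hosts in a short window (the lateral-movement fan-out Sysman describes). The event records, field names and internal address ranges are all constructed for the example and assumed rather than taken from any real telemetry.

```python
"""RDP lateral-movement and exposure checks over Windows 4624 logon records.

Added illustration for this article; it is not the attacker's tooling nor any
quoted company's product. Input records are assumed to be 4624 events already
flattened into dicts by a SIEM or log pipeline; the sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Windows logon type 10 = RemoteInteractive, i.e. an RDP session.
RDP_LOGON_TYPE = 10

# Assumed internal address plan (RFC 1918). A real deployment substitutes the
# organisation's own ranges; do not rely on ipaddress.is_private here, since it
# also treats documentation ranges such as 198.51.100.0/24 as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of successful-logon (4624) records: target account, the
# host logged on to, the source address, logon type and timestamp.
SAMPLE_EVENTS = [
    {"time": "2016-06-27T09:00:00", "user": "jsmith", "host": "WS-101", "src": "10.0.5.17", "type": 10},
    {"time": "2016-06-27T09:04:00", "user": "jsmith", "host": "WS-102", "src": "10.0.5.17", "type": 10},
    {"time": "2016-06-27T09:09:00", "user": "jsmith", "host": "FILESRV-1", "src": "10.0.5.17", "type": 10},
    {"time": "2016-06-27T09:15:00", "user": "jsmith", "host": "EHR-DB", "src": "10.0.5.17", "type": 10},
    {"time": "2016-06-27T10:00:00", "user": "rnurse", "host": "WS-210", "src": "10.0.7.44", "type": 10},
    {"time": "2016-06-27T10:30:00", "user": "rnurse", "host": "WS-210", "src": "10.0.7.44", "type": 10},
    {"time": "2016-06-27T11:00:00", "user": "admin", "host": "EHR-DB", "src": "198.51.100.23", "type": 10},
    {"time": "2016-06-27T11:05:00", "user": "svc_backup", "host": "FILESRV-1", "src": "10.0.1.9", "type": 3},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def rdp_from_outside(events):
    """RDP logons sourced from outside the internal ranges.

    Returns a list of (user, host, src). Any hit means the RDP listener is
    reachable from the internet, or the source is a segment that should not
    be able to reach it.
    """
    return [
        (e["user"], e["host"], e["src"])
        for e in events
        if e["type"] == RDP_LOGON_TYPE and not is_internal(e["src"])
    ]


def rdp_fan_out(events, window=timedelta(minutes=30), threshold=3):
    """Accounts that open RDP sessions to >= threshold distinct hosts within window.

    Sliding window over each account's RDP logons in time order; returns
    {user: [hosts in first-seen order]} using the widest qualifying window.
    A clinician normally works from one or two machines, so a single account
    fanning out across workstations and servers is the lateral-movement signal.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        if e["type"] == RDP_LOGON_TYPE:
            by_user[e["user"]].append((parse_time(e["time"]), e["host"]))

    findings = {}
    for user, logons in by_user.items():
        best = []
        for i, (t0, _) in enumerate(logons):
            hosts = []
            for t, host in logons[i:]:
                if t - t0 > window:
                    break
                if host not in hosts:
                    hosts.append(host)
            if len(hosts) >= threshold and len(hosts) > len(best):
                best = hosts
        if best:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, host, src in rdp_from_outside(SAMPLE_EVENTS):
        print(f"EXTERNAL RDP: {user} -> {host} from {src}")
    for user, hosts in rdp_fan_out(SAMPLE_EVENTS).items():
        print(f"RDP FAN-OUT: {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample the first check flags the `admin` session on `EHR-DB` from an address outside the internal ranges, and the second flags `jsmith`, who reaches four hosts, ending at the database, inside fifteen minutes; the nurse who reconnects to the same workstation twice and the service account's type-3 network logon are not flagged. Both checks are deliberately independent of whatever the unnamed “exploit” was: they key on the credential reuse and reachability that Sysman and the hacker both describe, which is also what survives once the specific bug is patched.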
In an email interview with SCMagazine.com, Kennet Westby, president and co-founder of IT audit and compliance firm Coalfire, criticized healthcare organizations for maintaining databases with weak controls that are “completely inadequate for protecting the sensitive information their patients trust them with. If an organization hasn't implemented encrypted devices, they should be held accountable because the impact is too huge.”
This latest incident continues cybercriminals' disturbing onslaught against healthcare providers in 2016, including a recent spate of ransomware attacks. Right now, the three affected institutions are likely kicking their crisis management campaigns into high gear. “This includes understanding and limiting the exposure, placing immediate countermeasures and proactively communicating the data loss to the regulatory authorities for further forensic analysis and also to affected individuals,” said Saha.
“What they should probably do at this point is try and realize what are the different areas of the organization that are compromised and try to segment them,” added Sysman, in order to “protect the parts of the network that haven't been affected yet.”
Westby also offered his take on how companies might want to interact with the perpetrator: “If the hacker presents an offer and can confirm that he has valuable data, management should actively make sure there is visibility all the way to the board level in order to make a decision on whether or not to engage with him/her. These organizations have a responsibility to protect their patients. Sometimes the best short-term solution is to pay the ransom if there is an adequate case for it.”
Of course, such actions would merely mitigate what already may be severe damage – raising the question as to when the healthcare industry will be ready to take more proactive and serious measures in its fight against cybercrime.
“We are past the tipping point, and somebody needs to be held accountable,” said Westby. “There is a civil responsibility. It is completely unacceptable for this data to be breached, let alone at the extent to which we are seeing. These organizations are using unsophisticated techniques that should've been addressed years ago.”
“Automated security management has been an afterthought for healthcare organizations. Current security precautions have been mostly driven through mandates, which haven't proven effective to address newer threats and advanced attacks,” added Saha. “It is unfortunate that organizations fail to deploy preventive security controls such as maintaining strict access control over EHR systems, enforcing segregation of duty rules, [analyzing] end-user activity for malicious intent, timely removal of inappropriate access, etc.”