The U.S. healthcare industry is currently engaged in a cyber war against a widely dispersed set of adversaries, which include hordes of financially-motivated hackers and organized cybercriminal groups, hacktivists, and nation-state-sponsored threat actors. Ransomware has become an epidemic, and while there are signs that attacks are leveling off or decreasing, the healthcare industry has yet to see such a dip, now being the most targeted sector.
One trend that has emerged is an increase in extortion-only attacks. Rather than breaching networks, exfiltrating data, and then encrypting files, ransomware is not used. Sensitive data is stolen and demands are issued for its safe return and to prevent the sale or publication of the data, with the file encryption element of the attack abandoned as it is time-consuming and noisy. One attack that has made the headlines – the cyberattack on the Australian health insurer, Medibank Private Ltd – confirms the global nature of the current cyber war, which healthcare organizations around the world are struggling to win. The attack stands out due to the scale of the data theft and the callousness of the perpetrators.
The Medibank Cyberattack
Medibank Private Ltd. is the largest private health insurer in Australia, covering around one in six Australians. On October 13, 2022, Medibank detected suspicious activity within its network. The unauthorized access was terminated, and initially, Medibank CEO David Koczkar issued a statement saying no evidence was found that customer data was accessed. Medibank was then contacted on October 17, 2022, by the threat actor behind the attack seeking payment to prevent the release of stolen data. Threats were issued to publish the stolen data, starting with a sample of the data of some of the most prominent customers, including politicians, actors, activists, social media personalities, and people with “very interesting diagnoses.” Medibank confirmed data theft had occurred on October 20.
Access to the network was gained, sensitive data was stolen, and a ransom demand was issued to prevent the publication and sale of the stolen data of 9.7 million current and former customers. The ransom demand was $9.7m, or $1 for each of the affected individuals. The attack has been attributed to an unnamed Russian cybercriminal group, with reports suggesting REvil was behind the attack. REvil’s data leak site redirects to the site where the Medibank data is being published. REvil was one of the most prolific cybercriminal groups in operation; however, following the arrests of several alleged key members of the group, Russia’s federal security services (FSB) said REvil no longer exists. Whether this attack signals the rebirth of REvil, or if it was conducted by an affiliated group has yet to be confirmed. The Australian Federal Police (AFP) claims to know which group is behind the attack.
Medibank said the threat actor infiltrated its systems using “high-level credentials,” which had the necessary clearance to access large amounts of data, and that multi-factor authentication was protecting those accounts. How those credentials were stolen and MFA was bypassed has not been made public.
The Hackers Show No Mercy
Medibank said it received council from cybersecurity experts regarding paying the ransom, and the consensus was that if the ransom was paid, there was only a limited chance that the stolen data would be returned, that all copies would be deleted, and that there would be no sale or misuse of the data. The decision was then made not to pay the ransom, the implications of which were felt last week when the threat actor started to publish samples of the stolen data, initially posting two lists of data each containing around 100 records.
One was referred to as a “naughty list” which included the data of individuals who had claimed for treatment for drug addiction and mental health issues, and a “good list” that included claims for more generic hospital procedures. That was followed by the publication of another file that included details of around 300 individuals who had claimed for healthcare services related to the termination of pregnancies, then another file was published containing the details of 240 customers who had claimed for alcoholism-related treatments. The information of more than 480,000 customers has now been leaked. Medibank is standing by its initial decision not to make payment.
Medibank has reported to the Australian Stock Exchange that it is expecting a financial hit of around $25m to $35m, not including any regulatory fines or litigation. In terms of the latter, there could well be several lawsuits filed. Lawyers around the country are currently assessing the potential for suing Medibank over the data breach and are assessing the harm that has come from the exposure of highly sensitive data. The breach mitigation and legal costs will have to be covered by Medibank, as chief financial officer, Mark Rogers, confirmed that there was no cyber insurance policy in place due to the excessive cost.
Lessons US Healthcare Organizations Can Learn from the Medibank Cyberattack
The Medibank cyberattack is horrific – for Medibank and especially the 9.7 million affected individuals, and the repercussions will be felt for a long time to come. The situation is still evolving, but there are already lessons to be learned from this hugely damaging cyberattack.
Cybersecurity must be a board-level issue
Even with considerable investment in cybersecurity, defenses can be breached. The security posture of Medibank at the time of the attack is unclear, but one issue that has come to light is the lack of board involvement in cybersecurity at Medibank. Medibank chairman, Mike Wilkins, confirmed there were no cybersecurity or IT experts on the board, something that is all too common at healthcare organizations. Given the high risk of a cyberattack and its potential implications, board-level oversight of cybersecurity is essential. According to Deloitte, which has been called in to investigate the security breach, “Boards have now started looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firmwide implications… Cybersecurity oversight has now become the most important topic for the Board after strategic planning.”
Hope for the Best, But Plan for the Worst
It is often only when a cyberattack occurs that cybersecurity gets the investment it needs, yet it should come as no surprise to any healthcare organization about the high risk of an attack occurring, given the frequency with that they are now being reported. Koczkar has stated that Medibank had planned for such an attack and was able to immediately implement its cyber response strategy for exactly this type of event; however, while an incident response plan had been implemented, shareholders have been voicing concerns about Medibank’s level of preparedness for such an attack, not just in terms of incident response, but the measures that had been implemented to prevent such a breach. Healthcare organizations can hope for the best, but they need to assume that a cyberattack is inevitable and ensure appropriate defenses are in place. It is also vital to not just develop and implement a breach response plan, but to practice the incident response with tabletop exercises, involving all teams involved in the response.
The Importance of Transparent Communication with Customers and Shareholders
The decision of whether or not to pay the ransom is not straightforward, and while there are very good reasons for not paying a ransom, there are repercussions for any decision, as this attack has shown. Medibank clearly stated the reasons why the ransom was not paid, and it was clearly communicated that their decision was in line with the recommendations of the Australian government.
Medibank appears to have opted for a strategy of damage limitation to protect the company’s reputation by downplaying the seriousness of the breach, and that approach has backfired. The CEO first issued a statement that no evidence of data theft had been found, then issued another statement that the attack appeared to be a precursor to a ransomware attack, before finally admitting that data theft had occurred.
Shareholders have been demanding answers with share prices falling sharply, forcing three halts on trading. Many are furious about the management of the breach and the level of transparency of Medibank post-breach, with little information or reassurances provided. Transparency and clear communication with shareholders and customers can go a long way toward protecting a company’s reputation after a data breach, especially one where the perpetrators have been telling shareholders to sell all their shares.
Zero-Trust and Phishing Resistant Multi-factor Authentication
It is currently unclear how credentials were obtained and MFA bypassed, but phishing is a reasonable assumption. While it is important to protect all accounts with multi-factor authentication, especially accounts with high levels of privileges, not all forms of MFA provide the same level of protection. Healthcare organizations should follow the advice of CISA and implement phishing-resistant MFA. A change of mindset is also required for security, shifting from traditional perimeter defenses to zero-trust, with the latter assuming that a network has already been breached, with controls implemented to validate all stages of digital interactions to limit the potential for lateral movement.
The Importance of Cyber Insurance
Medibank will face a huge financial hit from the attack, the initial estimates of which appear to be very low. While the average cost of a healthcare data breach is now $10,1 million, according to the IBM Security 2022 Cost of a Data Breach Report, the cost of mega data breaches of 1 million to 10 million records was calculated to be $49 million, and $180 million for breaches of 10M-20M records. Bloomberg Intelligence suggests the breach cost could rise as high as $450 million if customers sue for damages. Cyber insurance is unlikely to pay all breach-related costs, but the failure to have any cyber insurance policy is a serious risk, and that decision could prove to be incredibly costly.
Greater Protection for Highly Sensitive Data
The nature of the data published by the attacker is shocking. In the United States, disclosure of the details of individuals who have had a legal abortion could cause incredible harm and potentially put women at risk of criminal charges. These data types, along with other highly sensitive information such as substance disorder treatment information, data of domestic violence victims, and patients with stigmatized diseases such as HIV, should be subject to far more stringent protections, as far as is possible, due to the harm that can be caused if that information is exposed. In the Medibank attack, patient data in all of those categories was obtained and published.
The Australia Cyber Security Minister, Clare O’Neil, said that the damage caused by the Medibank cyberattack is “potentially irreparable”. It may be too late for Medibank, but as more information about the attack and response comes to light, the lessons learned will be invaluable to healthcare organizations around the world and may help them prevent similar incidents and manage successful attacks better to reduce the damage caused.
Editor-in-Chief, HIPAA Journal
The post Editorial: Lessons for American Healthcare Providers from the Australian Medibank Health Record Breach appeared first on HIPAA Journal.