At a glance.
- Attack on medical network impacts hospitals across the US.
- Data breach at US state of Colorado Department of Higher Education.
Ransomware hits Prospect Medical Holdings.
Prospect Medical Holdings, a major US hospital network that operates sixteen hospitals in the states of California, Connecticut, Pennsylvania, and Rhode Island, has suffered a cyberattack that led to widespread network outages. AP News reports that many of the facilities run by Prospect remained closed on Friday as they work with security experts to recover their systems, a process that could take weeks. A Prospect spokesperson stated that upon learning of the attack the network “took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists. While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible.”
Local news outlets say the Federal Bureau of Investigation (FBI) is working with many of the hospitals directly to respond to the incident. The FBI told the Record they are unable to share details about the attack as the investigation continues, and while the incident bears the qualities of a ransomware attack, no ransomware group has yet claimed responsibility. Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said the agency is "working in close coordination with our federal and private sector partners... and stands ready to provide any assistance needed."
Dmitry Dontov, Founder and CEO of Spin.AI, regrets that ransomware attacks against medical organizations are growing in frequency and severity. “Ransomware attacks, like the one against Prospect Medical Holdings, are unfortunately becoming increasingly common. While we don’t yet know all the specifics of the attack, they commonly target cloud assets and data. These SaaS applications generate a large amount of SaaS data – and with the rise of SaaS application usage during the pandemic – ransomware gangs are targeting this data at rates never before seen. We will very likely see more of these types of attacks, especially those targeting SaaS data and applications, in coming months. Organizations looking to mitigate this type of threat should be proactively assessing their ransomware readiness and ensuring they have hardened their security posture with ransomware detection and response. Detecting ransomware before or during an attack, instead of after the attack, ensures fast incident response and limited impact on SaaS data. Downtime is an inevitable part of any ransomware attack. After the attack it’s too late, and it can take an average of one month to recover the data, with most organizations never fully recovering all of it.”
Colorado Department of Education seeks to cope with data breach.
On Friday the Colorado Department of Higher Education (CDHE) published a “Notice of Data Incident” on its website disclosing it suffered a massive data breach as the result of a ransomware attack that occurred in June. The notification reads, "CDHE took steps to secure the network and have been working with third-party specialists to conduct a thorough investigation into this incident. CDHE also worked to restore systems and return to normal operations." Bleeping Computer explains that the attackers had access to CDHE’s systems between June 11th and June 19th, exfiltrating student and teacher data spanning thirteen years between 2004 and 2020.
The CDHE says it cannot disclose exactly how many individuals were impacted, but as the Denver Post notes, the attack likely affects anyone who attended a public high school, college or university in the state during the thirteen-year period. The compromised data include full names, Social Security numbers, dates of birth, proof of street addresses (statements/bills), images of government IDs, and for some individuals, police reports or complaints regarding identity theft. CDHE says it will notify those potentially impacted by mail or email, and the department plans to improve its cybersecurity protections going forward.
Kevin Kirkwood, Deputy CISO at LogRhythm, suggests a way in which universities might be able to learn from this experience. "Following a ransomware attack in June, the Colorado Department of Higher Education (CDHE) has revealed a significant data breach that has affected students, former students and educators. The breach involved unauthorized access to the Department’s systems spanning a 13-year period from 2004 to 2020. The stolen data includes sensitive information such as full names, social security numbers, dates of birth, addresses, photocopies of government IDs, and in certain cases, police reports or complaints related to identity theft," Kirkwood wrote. "Ransomware attacks, though unfortunate, provide essential learning opportunities for higher education institutions to review incident response procedures and bolster their security posture. To proactively defend against such threats, investing in cybersecurity solutions that detect malicious behavior and enable network infrastructure to block access attempts is the first step. Moreover, prioritizing elements like authentication and access controls, detection and response capabilities, and real-time monitoring is crucial in safeguarding higher education systems and preventing the confidentiality of personally identifiable information (PII)."
(Added, 3:45 PM ET, August 7th, 2023.) Emily Phelps, Director at Cyware, commented on the way holding a great deal of data exposes universities to risk. “Higher education institutions handle vast amounts of valuable data from a diverse user base but lack the resources and technology to effectively defend against cyber-attacks, making them attractive targets for cybercriminals. Practicing strong security hygiene, implementing regular cybersecurity awareness training, and maintaining a robust incident response plan can help mitigate the risks. Collaboration, public-private partnerships, and increased threat intelligence sharing across public entities can lead to more robust, comprehensive defenses, improving resilience and protecting both the organizations and their people.”
(Added, 6:30 PM ET, August 7th, 2023.) Carol Volk, EVP at BullWall, sees containment and incident response as the place where schools should place their limited resources. “Thirteen years of data scooped up in a single breach. There are so many available ways to protect against both the breach and the exfiltration of data. We do not know what defenses the CDHE had in place, but it is imperative that institutions implement the full scope of defenses, as the abuse of data they hold can harm generations of students. Yes, schools are doing their best to stand up the best preventative security tools they can, but there will never be budget or resources to stay ahead of the attackers. Ensuring tools are in place to contain an active attack is where education should focus next.”