June 2021 – Disable Unneeded and Unnecessary Accounts and Software

In last month’s training, we reported that the Colonial Pipeline attack had been due to a phishing attack. After the company released corrected information, we learned that wasn’t the case. What had actually happened was that the company was using a VPN device to let employees access the company’s network from home. One of the VPN accounts belonged to an employee who no longer worked for the company, but the account remained open. This meant that no one was monitoring for unused accounts, and eventually the attackers found it. This type of attack is harder to detect because it uses a legitimate account to access data: unless someone was watching for these accounts to connect, it would have looked like any other employee connecting.

This is one reason that HIPAA regulations require that any employee of a medical practice have their accounts disabled, and then deleted, once they no longer work for the practice. This closes several avenues of attack:

  1. Employees no longer need access to data after they have resigned or been terminated from a practice. This prevents malicious access to practice data.
  2. Attackers can’t use old accounts to access data if those accounts can no longer be used.

All accounts belonging to employees who no longer work for a practice should be disabled and later deleted. This includes EMR access, remote access, workstation logins, website access, and email access.
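As an added example (not part of this training page), the following Python script shows the kind of routine check that would have caught both situations described here: it reconciles an HR roster against an inventory of accounts and flags enabled accounts whose owner has left, accounts nobody has logged into for 90 days, accounts with no owner in HR at all, and disabled accounts that have lingered past a 30-day grace period and should now be deleted. The roster, the account inventory, the system names, the audit date and the thresholds are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Account:
    system: str                        # "vpn", "emr", "email", "workstation", ...
    user: str
    last_login: date
    disabled_on: Optional[date] = None  # None = the account is still enabled

# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {"jsmith": None, "mlee": date(2016, 7, 27), "rpatel": date(2021, 1, 15)}

# Constructed account inventory across the practice's systems.
ACCOUNTS = [
    Account("vpn", "jsmith", date(2021, 5, 30)),
    Account("vpn", "mlee", date(2021, 5, 12)),           # owner left, account still in use
    Account("emr", "rpatel", date(2020, 12, 20), disabled_on=date(2021, 1, 15)),
    Account("vpn", "svc_old", date(2020, 9, 1)),         # no HR owner, idle for months
    Account("email", "jsmith", date(2021, 6, 1)),
]
AUDIT_DATE = date(2021, 6, 15)  # constructed "today" so the run is reproducible

def audit_accounts(accounts, roster, today, stale_days=90, delete_after_days=30):
    """Return sorted (action, system, user, reason) tuples; action is disable/delete/review."""
    findings = []
    for a in accounts:
        if a.disabled_on is not None:
            # A disabled account can be re-enabled, so it is still a target; delete it after the grace period.
            if today - a.disabled_on >= timedelta(days=delete_after_days):
                findings.append(("delete", a.system, a.user, f"disabled since {a.disabled_on}"))
            continue
        if a.user not in roster:
            # Nobody in HR owns it, so nobody will report it when it is no longer needed.
            findings.append(("review", a.system, a.user, "no owner in HR roster"))
        elif roster[a.user] is not None and roster[a.user] <= today:
            # Owner has left: disable the same day even if the account is active
            # (activity on a departed employee's account is itself a warning sign).
            findings.append(("disable", a.system, a.user, f"owner terminated {roster[a.user]}"))
        idle = (today - a.last_login).days
        if idle >= stale_days:
            # Unused account: an attacker using it would look like a normal login.
            findings.append(("disable", a.system, a.user, f"no login for {idle} days"))
    return sorted(findings)

if __name__ == "__main__":
    for action, system, user, reason in audit_accounts(ACCOUNTS, HR_ROSTER, AUDIT_DATE):
        print(f"{action:8} {system:6} {user:8} {reason}")
```

In a real practice the roster would come from HR's offboarding list and the inventory from each system's account export (VPN, EMR, mail, workstations), and the report would be reviewed on a fixed schedule rather than only when someone remembers.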

Here is an example that cost one entity over $200,000.

The City of New Haven, Connecticut paid a financial penalty of $202,400 to the Department of Health and Human Services’ Office for Civil Rights because a former employee misused her login access.

The city health department had terminated an employee on July 27, 2016, during her probationary period. On the same day, the former employee returned to the health department offices and locked herself in her old office. While she was there, she logged into her computer with her username and password and copied the health records of 498 patients onto a USB drive. The investigation also found that the former employee had shared her username and password with an intern, who continued to use them to access PHI.

This single incident could have been avoided, but in the end it cost the City of New Haven $202,000, all because the former employee’s account was not disabled.

However, this isn’t limited to accounts. Unnecessary software installed on a computer can also give attackers a way in. Sometimes we install software for a specific purpose, use it once, forget about it, and it stays on the computer. Later, a vulnerability (a bug) may be found in that forgotten software, and an attacker can use it to compromise the computer. This is an extremely common way for hackers to gain access to a practice. It is critical to install only the minimum set of programs you need for your work. One thing we often see on computers in practices is browser extensions for price comparison, finding e-coupons, etc. These extensions collect data from the computer they are installed on and send it off for marketing purposes. Usually little thought is put into making these extensions safe, and many contain security bugs that allow an attacker to completely take over your computer. Here is a good article that explains some of the basics:

Chrome extensions are vulnerable: Advantage, bad guys (TechRepublic.com)

The lesson here is: don’t install unnecessary software on any device in a practice. If you do need to install something, remove it after you have finished using it. Disable any unneeded accounts on your computers and devices and, later, delete them entirely.