Healthcare Incident Points to Possible ‘Altered’ Patient Data

Data integrity issues can arise in the wake of a ransomware attack. Case in point: A California podiatrist practice hit by ransomware reports that patient files were possibly “altered” or “corrupted.”

In a notification statement, the Podiatric Offices of Bobby Yee, which has locations in Monterey and Salinas, reports that on Oct. 29, 2018, the practice was “the victim of a ransomware attack which resulted in the unauthorized alteration and potential corruption of their medical files, including patient personal information.” The statement adds that “there is no evidence suggesting that personal or medical information was viewed or exfiltrated.”

The attack was reported to federal regulators on Dec. 20 as a hacking/IT incident affecting 24,000 individuals and involving a desktop computer, laptop, and other portable electronic devices, according to an entry on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website.

Changed But Not Viewed?

Can data be altered or corrupted in ransomware and other cyberattacks without being viewed or exfiltrated, as the podiatry practice of Dr. Bobby Yee says happened at its organization?

“Yes, absolutely,” says former healthcare CISO Mark Johnson, a shareholder at consultancy LBMC Information Security. “Viruses or malware in general do this all the time; they infect a file, and that changes the integrity of the file, i.e. the data of that file. The real question is, are there attacks going on that are designed to change the data, not just the operating system or application, and not just to exfiltrate the data?”

In theory, there are attacks with the capabilities to do this, he notes. “If you have enough access to encrypt the data, then you have enough access to change the data,” he adds.

What’s the Motivation?

While attacks aimed at tampering with data integrity are reason for concern, fortunately, such attacks in the healthcare sector appear to be rare, Johnson says.

“At this point it’s hard to imagine an attack that’s sole motivation is to change the data,” he says. “Ransomware ‘changes’ the data by encrypting it, but it is blackmail or ‘kidnapping’ of your data. Attackers in ransomware assaults want to get paid – that’s their motivation – so they tell you that the data is safe – unchanged – just taken ‘away’ from you until you pay.”

Still, many attack victims in the healthcare sector “are looking to see if they can tell if the data was viewed or left the building, he adds “Few, if any, think about what the attacker did to the integrity of the data.”

Johnson says healthcare organizations need to be on guard for potential attacks that impact data integrity. “Don’t assume that the attacker’s only motivation was to take your data,” he says. “Assume that all of the data that they could have accessed has been altered.”

Read full article