Another healthcare organization has disclosed that the FBI has detected a cyberattack on its computer network exposing information about its patients. MaineGeneral Health, an Augusta-based integrated delivery system
, revealed its breach on Dec. 8. That disclosure comes on the heels of Kentucky-based Owensboro Health on Nov. 13 revealing a network cyberattack that was first detected by the FBI. The two reports illustrate why healthcare organizations need to ramp up their efforts to detect breaches on their own,
rather than rely on law enforcement authorities and others for detection, security experts say. But in the meantime, they predict the FBI will continue to alert organizations as network breaches persist in the months ahead.
MaineGeneral Breach Details
In a statement, MaineGeneral Health CEO Chuck Hays says that on Nov. 13, the provider organization was notified by the FBI "of the detection of certain MaineGeneral data on an external website, which is not accessible by the general public." The organization immediately hired a cybersecurity forensics firm and "launched an internal investigation by its IT team to confirm the security of its system and source of the data breach, and continues to cooperate with the FBI," Hays says. MaineGeneral has confirmed that the data identified by the FBI includes the dates of birth and emergency contact names, addresses and telephone numbers for certain patients referred by treating physicians to MaineGeneral Medical Center for radiology services since June 2009, a spokeswoman tells Information Security Media Group.
Additionally, the data includes the names, addresses, and telephone numbers of certain employees, as well as similar information for certain prospective donors. The forensic investigation hasn't yet determined how many individuals were affected by the incident, the MaineGeneral spokeswoman says, declining to discuss further details about how the breach occurred. The Augusta-based integrated delivery system serves a region of about 180,000 individuals through its medical center and rehabilitation, long-term care, retirement and community care offerings.
"With the assistance of the forensic investigators and in cooperation with the FBI, we continue to investigate precisely what happened and what information is at risk," Hays says in the statement. Although current information indicates that no credit or financial account information was taken, MaineGeneral is offering impacted individuals access to one year of free credit monitoring and identity restoration services. The MaineGeneral incident is not yet listed on the Department of Health and Human Services' "wall of shame" website of major health data breaches affecting 500 or more individuals.
More Alerts to Come?
As security experts say that as law enforcement and government agencies shine a brighter spotlight on cyberattacks affecting the healthcare sector - especially in the wake of the massive hacker breach affecting nearly 80 million members of health plan Anthem Inc. - more organizations - especially those with less mature security programs - could learn from third parties, including the FBI, that they've been breached, some security experts say.
"I believe we will see more notifications and information sharing from the government, and in particular the FBI, who has always had a focus on protecting U.S. businesses, as their capabilities to analyze the Web and detect these activities increases," says Mac McMillan, CEO of security consulting firm CynergisTek. "Both the FBI and Homeland Security will provide briefings for healthcare executive teams to help them understand just how serious the threat is." Daniel Nutkis, CEO of the Healthcare Information Trust Alliance, notes: "Many organizations were unaware of the cyber threats and attacks being perpetrated against their environment. This aligns with ongoing concerns about the level of maturity and available resources within organizations across the healthcare industry to effectively detect and defend against cyber threats."
At a recent security and privacy conference in Boston, an FBI official urged attendees to consider sharing cyber incident information with law enforcement, including the FBI. But the recent incidents at MaineGeneral and Owensboro Health detected by the FBI illustrate that cyber information sharing can be a two-way street. "Information sharing can provide significant benefit in mitigating cyber threats if the contributors can provide information that is timely and actionable," Nutkis notes. The FBI did not immediately respond to an ISMG request for comment.
Stepping Up Security
The FBI's recent breach detection efforts demonstrate why healthcare organizations need to step up their own breach detection efforts, McMillan stresses. The first thing that needs to happen is the industry needs to recognize it's in a real fight with a capable adversary, cyber criminals, and take the threat seriously," he says. "Second, they need to enhance their security posture, and, in particular, the ability to detect anomalous behaviors and known bad actors. "Third, they need to engage with the right partners and understand due diligence and objectivity in assessing their program and controls is not only smart, but necessary. Lastly, they need to gain a better appreciation for the threat and ensure their program is evolving with it."
Battling against health data breaches will only get more difficult as cyber threats evolve, McMillan says. "It's going to take some catching up because frankly our security posture is not where it needs to be in healthcare. Once we do catch up, it will still be a challenge as the threat continues to evolve and develop new ways to evade detection. But we'll have a much better chance of identifying and mitigating the impact of future cyber incidents and hopefully avoiding some of these breaches."