Following reports from Bleeping Computer, “On April 11, 2020, Magellan discovered it was targeted by a ransomware attack. The unauthorised actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” Magellan SVP & Chief Compliance Officer John J. DiBernardi Jr says in a breach notification notice filed with the office of the Attorney General of California. As the investigation unveiled, the threat actors behind the ransomware attack were able to steal and exfiltrate “a subset of data from a single Magellan corporate server,” including sensitive personal information.
“In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords,” DiBernardi Jr added.
This is another example of the one-two punch that modern ransomware is inflicting on organizations. The bigger story here was not the encryption of data and subsequent downtime, but the actual exfiltration of the data, which is becoming the norm in ransomware attacks. It\’s unfortunate this would happen during a time of a pandemic to a health care organization, however, cyber criminals generally have a strong, motivating factor that is quite simply, money.
The attack on Magellan serves as a reminder that organizations need to take a layered approach when defending against modern attacks. This ransomware infection and subsequent data exfiltration was once again caused by an email phishing attack. This is still the most prolific and successful type of cyber attack. For this reason, organizations need to have not only strong data loss prevention controls in place along with good backups, but also need to ensure that their staff is trained to spot and report phishing attacks quickly and efficiently.
As expected, the purported ceasefire on healthcare providers by ransomware operators has proven short-lived. Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike: with Magellan under immense strain as it attempted to meet the demands onset by the COVID-19 pandemic. Following the high-profile attack on Fresenius, this should act as another lesson to healthcare providers and other industries.
In this climate of increased threat volume, it’s imperative healthcare organisations have a cybersecurity strategy in place, so they can continue to operate effectively and support and provide diagnoses for their patients. Hallmarks of resilient environments include redundant systems, rapid (or automated) response to changes in threat conditions, and organisation-wide awareness of this unpredictable and unprecedented threat landscape.
Between the news of increasing COVID-19 related deaths, stressful lock-down situations, furloughed workers, and rising unemployment, the last thing that businesses need to deal with is a cyberattack. There’s a law called the “Public Readiness and Preparedness Act” (aka PREP Act) which protects businesses from lawsuits and other product-liability claims when they step up to help make products that are in dire need, such as medical supplies or personal protective equipment (PPEs) during a pandemic.
In addition to the PREP Act, there needs to be a law that adds a legal protection layer for businesses and organizations from cyberattacks that happen during a pandemic. The law should increase and enforce the maximum penalty that a bad actor or hacker may receive if they engage in attacks that negatively impact an organization during such unprecedented events.
Of course, organizations can become more secure by deploying modern security technology to protect sensitive data. Anonymizing data (data tokenization), or minimizing sensitive data in its clear-text format (format-preserving encryption or data masking) are techniques in which organizations can help themselves be less of a target to unauthorized actors. Compliancy requirements for data privacy laws and data security standards – including GDPR, CCPA, PCI DSS, HIPAA – all require some form of sensitive data protection. Organizations need to prioritize data protection across the board.
The stakes are high, and as with the Magellan Ransomware Attack of April 2020, exfiltrated records included personal information such as name, address, Social Security numbers, or Taxpayer IDs. This level of personal detail exposed may have long term impacts on individuals, not to mention possible delays in medical service during the pandemic. If this data were anonymized, the unauthorized actor would have exfiltrated valueless data – nothing that would warrant a data breach notification to go out to hundreds of thousands (or millions) of individuals.
We are again seeing the detrimental impact that ransomware can have on the healthcare industry. Hospitals and healthcare providers are amongst the most frequently targeted organisations because of the highly valuable information that they process. For example, the personal health information (PHI) of military and government agencies, labour unions and employers will certainly fetch a pretty penny on the dark market. This means that the agencies that are most at risk of data exfiltration should take extra care when it comes to training their employees and securing all instances of personal information. The fact that this particular breach can be attributed to phishing and social engineering techniques suggests that there is substantial room for improvement when it comes to security-conscious decision making. Other enterprises within the healthcare vertical should certainly take note and introduce additional security parameters before it is too late. I know this may be easier said than done, especially considering the additional strain on healthcare providers, but security is not a corner that should be cut.