In a letter to affected patients (linked below), Planned Parenthood Los Angeles advised affected patients that it “identified suspicious activity on our computer network. We immediately took our systems offline, notified law enforcement, and a third-party cybersecurity firm was engaged to assist in our investigation. The investigation determined that an unauthorized person gained access to our network between October 9, 2021 and October 17, 2021, and exfiltrated some files from our systems during that time.
<p>Planned Parenthood is an institution that sparks a lot of emotions on each side of the aisle. With this emotion comes personal and political investments. This investment from all sides paints a giant target on the organization\’s back. It is a prime opportunity for those seeking to further their political parties\’ agenda, sow seeds of mistrust in the ranks of supporters, and discredit the integrity and safety of the clinics.</p>
<p>If the organization cannot secure its most precious data (patient information), how can individuals trust medical services received will be kept between them and the medical professionals? This is precisely why medical facilities are held to a high standard of information security (HIPAA). Suppose the Planned Parenthood of Los Angeles is shown to have been negligent in its application of the required HIPAA security and privacy rules. In that case, they may be liable for civil and possible criminal charges.</p>
<p>Just because an organization is compliant with their sector\’s mandatory law/standard(HIPAA/NIST/CMMC/<wbr />etc.) does not mean that they are secure. Having the right people, process, and technology in place while utilizing these frameworks will ensure that you have done your due diligence in providing a safe place for business, client, and other sensitive information.</p>
<p><span lang=\"EN-US\">Planned Parenthood and their patients appear to have become victims to yet another ransomware incident. Although details have not been provided about this breach, there is a consistent theme that we see in almost all ransomware attacks. The consistent denominator lies in attackers gaining control of a business’s directory services, most commonly known as Active directory. An exploitation of Active Directory (AD) will reward attackers with the ability to gain domain control, widely distribute malware, and hide their tracks. Compromising AD is not as difficult as one may think because it is intrinsically insecure, tends to have an abundance of vulnerabilities, and often has organizational gaps related to its security. And, although incident responders repeatedly cite that AD was the weakest link, not enough attention is being given to visibility into when privileged accounts are used, putting tighter controls in place for privileged credentials, and limiting what accounts have these privileges. Additionally, adding visibility into credentials that are exposed at the endpoint will remove attack paths and the attack surface that needs to be protected. Adopting AD specific live attack detection tools will also prove invaluable in quickly finding and derailing exploits, which are now averaging under 5 days.</span></p>
<p>This is devastating news at a time when political tensions are raging as the Supreme Court actively debates a direct challenge to 1973 Roe v. Wade. Women\’s personal procedures and diagnosis are just that: personal. Having them stolen for potential exposure puts women in the political cross hairs. Securing medical records has never been more important. We can only hope that this information stays out of the public eye.</p>
<p>There is not honor amongst thieves. This has been shown by Tardigrade malware released upon the vaccine manufacturers or by the DeepBlueMagic hackers that shutdown the computer system in a major Israeli hospital – all IT resources are open to the attack. The PII/PHI that has been stolen from Planned Parenthood go beyond the usual threat actor’s desire for identity data to resell on the dark web. Given that not only was standard identity information stolen, but the theft was coupled with medical background and procedure data, the ramifications of malicious use of this data are easy to imagine. The mechanism has not been revealed but previous hacks on medical institutions have shown a proclivity to both social and technical hacking methods, given the amount of personnel involved and the difficulty of enacting safe security conduct by all team members. This is why the principle of least privilege (PR.AC-6) must be practiced by all medical institutions – to ensure that personnel, and so those who would seek to exploit their credentials, do not have access to data and resources beyond the scope of their work requirements.</p>