Earlier this month, the U.S. Department of Justice indicted Vikas Singla, the former COO of an Atlanta-area cloud-based threat detection and analytics platform provider Securolytics for helping to launch a cyberattack on the Gwinnett Medical Center. Singla has been charged with 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer – specifically, patient data. The case is now being investigated by the U.S. Federal Bureau of Investigation (FBI).
The Facts
In 2018, Singla executed a cyber attack on Gwinnett Medical Center in Atlanta which allegedly disrupted phone service and network printer service. He also exfiltrated patient data. According to the indictment, Singla aided and abetted others in a cyber attack that was conducted, in part, for financial gain. Singla was arraigned on June 10, 2021.
The 17 charges for intentional damage to a protected computer each carries a maximum sentence of 10 years imprisonment. The single count of obtaining information by a computer carries a maximum sentence of 5 years imprisonment.
According to the Protenus Breach Barometer, hacking incidents rose 42% in 2020. Forty million healthcare records were breached that year, 8 million by insiders. Driving the growth of attacks are overstressed healthcare systems responding to COVID-19 and the sales value of healthcare records sold on the black market.
The number of cyber attacks against U.S. interests is growing generally with healthcare networks and organizations as one of the primary targets. For example, cancer radiation treatment software by Stockholm-based Elektra was the target of an attach which disrupted radiation treatments at 42 healthcare sites across the U.S. Among them were Yale New Haven Health System, Emory St. Joseph's Hospital in Georgia, Southcoast Health in Massachusetts, Lifespan Cancer Institute in Rhode Island and Rhode Island Hospital.
In that case, a first-generation product was the issue, affecting 170 customers. Affected customers have since been moved over to the Azure-hosted product.
Lessons Learned
Enterprises need to consider third-party risks in greater depth. As both incidents show, consultants and partners can cause harm to the organization whether they intend to do so or not.
IT and security consultants are in privileged positions that get them access to a client company's systems. In addition to requiring background checks on individuals, enterprises should have behavioral monitoring software in place to detect anomalies. While arguably IT and cyber security consultants could turn off such controls, contract negotiation should anticipate such a scenario, such as requiring consultants to be monitored electronically as a matter of course. Zero trust is the best policy.
Also increasingly likely are equipment failures caused by cyber security incidents that can harm patients. As the Elekta hack shows, one compromised product can have ripple effects across many healthcare organizations.
Quick Tips
[inlinead-1]
- Assess the state of your company's third-party security practices to identify any remaining gaps.
- Work with legal to ensure potential third-party threats are covered adequately.
- Work with compliance to ensure third parties are complying with internal policies.
- Make sure incident response plans are up to date.
- Adopt a zero-trust cyber security culture.