
InterMed Breach: How Threat Intelligence Sources Help Maintain Domain Integrity

Major healthcare providers suffer a lot from breaches, both from a legal and financial standpoint. Aside from patient lawsuits, they also face severe penalties imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

So not surprisingly, the average cost per breached record in the healthcare sector in the U.S. this year has reached US$429—which could easily translate to millions of dollars, depending on how many customers a compromised entity has.

Based on that estimate, InterMed’s potential fines could reach US$12.87 million for the breach the company suffered in September. Here are further details about the compromise:

  • An email account owned by an InterMed staff member was hacked on September 4, 2019.
  • Internal investigations uncovered that threat actors accessed three more email accounts on September 7 and 10. These accounts revealed the personal information of around 30,000 patients.
  • Personally identifiable information (PII) such as names, dates of birth, insurance details, and clinical data were stolen.
  • The Social Security numbers of some patients were also compromised.
  • InterMed maintained that the attack did not affect its entire patient database. Recently added electronic health records (EHRs) were also not put at risk.

As a result of the breach, InterMed warned patients that they should watch out for unauthorized payment card transactions and forged letters from insurance or healthcare companies in the coming days. It also offered free credit monitoring and identity theft protection to the clients whose records were impacted.

The healthcare firm is right to indicate that their clients are vulnerable to fraudulent activities following the attack. It’s also common to see a spike in spearphishing campaigns as a result of data breaches.

How the Threat Intelligence Platform Can Help Keep Domains Secure

Data loss due to email-related incidents is prevalent in the healthcare industry. In a recent industry survey, 95% of healthcare organizations claimed that they received emails from imposters in the past year.

Note that it’s relatively easy to conduct reconnaissance on a target host today, thanks to the ubiquity of online directories. For instance, a quick Google search for “InterMed email address” would lead users to a RocketReach listing for the healthcare firm. While the directory did not reveal the email addresses of many company employees, it did provide clues on the organization’s most used email formats (e.g., jdoe@intermed[.]com and janedoe@intermed[.]com).

The page also lists the names of the company’s employees and president. Pretty much all hackers need to do is send a message with a malicious attachment to a person on the list using the likely used email address formats. They can also attempt to brute-force their way into employee email accounts with weak passwords and use these for attacks or gain entry into confidential databases.

Email security software and strong passwords are usually the first lines of defense against such threats. In addition, threat intelligence insights can help ensure the integrity of an organization’s domain infrastructure, as leaving gaping vulnerabilities in place is an open invitation for attackers to steal confidential information.

We analyzed InterMed’s domain, which revealed some interesting findings. Results from our Threat Intelligence Platform (TIP) showed multiple Secure Sockets Layer (SSL) vulnerabilities concerning data encryption and authentication.

One way of ensuring the security of an organization’s network is to disable suboptimal cipher suites, such as those built on NULL, EXP(ort), DES, and RC4 ciphers. In InterMed’s case, it may be a good idea to disable DES-CBC3-SHA (triple DES), since 64-bit block ciphers may be subject to the CVE-2016-2183 birthday attack known as “SWEET32.” Setting an HTTP Public Key Pinning (HPKP) header is also recommended, as this could decrease the risk of man-in-the-middle (MitM) attacks that use forged certificates.
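The cipher-suite advice above can be turned into a repeatable check. The following script is an added example and is not code from the original article or from the Threat Intelligence Platform product: it takes a list of cipher suites in OpenSSL’s naming convention (as returned by scanners or by a server’s own configuration), flags every suite that uses a NULL, export-grade, DES/3DES, or RC4 cipher, and builds the hardened list that remains. It goes slightly beyond the article’s list by also flagging anonymous key exchange (ADH/AECDH), which matters for the authentication side of the findings. The advertised suite list is constructed for illustration, not captured from InterMed.

```python
"""Audit an OpenSSL-style cipher suite list for the weak families named above.

Added example; not part of the original article or the TIP product.
Suite names follow OpenSSL conventions ("ECDHE-RSA-AES128-GCM-SHA256")
or IANA/TLS 1.3 conventions ("TLS_AES_256_GCM_SHA384"). Matching is done
on whole tokens, so "AES" is never confused with "DES".
"""
import re


def weak_reasons(suite: str) -> list[str]:
    """Return the reasons a suite should be disabled ([] if none apply)."""
    tokens = set(re.split(r"[-_]", suite.upper()))
    reasons = []
    if "NULL" in tokens:
        reasons.append("NULL cipher: traffic is not encrypted")
    if any(t.startswith("EXP") for t in tokens):          # EXP-, EXP1024-
        reasons.append("export-grade key length (EXP)")
    if "CBC3" in tokens or "3DES" in tokens:               # e.g. DES-CBC3-SHA
        reasons.append("3DES: 64-bit block, SWEET32 birthday attack (CVE-2016-2183)")
    elif "DES" in tokens:                                  # single DES, 56-bit key
        reasons.append("single DES: 56-bit key")
    if "RC4" in tokens:
        reasons.append("RC4: broken stream cipher")
    if tokens & {"ADH", "AECDH"}:                          # beyond the article's list
        reasons.append("anonymous key exchange: server is not authenticated")
    return reasons


def audit_cipher_list(suites: list[str]) -> tuple[dict[str, list[str]], list[str]]:
    """Split suites into ({weak_suite: reasons}, [suites worth keeping])."""
    weak: dict[str, list[str]] = {}
    keep: list[str] = []
    for suite in suites:
        reasons = weak_reasons(suite)
        if reasons:
            weak[suite] = reasons
        else:
            keep.append(suite)
    return weak, keep


def hardened_cipher_string(suites: list[str]) -> str:
    """Colon-joined OpenSSL cipher string containing only the surviving suites."""
    return ":".join(audit_cipher_list(suites)[1])


# Constructed sample: what a scanner might report a server as advertising.
SAMPLE_ADVERTISED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DES-CBC3-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "RC4-SHA",
    "EXP-DES-CBC-SHA",
    "NULL-SHA",
    "ADH-AES128-SHA",
]

if __name__ == "__main__":
    weak, keep = audit_cipher_list(SAMPLE_ADVERTISED)
    for suite, reasons in weak.items():
        print(f"DISABLE {suite}")
        for reason in reasons:
            print(f"    - {reason}")
    print("keep:", hardened_cipher_string(SAMPLE_ADVERTISED))
```

In an OpenSSL-based server configuration the same exclusions are usually expressed directly in the cipher string with the keywords `!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4`, which is the quickest way to apply the script’s verdict. One caveat on the HPKP recommendation: the major browsers have since removed support for the HPKP header, so certificate-transparency monitoring and CAA records are the practical way to limit forged-certificate MitM risk today.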

* * *

All in all, organizations should continuously revisit their data management policies and train employees to improve their domain hygiene. They can rely on Threat Intelligence Platform to find weaknesses that attackers can take advantage of and strengthen their defenses.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy-to-use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and performing real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
