Dr. Christian Dameff, an emergency medicine specialist and cybersecurity researcher at UC San Diego Health, said last week that, though he is not familiar with the details of what exactly went down at Scripps, protecting oneself in those ways generally makes sense even if an attack is not already underway.
He said that, in general, it is difficult for companies to immediately know whether and how much of their private information has left the building. It's not like there is some sort of electronic dashboard able to show what has gone where. Locked-down systems are not easy to analyze, and outside experts generally must be brought in to conduct forensic examinations of impacted systems in order to determine just how deep the damage goes.
"I'm sure that work is ongoing at Scripps, but it's complicated, tedious work that requires very specialized expertise to figure out exactly what they took and when they took it, and then to give recommendations as to what patients should do moving forward," Dameff said.
Many, though, are surely wondering how this could have happened to an organization with a multibillion-dollar budget, one named one of the "most wired" organizations in American health care as recently as 2019.
The IBM X-Force report indicates that recent attacks, whether they deliver ransomware or facilitate record theft, have been exploiting a flaw in the software that runs servers made by Citrix Systems Inc. The company boasts that 100% of the nation's 10 largest health care organizations use its technology, especially to host electronic medical records systems such as the Epic software employed by Scripps and many others across the region.
In 2019, the company issued a security bulletin on a vulnerability in one of its products, called an application delivery controller, which it formerly called NetScaler. There is a case study posted on Citrix's website that specifically says the product was employed at Scripps.
Citrix provides instructions on how to fix the vulnerability, but it seems clear that many organizations aren't getting that critical maintenance work done before hackers use it to gain access. IBM's X-Force report estimates that 8% of all incidents that its X-Force team handled last year had to do with the Citrix vulnerability.
Is this how hackers found their way onto the Scripps network? The company isn't saying.
"Because this is an ongoing investigation, we are limited in what we can say. We will share more information as we are able," said Scripps spokesman Keith Darce in an email Friday.
But scanning for and exploiting equipment vulnerabilities is only one way among many that hackers gain the access they need to unleash digital destruction.
Duping employees who already have access is among the most common methods. A process called phishing is often employed to get employees to share logins and passwords on dummy websites that look just like those run by their companies or to open email attachments said to be from trusted sources that turn out to be malicious programs. Once inside a company's digital defenses, it's easier for software to reach out to remote servers and download a more-damaging payload.
Sure, Dameff said, there are plenty of very good ways to make phishing attacks less likely to succeed. Two-factor authentication, a process that requires employees to verify their logins not just with passwords but also with a program that runs on their smartphones, can help a lot. But two-factor can be cumbersome in situations where life and death is literally on the line day in and day out. Nobody wants to create a situation where a nurse responding to a dying patient can't access critical information in the electronic health record because they forgot their smartphone.
"Multi-factor authentication, password managers and good password practices like choosing complex passwords, email attachment scanning, endpoint security, I'm sure that they had all of that," Dameff said. "It just takes one person in the enterprise clicking a link to have something like this happen, regardless of all the great security controls you put in place."
(c)2021 The San Diego Union-Tribune. Distributed by Tribune Content Agency, LLC.