August 2016
Dark Overlord Terrorizes Data Security
By Lee DeOrio
For The Record
Vol. 28 No. 8 P. 3
Over the past few years, the health care industry has faced the lion's share of data breaches. Many involved stolen laptops containing unencrypted data and negligent practices that exposed patient information unnecessarily. For some reason, they all seemed correctable. "It's the encryption, stupid," became a mantra of sorts as many observers scratched their heads over how a fairly simple practice could be so overlooked.
This year, things have changed. First, there was the ransomware phenomenon in which patient information was kidnapped and held hostage until the perpetrator's demands were met or the victim figured out a way to rescue its property. Now, a hacker going by the name of The Dark Overlord has taken the ransomware model to new heights. The mastermind, who has gone about the crimes with an arrogance that would make OJ Simpson nod in approval, has expanded the ransomware concept beyond health care organizations.
In the latest attack, the hacker targeted a software developer (believed to be PilotFish Technology). What's most troubling is that The Dark Overlord claims to have accessed all of the vendor's clients' EHR data. Among PilotFish's clients is the Utah Health Information Network. The hacker claims to be in possession of the source code, software signing keys, and customer license database for Health Level Seven standards, a development that has alarmed many experts.
"The Dark Overlord appears to be taking the next logical step for cyber threat actors to continue to have successful ransomware and protected health information breaches," says Jeff Schilling, CISM, chief security officer at Armor Defense.
The vulnerability of a growing range of health care entities creates appealing targets for hackers looking to expand their attacks beyond what the industry has been accustomed to thus far. "Many of these health care [software as a service] vendors are small start-up companies with brilliant ideas but no ability or staff to protect their development processes and labs," Schilling says. "These companies should know they are at risk as soon as they stand up a server in the cloud, and they cannot put off thinking about security until after their next funding round."
The battle to secure patient data appears to be only widening, with health care's defenses becoming stretched thin as hackers broaden their scope. Throwing money at the problem can work to a degree, but it's going to take ingenuity and cooperation among different industry players to prevent medical records from falling into the wrong hands.