A significant data breach has occurred at UC San Diego Health. Although the incident has only just been reported, the health body has said the breach happened between Dec. 2, 2020, and April 8, 2021.
As a consequence of the incident patient information — including name, social security number, date of birth medical records and claims information — may have been compromised.
This incident comes shortly after the University of California notified thousands that many of its campuses were infiltrated through outdated file transfer software made by Accellion Inc.
Looking into the incident for Digital Journal is Casey Ellis, CTO, and founder, Bugcrowd.
According to Ellis, the origins of the attack lie with healthcare becoming an increasingly popular target for hackers due to the rich stream of personal and medicinal data that is their to be seized, and also as a consequence of the digital transformation of healthcare, making data thefts more lucrative.
Here Ellis finds: “In an effort to support patients and staff during the pandemic, the healthcare sector has had to quickly become more accessible and connected. This increased accessibility brings increased exposure to attackers, and any time new technologies are quickly implemented there will be exploitable vulnerabilities left behind. This, combined with the intense pressure on the healthcare sector, makes it a prime target for cybercriminals.”
With the specific incident, Ellis assesses the potential impacting, noting: “This breach is an example of the personal sensitive information that can be violated by outside attackers within healthcare organizations such as medical diagnosis and conditions, medical record numbers, prescription information, social security numbers, financial account information.”
In terms of lessons to be learned, Ellis recommends: “With such incredibly sensitive data at stake to cyber attackers, healthcare organizations should fortify their security posture with a crowdsourced cybersecurity approach. This empowers healthcare professionals to assess and mitigate the risks associated with disparate data sources and infrastructure so that patients do not have to worry about the privacy of their data.”
There are other measures to be taken as well, Ellis explains. In this context he recommends “As health needs continue to grow, healthcare providers need to continue to operate without security slowing them down, which is where I have seen great success engaging external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before adversaries can exploit them.”
Such measures, Ellis concludes. Enable: “Healthcare networks to identify security issues before the adversary does, protect their users, and avoid a breach like this one.”