Healthcare data has been stolen from more than half of Norway's population by a hacker or hacker group. The attack happened on 8 January according to BleepingComputer and came to light this week after Health South-East RHF, a manager for hospitals in the southeast region of Norway, announced a security breach on its website.
An investigation by IT staff at Sykehuspartner HF - Health South-East's parent company, revealed that there had been evidence of a severe data breach.
Health South-East RHF characterised the attacker as "an advanced and professional player." Law enforcement has now been informed about the attack, and NorCERT, the country's CERT team has also been notified.
Health South-East RHF manages healthcare within 18 of Norway's counties, including the one that holds Oslo, the capital city. It is the largest of Norway's four healthcare regions and manages 2.9 million out of Norway's total 5.2 million inhabitants.
"A number of measures have been implemented to remove the threat, and further measures will be implemented in the future," said Norway's Ministry of Health and Care in a statement.
As for Health South-East RHF itsefl, Norwegian security researchers have been very critical because it has been telling users to relax and that their data is safe, even though the investigation by the company into the hack is not fully completed.
According to researchers, the leak, if it is confirmed, is still nowhere near the scale of what happened in Sweden, when a government contractor leaked the personal details of all the country's citizens yet was only charged half a month's salary.
Commenting on this issue, Andy Norton, director of threat intelligence at Lastline said in an email to SC Media UK: "This is another wake up call for organisations planning to be GDPR compliant. The health service was notified on the 8th of January that anomalies in traffic patterns were occurring. They have 72 hours to gauge the impact. Before notifying authorities and affected parties; the actual evidence gathering and notification has taken much longer than the GDPR requirement. Automated Breach prevention is the only appropriate security mechanism for GDPR notification requirements."
Many commentators, including Raj Samani, chief scientist and Fellow at McAfee drew comparisons with the recent hack on a US hospital, with Samani noting in an email to SC Media UK that: “Unlike the ransomware attack on Hancock Regional Hospital in Greenfield (USA) earlier this week that exploited hospitals' need to avoid disruption to services, this hack has exposed a massive amount of data that could have significant repercussions on the individuals - exposing them to fraud.”
Gary Cox, director of Western Europe at Infoblox concurred, commenting to SC Media UK: “The wealth of sensitive information held by healthcare organisations is immensely valuable to criminals and, as technology becomes more ingrained into core healthcare offerings, there is an increased threat of cyber-attacks stealing sensitive patient data, disrupting services, and putting lives at risk.
“It's little surprise, therefore, that 85 percent of healthcare providers have reported an increase in their cyber-security spending over the past year, with a third investing in DNS security solutions, which can actively disrupt attempts at data exfiltration.
He adds: “It's crucial that healthcare IT professionals plan strategically about how they can manage risk within their organisation and respond to active threats to ensure the security and safety of patients and their data.”
Paul Farrington manager, EMEA Solution Architects at CA Veracode also warned the health sector that: “With the vast amount of sensitive data that it holds, the healthcare industry is a prime target for cyber-attacks. While we've seen a shift recently towards targeting hospitals with ransomware to disrupt services, this case shows that the data itself is still of value to cyber-criminals.
“Despite the number of high profile cyber-attacks on healthcare organisations of the last 12 months, results from the State of Software Security report exemplified the clear investments that many healthcare organisations are taking to secure their digital assets. For example, the pass rate for applications from healthcare organisations against OWASP, which lists the most critical vulnerabilities categories in web applications, rose to 30 percent of applications, up from 27.6 the previous year.
“However, it is crucial that healthcare organisations continue to invest in their cyber-security defences. This is the second high profile attack on healthcare organisations of the week, following the ransomware attack on Hancock Regional Hospital in Indiana, making it clear that the healthcare industry is a prominent target. With the clocks ticking on GDPR, a breach like this in the private sector will have severe financial implications for a firm.”
Samani noted that although security breaches affecting hospital's around the globe now seem to be happening with an alarming regularity, “...despite how it seems, the criminals behind these attacks are not invincible. The cyber-security industry needs to work together to combat the growing rate of cyber-crime targeting public services by making threat intelligence sharing compulsory so that they are best equipped to defend against this threat. Once this is in place every attack will lead us a step closer to finding those responsible.”