Engineer This

This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.

A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.

“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”

“I’m not authorized to give that out,” the national hospital system operator said.

“OK,” the hacker said and hung up before the operator could ask him why he was calling.

It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.

The hacker’s next call was to that office.

“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.

“Who may I say is calling please?” Duvall’s assistant said.

Partner

“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.

The ruse was working so far. The assistant got flustered.

“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.

“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.

“Give me the username and password now or face obstruction of justice charges!” the hacker said.

“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.

The flustered assistant then gave the phony FBI agent a super administrator password and username.

And SPOK was in the hen house.

Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.

At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.

Merging Blind

Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.

There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers, but health care providers, was causing him great concern.

“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.

The good news for Reed was that it appeared his job was safe.

The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.

The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.

“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”

In mid-October, as the merger moved closer to becoming a reality, Reed sought clearance for and obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas to discuss systems integration and security.

In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not use a two-factor authorization system to gain access to the hospital’s IT system.

If a hacker chose to target Atlas, Reed thought, all they’d have to do is get an IT administrator’s username and a password and they were in.

Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.

Working late one night in the office, Reed deduced that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT system was not only integrated but secure.

The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.

The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.

The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.

“The Atlas Health System network was breached back in July,” the examiner said.

“What?” was all Reed could say.

“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”

“You’ve got to be kidding me,” Reed said.

“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted,” the examiner said.

The news that Atlas was four months into a massive cyber attack and that close to a million records were pilfered was of course very painful for Keith Duvall and his superiors in the IT department and treasury.

When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.

Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.

Pain. No Gain.

The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.

“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.

“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.

The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.

SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.

Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.

“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.

“Saw it,” was Reed’s only response.

A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.

The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.

Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.

Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.

In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.

Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.

Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit www.swissre.com/cyber.