By Pino Vallejo

Back in February, a hacker breached the network of Patterson Dental Supply Inc. (PDSI), the third-party software vendor that services Massachusetts General Hospital (MGH). The hacked files, which are housed by PDSI, store important and private MGH patient information such as names, birthdates, Social Security numbers and other sensitive medical details. 

Even though the breach was detected over five months ago, MGH just recently began alerting the 4,300 dental patients who were potentially affected, a delay due to investigative red tape. “Law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation,” MGH said in a statement.

It’s no secret that the healthcare industry has increasingly been buffeted by waves of attacks like this one, taking it straight to the top of the cyber-attack list. Joe Fantuzzi, CEO of RiskVision, relayed his thoughts on the MGH incident and as it relates to the overarching issue. “Unfortunately the breach at Massachusetts General Hospital is indicative of a much larger problem sourced to their third-party vendors,” stated Fantuzzi. “The healthcare industry is being aggressively targeted by attackers aiming to access and pilfer valuable patient medical data. For hospitals and medical organizations, the stakes are high — in addition to critical patient data that’s jeopardized, hospitals and medical organizations also have to be aware of loss of reputation and potential HIPAA/HITECH violations that could also result in costly penalties. Like other industries, healthcare organizations struggle to wrap their hands around copious risk associated with their numerous third-party vendors. But you can’t manage what you can’t see. Without clear visibility into their risk posture, it’s nearly impossible to develop an effective plan to identify suspicious activity coming from third parties and apply the appropriate risk controls in order to mitigate the threat.”

Fantuzzi went on to say that while no preventative solution for attacks is absolutely fool-proof, there are measures that healthcare organizations can put in place to beef up their security defenses. “Among other things, we recommend they apply risk-based classification, diligence and scoring, third-party benchmarking ongoing risk monitoring and renewal termination, which will give them a leg up in preventing and mitigating these kinds of ongoing attacks.”

Ransomware, another popular form of cyber-attack these days, reared its ugly head this week in the form of a new Locky ransomware strain dubbed “Zepto.” Locky, if you remember, was one of the biggest ransomware attacks in the first few months of 2016, infecting systems in over 114 countries.

Cisco’s Talos security intelligence and research group caught the Zepto bug about a month ago, but according to an article by Threatpost, reported a recent spike, with nearly 140,000 spam messages sent out within the last week. The emails are sneaky, using users’ first names in the messages and urging them to open an attachment that they had “requested.” The malware works using an attached .zip or .docm file which contains a malicious JavaScript file. This makes the attachment appear as a text document, but when opened, unleashes a nasty ransomware downloader.

Craig Williams, senior technical leader and global outreach manager at Cisco Talos, says that Zepto seems quite similar to Locky, but could be unique enough to pose a much more serious threat. “We are watching Zepto very carefully,” said Williams. “It’s closely tied to Locky, sharing many of the same attributes. There is still a lot to learn about Zepto. As far as we can tell, it’s either a new variant of Locky or an entirely new ransomware with many copycat Locky features. This one we are concerned about. It’s professionally built ransomware that is going to infect tens of thousands of users. It’s definitely on the top of radar.”

On a slightly lighter but still serious note, folks using a friend or family member’s login information and password to access computers, websites and other avenues could find themselves on the wrong side of the law, according to a federal court ruling that happened on Tuesday. According to an article by U.S. News & World Report, the 9th U.S. Circuit Court of Appeals ruled 2-1 to uphold the conviction of a man named David Nosal who had been sentenced to a year in prison for breaking into the network of his former employer using the login information of an old coworker. The court found that Nosal had acted “without authorization” and was in violation of the Computer Fraud and Abuse Act – a law in place for dealings with hackers.

Judge Margaret McKeown mentioned that the ruling doesn’t necessarily impact the millions of people who share their passwords, saying the case bears “little resemblance to asking a spouse to log in to an email account to print a boarding pass.” She made a point of stating that Nosal’s right to access his former employer’s network had been “categorically revoked.” “The reality is that facts and context matter in applying the term ‘without authorization,'” McKeown noted.

So does this mean the end of using your brother’s roommate’s cousin’s girlfriend’s HBO GO account information? Probably not, but even so, perhaps it’s time to get your own account.