The potential impact of the breach of Oracle Health’s Cerner Legacy servers has CISOs and CIOs from the health care arena planning how to respond.
The health IT company has not publicly acknowledged the breach but it has been communicating with impacted customers, BleepingComputer reports. The company is also dealing with another incident involving its cloud servers.
With patient data at risk, what should health care CIOs and CISOs think about these breaches and the ever-present cloud of third-party risk?
Legacy System Breaches
Oracle did not respond to InformationWeek’s request for comment on the Oracle Health breach. Thus far, the company is remaining tight-lipped about both breaches. This lack of transparency is engendering significant criticism.
Hackers gained access to legacy Cerner servers with data that had not yet been moved to Oracle’s cloud storage, Reuters reports. Some health care customers were notified in January.
The scope of the breach is not yet clear. As of April 3, the breach impacting Oracle’s health care customers has not been posted on the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal.
Oracle acquired the electronic health records company Cerner back in 2022. As of January 2024, Oracle Cerner had a 21.7% share of the inpatient hospital EHR market, second only to Epic, according to Definitive Healthcare.
“That’s a significant amount of potentially impacted clients,” says Scott Mattila, CISO and COO of Intraprise Health, a health care compliance and cybersecurity company.
Already, there are reports of hospitals being extorted by a threat actor using the name “Andrew,” according to BleepingComputer. The actor is threatening to leak data if hospitals do not cough up millions in cryptocurrency.
The second incident, involving Oracle Cloud’s federated SSO login servers, concerns the alleged theft of 6 million records, BleepingComputer reports. The company initially denied the breach despite analysis from security researchers. It has since acknowledged the breach, informing some of its customers that old client credentials had been stolen from a legacy environment, Bloomberg reports.
Legacy system risk is not new in the health care industry. It is typical for data migration, like the moving of data from old Cerner servers to Oracle’s cloud, to be a slow process, according to Mattila.
“We anticipate that with any type of data migration. You’ve got some clients that are obviously really small, and they’re going to be easy because it’s very linear,” Mattila says. “But then you’re going to have these more complex organizations that are not going to be moving off of that on-prem infrastructure, and it’s taking them time.”
Those legacy systems represent a juicy target for threat actors looking for valuable data with a lower barrier to entry.
“A lot of these older legacy systems, they just get sort of stuffed in the corner a bit and get forgotten about as most of our energy is focusing on building the latest and greatest and the new thing,” Jim Ducharme, CTO of ClearDATA, a multi-cloud security company for the health care industry, tells InformationWeek.
Taking Action
Sifting through the details of the two incidents and the limited information being shared is likely frustrating for potentially impacted organizations.
“The longer we wait and the less information we share as a community — good, bad or indifferent — is putting further harm and risk to even the most critical organizations that are already running on thin margins and overly stressed teams,” says Mattila.
It is time for health care CIOs and CISOs that work with Oracle Health to break out their incident response plans.
Has Oracle sent a notification to your organization? Are there any signs of data exfiltration or suspicious movement in your network?
“Especially if you’re going to do something that disrupts production in your organization, you’ve got to have a good reason to do it,” Devin Shirley, CISO for Arkansas Blue Cross and Blue Shield, points out. “So, you really need to dig in and [get] as much information you can.”
Access management is essential. Look for identities that you don’t recognize. Reset passwords and credentials. How many passwords need to be reset likely depends on how embedded an organization is with Oracle, according to Shirley. It may just be a small team, or it may be hundreds of people. An organization may need to roll out password resets in phases.
“There’s a way to appropriately balance, and I think that’s where the CISO and CEO can come to terms and agree on: How do we make sure we’re not impacted by this, but how do we also keep people working and productive?” says Shirley.
Following any incident, security teams need to maintain continuous monitoring to ensure threat actors do not have any lingering access.
“Continue to monitor and stay as close to what’s going on,” Mattila recommends. “I would at least anticipate that my security team would be giving me a daily update on any progress that’s being made, anything that was identified, that we’re addressing accordingly any risks or potential suspicious activity that has transpired over the course of the last 60 to even 90 days.”
The ongoing Oracle incident is a reminder for all health care leaders to think about their enterprises’ reliance on legacy systems. Upgrading this technology is often an expensive, multi-year project, and not every organization can afford to shoulder that right now. But that doesn’t mean that risk should go unexamined.
“If you’ve got some really legacy infrastructure out there you may not be able to upgrade it immediately — these may be big, longer term projects — but you better think about compensating controls to keep it secure,” says Ducharme.
Third-Party Risk, Again
Last year, the health care industry was rocked by the ransomware attack on Change Healthcare. While that incident was an object lesson in third-party risk, the industry is still learning.
“I can tell you that despite Change Healthcare, despite the Anthem breach before that, we still see the same patterns of attack that took down Anthem [and] that took down Change prevalent today in some of the largest health care organizations in the country,” says Ducharme.
A lack of multi-factor authentication on critical systems facilitated the attack on Change Healthcare, and the 2015 Anthem breach involved stolen login credentials.
“The two biggest ways that we see attackers trying to infiltrate these health care organizations: one is identity theft and two is infrastructure compromise on older systems,” Ducharme stresses.
Health care systems are so complex that it can be difficult to identify and mitigate all of the potential risks. “There are so many broken windows in health care organizations that make them susceptible to breach, that sometimes it’s tough to know which window to fix first,” Ducharme explains.
Despite the knowledge that these risks do exist, with the potential for devastating consequences, health care organizations may not be prioritizing their security posture.
“We’re in a downturned economy. The natural instinct is to start cutting…everything. And I think that’s where CIOs, CISOs, CEOs, CFOs really have to think and look at things through a risk lens. Yes, we can cut any and everything: technology, security, but what’s the risk potential?” asks Shirley. “You save $1 million or $2 million now and then you get breached six months later. Now, you might be paying out $200 million in class action lawsuits. Was it worth it?”
Third-party risk isn’t going anywhere. What does that mean for the health care industry?
“We’re going to [need] demonstrable change in the industry. There has to be. It is no longer acceptable to consider these types of events as business as usual,” says Mattila.