No one expects trust to be broken when they engage trusted individuals and companies to safeguard that which requires security, such as protected health information (PHI) and personally identifiable information (PII). Yet that is what happened to Gwinnett Medical Center (GMC) and its Lawrenceville and Duluth, Georgia, hospitals when Vikas Singla, chief operating officer of Securolytics, allegedly broke the bond of trust. Singla, indicted by a grand jury on June 08, 2021, is the subject of an 18-count indictment surrounding his role in aiding and abetting unidentified criminals in their exploitation of Gwinnett’s Ascom phone system and several Lexmark printers used across the medical entity in 2018.
Vikas Singla assumed the role of COO at Securolytics in April 2016. In 2017 Securolytics discovered an exploit called the “Split Tunnel SMTP” exploit, and Singla was quoted as saying the firm tested the exploit against two organizations: a 400-employee hospital and an 11,500-employee healthcare system. Interestingly, Securolytics proffers a case study on how a “top 10 U.S. hospital trusts Securolytics to secure their connected medical and infrastructure devices and to be the ‘source of truth’ for automated IoT asset inventory.”
The “IT incident” at GMC
In October 2018, CSO reported that a possible data breach had occurred at GMC. At that time, a spokesperson for GMC said that there had not been a data breach, saying GMC was investigating an “IT incident.” The alleged attackers had accessed patient records and medical devices. Interestingly, the attackers took to taunting GMC via social network postings and made mention of “owning the Ascom system.”
The accusations Singla faces mesh nicely with GMC’s “IT Incident” in both timing and function (the exploitation of the Ascom phone systems). A review of the Department of Health and Human Services, Office for Civil Rights breach notification reports from 2018 make no reference to a HIPAA data breach involving more than 500 individuals.
These two categories of devices have broad usage across a wide spectrum of every organization. Patient information, including test results, device output, and billing and accounting data, transits both systems with regularity—all information that in the hands of an adroit criminal entity can be monetarily exploited. The US Department of Justice (DoJ) accuses Singla of participating in this criminal scheme, “in part, for financial gain.”
When trust is broken
The DOJ’s Acting Assistant Attorney General Nicholas L. McQuaid said about Singla’s actions, “Criminal disruptions of hospital computer networks can have tragic consequences. The department is committed to holding accountable those who endanger the lives of patients by damaging computers that are essential in the operation of our healthcare system.”
Chris Hacker, special agent in charge of the FBI’s Atlanta field office, noted, “This cyberattack on a hospital not only could have had disastrous consequences, but patients’ personal information was also compromised. The FBI and our law enforcement partners are determined to hold accountable those who allegedly put people’s health and safety at risk while driven by greed.”
While we lack visibility into the post-incident review and forensics following the 2018 incident, it is not a stretch to connect the indictment handed down by the grand jury concerning events taking place on September 27, 2018, for which Singla is alleged to be responsible, and the late-September GMC IT incident.
Following the IT incident, we know the FBI was contacted by GMC. The ensuing three-plus years of investigation is demonstrative of the level of difficulty in putting together the supra case. Singla, by virtue of his firm being a network security service provider to GMC, had privileged insider access. This level of access was more than sufficient to allow unencumbered and unauthorized access to devices that his firm had been hired to protect.
Many entities make core/context decisions involving the use of contractors or third-party vendors. In this instance GMC’s core competency is the provision of medical services, therefore contracting out to a trusted-third party, Securolytics, can be seen as both practical and prudent.
Which begs the question of every CIO/CISO: If your entity lacks the expertise to test and audit services provided by a trusted cybersecurity contractor, how are you to avoid having a similar incident to that which Singla is accused of perpetrating? The answer lays along a variety of paths. The use of a separate, unrelated entity to perform an operational audit that reaches out and touches all devices and their dependencies will check the ‘trust but verify’ box. Furthermore, audit trails involving access to sensitive PHI or PII must be the norm and not the exception.
Copyright © 2021 IDG Communications, Inc.
