Lessons learned from the CMS and WPS MOVEit cyberattack

In May 2023, a vulnerability was discovered in the MOVEit software, a third-party file transfer application developed by Progress Software. This software, used by WPS for transferring files related to Medicare services, allowed unauthorized access to sensitive information over a period of several days. Despite the quick release of a patch by Progress Software to address the flaw, unauthorized third parties had already copied files before the patch was applied. By July 2023, WPS notified CMS of the breach, initiating a process to notify affected individuals and provide resources like credit monitoring and new Medicare cards in September.

Read more: HHS issues alert about vulnerability in MOVEit file transfer platform

Lessons

This breach compromised the data of Medicare beneficiaries and raised concerns about the general security posture within healthcare organizations. Here are the key lessons we can draw from this incident:

Lesson 1: Timely patching of vulnerabilities is critical

One of the major contributing factors in the MOVEit breach was the delay in applying the security patch. Once the vulnerability was discovered, Progress Software acted quickly, issuing a patch to prevent further exploitation. However, the time gap between the vulnerability’s discovery and WPS’s response allowed attackers to gain unauthorized access.

Prevention tip: Implement automated patch management

According to IBM, “It takes 277 days on average to identify and contain a breach: 207 days to identify and 70 days to contain.” Organizations could, therefore, invest in automated patch management systems that ensure patches are applied as soon as they are released. By setting up real-time alerts for vulnerability disclosures and automating the update process, healthcare institutions can minimize the window of opportunity for cyberattacks.

Lesson 2: Third-party risks are inevitable

Many healthcare organizations rely on third-party vendors and contractors to handle important services, from software development to data management. In the case of the CMS and WPS breach, the vulnerability existed within third-party software (MOVEit). While the healthcare industry may rely heavily on external partners, third-party risks remain challenging.

Prevention tip: Strengthen vendor risk management

Healthcare organizations should conduct regular risk assessments for their third-party vendors. This includes demanding robust security standards, requiring proof of cybersecurity certifications, and ensuring that vendors implement best practices such as data encryption, regular audits, and incident response protocols.

Read more: Who is responsible for a data breach? 

Lesson 3: Proactive monitoring and incident detection

In the months leading up to the breach notification, the unauthorized access had gone undetected for several days. This suggests that more proactive monitoring and faster incident detection measures could have prevented the breach or reduced its impact.

Prevention tip: Invest in advanced threat detection

Implementing security information and event management (SIEM) systems that monitor and analyze network activity can help detect potential threats before they escalate. Additionally, deploying endpoint detection and response (EDR) tools can give healthcare organizations real-time visibility into security incidents and reduce the time it takes to respond to an attack.

Lesson 4: Prepare for the worst with incident response plans

WPS and CMS took several steps to notify affected individuals and mitigate the impact of the breach, such as offering credit monitoring services and issuing new Medicare cards. These actions controlled the damage caused by the breach, but the response could have been faster had a more streamlined incident response plan been in place.

Prevention tip: Develop and test incident response plans regularly

Every healthcare organization should have a clear and well-documented incident response plan that outlines the steps to take in the event of a breach. This includes identifying roles and responsibilities, communicating with affected stakeholders, and working with law enforcement and cybersecurity experts. Regularly testing and updating this plan is essential to ensuring a swift response during an actual attack.

Lesson 5: Data encryption is a non-negotiable safeguard

The breach involved the exposure of sensitive data, including Medicare beneficiary information, Social Security numbers, and medical history. Encrypting data both at rest and in transit could have further reduced the severity of the incident, as even if unauthorized parties gained access, they would not be able to easily decipher the data.

Prevention tip: Encrypt all sensitive data

Healthcare organizations must enforce strict encryption policies for any sensitive data. This includes PHI and PII, whether it is stored within internal systems, transferred between parties, or shared via third-party vendors. Encryption ensures that even in the event of a breach, attackers cannot make use of the data.

See also: What happens to your data when it is encrypted?

Lesson 6: Educate and empower employees

Even the most secure systems are vulnerable to human error, leading to 95% of data breaches. Employees and contractors are involved in maintaining the security of healthcare data, and they must be trained to recognize security threats and follow best practices for cybersecurity.

Prevention tip: Conduct regular cybersecurity training

Healthcare organizations should implement regular training sessions for employees to educate them about phishing, social engineering, and security hygiene. Empowering staff to recognize potential threats will reduce the likelihood of incidents resulting from human error.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

How does this breach impact the healthcare industry as a whole?

This breach reminds the healthcare industry of the growing threats posed by cyberattacks, particularly due to the highly sensitive nature of patient data. It emphasizes the need for a united, proactive approach to cybersecurity across all healthcare organizations.

What can individuals affected by the breach do to protect themselves?

Affected individuals should take advantage of the free credit monitoring services, regularly check their credit reports for unusual activity, and be cautious of phishing scams. They should also follow the guidance provided in their notification letters and report any suspicious activity to the appropriate authorities.