U.S Community Health Center Hacked – 1 Million Patients’ Data Stolen

“The Connecticut-based Community Health Center (CHC) disclosed in February 2025 that it had become a cyberattack victim.” Today, the organization continues to face ongoing challenges with lawsuits, loss of confidence, and possible HIPAA violations.

“Cyberattacks have affected 78% of the U.S. healthcare sector, and each breach costs over 11 million dollars per incident.” Criminal hackers direct many of the attack vectors against U.S. and global healthcare providers because of the financial payoff, disruption of daily operations, and recognition within the dark web community.

Stealing electronic medical records (EMR) is worth far more on the dark web than stealing social security numbers, credit cards, and driver’s licenses. “The average medical record is worth more than $250.00, compared to a credit card worth less than $10.00.”

Healthcare providers facing financial budget cuts, lawsuits, and competition still consider cybersecurity protection secondary to revenue-generating activities, including elective surgeries.

Background of the Cybersecurity Data Breach

Like breaches at many other healthcare providers, CHC’s data breach involved the theft of medical record data.

The Connecticut healthcare provider reported suspicious activity from threat actors on its network in early January 2025. According to its filing with the Attorney General of the State of Maine, CHC believes close to 1,060,936 people were impacted by this event. Because of their investigation, the Attorney General determined that the breach began in October 2024. The hacker gained access to the medical record system and extracted several pieces of data. Once the hacker’s access became known in early 2025, it was blocked.

The healthcare provider reported to the Attorney General’s office that no PII had been deleted from their electronic medical record (EMR) system, and the hackers had not encrypted the information. “The stolen data included personally identifiable information (PII), including patients’ names, dates of birth, addresses, phone numbers, treatment information, test results, social security numbers, and health insurance.”

CHC’s Crisis Management Steps

Upon discovering the rogue connection into their healthcare network, CHC immediately blocked the hacker from further criminal activity. After the healthcare provider blocked the hacker, an external third-party cybersecurity expert team focused on determining whether any information had been stolen, deleted, or encrypted.

The external team then began assisting CHC in deploying advanced monitoring solutions, rolling out endpoint security tools, and upgrading access control capabilities.

Notification to Affected Patients

CHC notified all affected patients of the cybersecurity breach as part of the reaction plan. CHC CEO Mark Masselli expressed regret over the incident to all the impacted parties and pledged his team would invest in updated cybersecurity tools to prevent this event from happening again.

Monitoring Credit Reports and Accounts

Another critical post-action step taken by the CHC leadership included 24 months of free credit reporting, scanning, and monitoring for all COVID-19 service recipients whose social security numbers were compromised.

CHC also included access to a $1,000,000 insurance reimbursement bonus and help in identity recovery because of this cyber data breach.

Understanding Healthcare Data Vulnerabilities

Like other regulated industries, healthcare providers face financial challenges in sustaining various regulatory compliances while remaining economically solvent. Patient lawsuits, cybersecurity attacks, and medical supply chain attacks add to the burden while operating costs continue to rise.

Ultimately, each healthcare provider must decide how to protect its patient records, network and cloud architectures, and user community. Healthcare platforms, including EMRs, have several interconnections between doctors, pharmacies, internal and external labs, and insurance billing companies. Hackers know these interconnections into the healthcare provider’s EMR systems exist, and the interconnections themselves expose several vulnerabilities.

Vulnerabilities exist within the various API connectors, federated authentication, and data exchange protocols. A data breach within a medical insurance provider can cascade into downstream attacks against several healthcare providers.

Even if health providers like CHC invest in additional cybersecurity defensive tools like firewalls, Zero-trust, and cloud security, cyberattacks and data breaches will still happen because of the lack of focus on monitoring and incident response.

Common Weaknesses in Healthcare Cybersecurity

Attacks against healthcare providers happen across several vectors. Hackers continuously scan their latest targets, looking for exposed vulnerabilities that offer the most straightforward and least-detected path into the providers’ various systems.

Healthcare providers have a wide range of vulnerabilities that expose them to cyberattacks. Many of these vulnerabilities exist in legacy platforms that healthcare providers must continue to support until new systems become operational. Often, having to support two systems becomes a security risk in itself.

Legacy Healthcare Systems

Healthcare providers continue to transform their services model, cut costs, and increase patient satisfaction through leveraging artificial intelligence (AI) chatbots for customer service. Migrating towards cloud-based medical services applications and extending the use of secure online portals for patients to schedule appointments creates both convenience and cybersecurity risk.

Migrating to new systems takes time, money, and extended resources to support both systems. Not all healthcare providers have access to the same level of funding to accomplish this. Some smaller providers have either closed their doors or been purchased by a large provider to avoid a costly compliance violation as a result of a cyberattack.

Insecure Data

Healthcare providers generate and access several data sources each day. Some of these data sources include pharmacist information, radiology hosted by a third party, EMR records, and medical transcribing from an outsourced writer. Depending on the host, these data sources have various levels of data security protection.

These inconsistencies in security protection lead to the following cybersecurity attacks:

  • An independent writer transcribing notes from a doctor forgets to encrypt her final documentation before sending it out for review. The information embedded within the document often contains PII details on a specific patient receiving treatment from the doctor.
  • The outsourced blood lab’s user accounts have been compromised, extending access to the healthcare providers’ portal for uploading test results.
  • When doctors leave their laptops or phones unattended in a public place, this opens up the opportunity for someone to take pictures of the screen with a camera phone.
  • A security breach occurred at the medical insurance billing company, causing a downstream breach across all customers.

Insecure Medical Devices and Equipment

Legacy medical device equipment, including operating room equipment, radiology, medicine-dispensing machines, and heart monitors, posed limited cybersecurity risk because many of these devices lacked a connection to the hospital network. The more these pieces of equipment became medical Internet-of-things (IoT) devices, the higher the risk.

These medical IoT devices, including in-surgery remote cameras, remote-monitoring-enabled heart monitoring, and robotic surgery equipment, now connect using IP addressing and routing. While this additional connectivity benefits healthcare providers, it exposes patients to hackers.

Any IP-enabled device is subject to a cyberattack. Denial-of-service (DoS) against a shared device is one example.

Healthcare providers investing in next-generation medical devices must also invest equally in advanced cybersecurity protection capabilities, including advanced network firewalling, intrusion prevention, and multi-factor authentication. Without these advanced security tools, next-generation healthcare devices will become compromised.

Out-of-date Email Security Solutions

Email phishing attacks against doctors, medical practitioners, nurses, and medical supply personnel have become a common attack vector. Hackers use email phishing to lure healthcare professionals into clicking on malicious links that encourage them to change their passwords or accept a malicious attachment loaded with ransomware.

Upgrading to a next-generation email security platform powered by AI and machine learning, data loss prevention (DLP), and email encryption helps healthcare providers protect their patient information and IP-enabled medical devices from attacks from upstream-connected medical partners.

Lack of Monitoring and Incident Response Capabilities

Healthcare providers investing in next-generation cybersecurity capabilities must also ensure they staff the security operations team with experienced engineers who can monitor and respond to cyberattacks 24/7.

Healthcare providers that invest very little in monitoring and incident response will face data breaches similar to CHC’s.

Another critical factor facing healthcare providers continues to be the rising cost of cyber insurance. Security breaches similar to the one CHC faced happen because of a lack of proactive security controls, reactionary monitoring and incident response, or little to no investment in cybersecurity awareness training.

Cyber insurance companies require continuous security awareness training for all end users. They also mandate that all clients show their incident response capabilities, especially if an organization filed a claim during the previous policy term.

Healthcare providers will face increases in their cyber insurance premiums if they cannot monitor their most critical assets to help proactively detect the early signs of cyberattacks.

What is the Role of MDR for Healthcare?

Managed detection and response (MDR) for healthcare helps resolve several issues exposed during the CHC data breach. MDR provides 24×7 monitoring, automated incident response, and compliance reporting. Most MDR providers also provide endpoint security monitoring and log management, especially from Microsoft M365 and Azure cloud-based applications.

CHC’s go-forward cybersecurity strategy needs to encompass MDR capabilities. Healthcare providers struggling with in-house SecOps resources should consider an outsourced partnership with MDR providers.

Why Your IT Staff Can’t Be Cybersecurity Experts?

Nor Should They Be!

Traditional IT personnel come from various backgrounds, including server administration, desktop support, telecommunications, and network engineering. Each domain has some element of cybersecurity defensive layers embedded in some form.

Becoming a cybersecurity expert extends beyond placing a host-based intrusion prevention agent on a server or configuring private VLANs for network segmentation. The reverse also holds: cybersecurity experts rarely have the same level of knowledge in managing servers, configuring routers and switches, or auto-provisioning a desktop image.

Cybersecurity expertise covers how attacks happen, what the organization can do to detect and prevent them, and the ongoing gatekeeping of the defensive tools.

Organizations with traditional IT staff looking to ramp up their cybersecurity knowledge and expertise must engage a managed detection and response (MDR) provider like ForeNova. ForeNova, a global provider of MDR services, helps organizations ramp up resources with an extensive cybersecurity detection and prevention background.

Interested in learning more about Forenova and its resource augmentation and MDR services? Click here to schedule a demonstration of their NovaMDR platform today!

Typical IT Responsibilities vs. Cybersecurity Demands

Classic IT responsibilities include purchasing laptops and servers, creating virtual machines, and installing software, just to name a few. IT departments cover many daily technology functions, including local network and internet access, wireless connectivity, and management of various data sources.

Cybersecurity personnel focus on improving the organization’s security posture. However, because compliance mandates require the separation of duties, the cybersecurity team, including the security operations center (SecOps), reports to a different organizational structure. Classic IT reports to the Chief Information Officer (CIO), and the cybersecurity team reports to the Chief Information Security Officer (CISO). In some organizations, the CISO reports to the CIO or the Chief Financial Officer (CFO).

Most cybersecurity departments consider classic IT their internal customer. Their role involves managing all cybersecurity defensive tools, including firewalls, remote access, intrusion protection, endpoint security, application security, and physical security controls.

Another critical component of the cybersecurity workforce is staffing and supporting all SecOps functions with the proper security skills. These functions include 24×7 monitoring of all cybersecurity protocols and defensive tools looking for cyberattacks. These attacks include email phishing, ransomware attacks, data exfiltration, or identity theft. Qualified cybersecurity professionals, including engineers, architects, and threat modeling experts, have unique and critical skills to combat these threats.

The skills required to join cybersecurity and SecOps teams differ greatly from those needed by classic IT resources.

Skills Gap Between IT and Cybersecurity

The skills gap continues to widen as more organizations face an increasing number of cybersecurity attacks that impact all elements of their enterprise networks, cloud instances, and applications. The more IT resources deployed across an organization, the greater the security threats against the ever-growing attack surface.

IT personnel, especially network engineers, cloud architects, and mobility engineers, learn elements of cybersecurity protection specific to their domain. SecOps teams and security architects collaborate with classic IT engineers to create a new cloud environment, perform internal audits, or enable broader cybersecurity defensive controls to help protect various IT platforms.

IT engineers invest equally in ongoing training and knowledge specific to their domains. Cybersecurity teams also stay current on the latest cyberattacks and new technology, including artificial intelligence and machine learning tools, and continuously improve their ability to leverage automation to help stop attacks without human intervention.

CIOs and CISOs leverage continuous education and automation to help address their various service needs. These leaders also leverage automation to help address the constant challenge of hiring and keeping talent. Some organizations attempt to cross-train IT and cybersecurity engineers to help address staffing and budget shortfalls.

While leveraging cross-training as a temporary stopgap, CISOs and CIOs recognize that this strategy creates a longer-term risk to the organization.

The Risks of Dual Roles

While creating dual roles to address staffing shortages may provide temporary relief and coverage, IT and cybersecurity teams will ultimately fall behind in staying current with their respective technology disciplines.

Cybersecurity engineers continue to be in high demand. While many are open to learning skills, especially outside of their current domain, many prefer to stay within the cybersecurity field.

Classic IT engineers investing in cybersecurity training also value learning new skills. However, by spending time away from the traditional domain, most engineers risk falling behind the latest innovations and capabilities within their current IT tools and solutions.

Combining Cybersecurity Professionals with IT Staff

Nurturing competent IT and cybersecurity engineers who focus on continuously improving their skills within their most substantial domain helps the organization maximize use of their talents. This ensures that IT resources are deployed correctly and that the proper level of cybersecurity tools are enabled and sustained.

This strategy also helps reduce organizational risk. The challenge of retaining IT and cybersecurity talent compels senior leadership teams to merge teams or consider subcontracting with external resources.

Leveraging contracting resources helps organizations inject expert resources into their various IT and cybersecurity teams almost immediately. Staff augmentations help organizations fill necessary roles instead of hiring a full-time employee. These external resources often come with years of experience in IT and cybersecurity.

Blending internal and external IT and cybersecurity resources into one team, especially for small-to-medium (SMB) and mid-enterprise organizations, helps reduce costs and promotes better collaboration. The risk of too much cross-training is far smaller than in a larger organization.

Within these smaller organizations, IT and cybersecurity personnel cover several roles. This overlapping coverage often becomes a reality, especially if the organization struggles with funding. This overlapping of teams allows for developing a coverage model in case one resource departs the organization or goes on vacation.

Burnout and Workforce Shortages

Merging IT and cybersecurity teams brings considerable benefits to organizations. However, employees becoming burnt out from supporting several roles remains a problem for all organizations. CIOs and CISOs looking to lower their overall IT and cybersecurity costs place a huge burden on their people, ultimately with the result that employees leave the firm and seek employment elsewhere.

Even with investments in security automation, extended detection and response, and staff augmentation from an outside resource, senior leaders who choose to pressure employees still face job burnout realities.

Replacing valuable internal talent becomes an even more significant challenge, especially if these resources have been with the firm for several years and possess valuable tribal knowledge of corporate networks, applications, and cybersecurity controls.

The risk of losing high-value resources and their tribal knowledge poses severe risks to the organization. Replacing talent with years of internal experience is nearly impossible.

Organizations look towards developing longer-term relationships with managed service providers to outsource all or most IT and cybersecurity functions. Organizations wanting to create a fixed-cost model for their IT and cybersecurity functions often make this decision and reduce overall organizational risk relating to workforce shortages.

The Role of Managed Detection and Response (MDR)

Managed detection and response (MDR) providers continue to become strategic and tactical resources for CISOs and CIOs. MDR providers like Forenova specialize in a specific cybersecurity skill set and have experience in incident response automation, endpoint security, and compliance reporting.

ForeNova’s premier platform, NovaMDR, is built to accept log files from several sources, including Microsoft M365 and other security architectures. NovaMDR helps organizations reduce SecOps operations costs by providing 24×7 monitoring, rapid incident response, and log management while becoming a valued partner to your IT and cybersecurity teams.

MDR providers help create a lower-cost, highly flexible support model as staff augmentation or a fully outsourced engagement. CIOs and CISOs favor MDR providers like Forenova to help meet various compliance and privacy regulations.

NIS2, DORA, KRITIS, and others require 24×7 monitoring of critical hosts, applications, and portals. Forenova’s NovaMDR platform helps meet compliance mandates through its various service offerings.

Why ForeNova?

Are you considering leveraging an MDR provider as a staff augmentation or outsourced partner? ForeNova continues to set the gold standard in MDR service engagements. Their various service offerings are priced to help SMBs and mid-enterprise firms with a much-needed cybersecurity defensive strategy at an affordable price.

ForeNova’s unique ability to craft its MDR service offerings to align with various industries, including healthcare, automotive, education, and retail, makes it a preferred partner with many CIOs and CISOs.

Advanced Persistent Threats: Protecting German Manufacturing with Managed Detection and Response

Advanced Persistent Threats, or APTs, are attacks that breach networks to gain access to valuable data. To put into scope the challenges Germany and others are facing, look no further than the growth in the APT protection market.

The Advanced Persistent Threat Protection market will reach $14.6 billion by 2025, with a CAGR of 16.1% from 2020 to 2025.

The market of cybersecurity solutions designed to address APT attacks is growing because the threat continues to expand across all industrial sectors and countries. Ransomware, Denial-of-Service (DoS) attacks, and intellectual property theft are attack vectors used by APTs.

ForeNova, a global provider of managed detection and response (MDR) services, understands the growing problem of APTs targeting high-value industries in Germany. These APTs focus on high-value data, including intellectual property theft.

German manufacturing firms look to MDR providers like ForeNova for help with 24/7 monitoring, automated incident response, and greater observability of APT threats.

Interested in learning more about ForeNova’s NovaMDR platform offering?

Click here to schedule a demo with the ForeNova engineering team today!

Impact of APTs on the Manufacturing Sector in Germany

Bitkom announced a projected cost of 206 billion euros ($224 billion) for IT theft, data breaches, espionage, and sabotage in Germany during 2023. This report marks the third year in a row exceeding 200 billion euros, according to a survey of over 1,000 companies.

State-sponsored cyberattacks against high-value German manufacturing are second only to industrial espionage. Both attack vectors continue to increase in complexity and sophistication.

Buried within these attack vectors are complex automated kill chains that leverage adversarial AI tools. These kill chains combine several simulated attacks, including:

  • Distributed Denial of Service against edge architectures, including web portals, Zero-trust, and SASE-based instances.
  • Advanced email attacks against manufacturing site managers, production teams, and operations groups, which are very common.

German manufacturers continue to see rising ransomware attacks delivered through email phishing, with the endgame of extorting manufacturing firms, shutting down critical production systems, or redirecting global supply orders to the wrong suppliers.

The kill chain also contains social engineering attacks, physical intrusions, and the constant threat of insiders.

Rise in Insider Threats Within Manufacturing

Manufacturing firms face a dual challenge: network users can exfiltrate crucial data, and operations risk disruptions and production slowdowns while companies investigate these attacks.

Dealing with State-Sponsored APT Groups

State-sponsored attacks bring an additional dimension to attack surfaces. China, Russia, North Korea, Vietnam, Nigeria, South Africa, and other nation-states all contribute to the APT nightmare globally.

APT groups funded by nation-states present several challenges for cybersecurity teams across all industries. Most of these groups are well-funded, have access to state-sponsored cybersecurity research material and tools, and draw on a resource pool of talent within these countries’ military forces.

MuddyWater: APT34

This Iranian group is widely known to target the energy and defense industries.

Fancy Bear (APT 28)

Established in 2004, this Russian-based APT group targets manufacturing and critical infrastructure in the United States and Germany.

Chinese hacker group APT 27

This APT group has targeted German companies in sectors such as pharmaceuticals and technology and successfully stolen valuable intellectual property assets.

APT31: Judgment Panda

This Chinese state-sponsored APT group conducts cyber espionage for national interests, employing sophisticated spear-phishing, malware, and zero-day vulnerabilities to target governments, businesses, and political entities globally.

Judgment Panda targets U.S., German, and Hong Kong political figures, critical infrastructure, and industrial manufacturing.

Which Manufacturing Industries in Germany Remain the Highest Value Targets for Hackers?

Previously, APT groups focused their cyberattack efforts on stealing money, committing financial fraud through email phishing, and leveraging ransomware to extort money from their victims.

APT groups that focus their efforts on the German manufacturing sectors do so on the premise that operational disruptions, stealing intellectual property, and/or committing cyber attacks are far more profitable.

Manufacturers facing unplanned production outages face financial losses of between $900 and $17,000 per minute. These same cyberattacks also cause a downstream problem with the supply chain supporting the manufacturing processes.

Hackers targeting high-value manufacturing may choose to embed malware into user devices, host-based application platforms, and robotic control units. These malware files go unnoticed because most devices and hosts receive infrequent software updates.

These well-placed malware files were more than likely introduced through an email phishing campaign.

Automotive

Like other German manufacturing firms, the German automotive industry continues to experience various cyberattacks against its employees, supply chain partners, and networks.

The Volkswagen data breach exposed the information of 800,000 EV customers. In addition to this security breach, Volkswagen also faced intellectual property theft. In 2015, hackers compromised nearly 19,000 documents related to Volkswagen’s research and development projects. However, the company did not report the event until 2024.

Chemical

Two former employees of Lanxess, a chemical company, stole intellectual property, including trade secrets and information on constructing next-generation nuclear reactors.

The buyers of these trade secrets included a Chinese company that planned to use the stolen information to develop a competing product against Lanxess.

Machinery

Nation-state hackers and hacktivists globally target manufacturing businesses like VARTA.

In February 2024, hackers breached VARTA AG’s systems, disrupting global battery production and impacting its supply chain. Two weeks later, VARTA revealed the real threats and announced a temporary shutdown of IT systems and output for security reasons.

Pharmaceutical

APT 27, a Chinese hacker group known for attacking Western government agencies, also targeted BfV, a German pharmaceutical and technology company.

“Besides stealing trade secrets and intellectual property, the hackers tried to penetrate customers’ and service providers’ networks to infiltrate several companies simultaneously.”

Researchers also found a new extortion group, Morpheus, active since December 12, 2024, claiming to have compromised Arrotex Pharmaceuticals (Australia) and PUS GmbH (Germany) through data theft.

The Role of Managed Detection and Response (MDR)

MDR providers like ForeNova are critical in preventing APT groups from becoming successful. ForeNova’s expertise in proactive monitoring, observability, automated incident response, and threat modeling helps protect clients from a wide range of cyberattacks.

NovaMDR, ForeNova’s groundbreaking service, ingests log data from endpoint devices, Microsoft M365, and other sources. Leveraging the AI and ML functions, NovaMDR processes the data in real time and helps detect attacks quickly. This quick reaction capability, combined with the log data processing and automated incident response, helps contain even the early signs of a ransomware attack.

NovaMDR’s ability to handle these early signs of action also reduces the human resource cost of incident response. Organizations that leverage firms like ForeNova can reallocate human capital resources to other parts of the organization.

Benefits of Implementing MDR in Manufacturing

Leveraging NovaMDR for manufacturing creates many positive engagement models. Automotive manufacturers seeking to comply with TISAX can leverage NovaMDR to help monitor critical cybersecurity controls protecting the various supply chain connections and applications required under this compliance mandate.

Chemical manufacturing firms in Germany could also use NovaMDR to monitor the intrusion prevention tools, firewalls, and email systems guarding the Internet-of-things (IoT) devices that control chemical compound distribution systems, environmental controls, and flow control systems.

German machinery firms migrating to Industry 5.0 robotics and automation controls could benefit from having ForeNova monitor these devices. Hackers using ransomware malware attempt to gain control of the computer control units for these automated tools, which can shut down operations entirely. NovaMDR’s ability to process log data in real time and leverage automated incident response can protect machinery’s production line systems from cyberattacks.

Like other German manufacturing firms, pharmaceutical firms continue transforming their research platforms globally by promoting greater interconnection and collaboration. This transformation comes with an inherent risk. Organizations working together to find a cure for AIDS and COVID-19 become subject to intellectual property theft from insiders. Contractors, disgruntled employees, or even competitors could be among these insiders.

NovaMDR’s ability to process M365 logs helps determine if someone is attempting to copy valuable data to a USB or using email to send files outbound.
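The two exfiltration signals named here (files copied to removable media and files leaving by email), which the MDR section earlier also frames as log monitoring of Microsoft 365 activity, can be illustrated with a small detector. The following is an added example written for this page, not NovaMDR's code or the real Microsoft 365 audit schema: the event fields, the organization domain `example-health.test`, the thresholds, and the sample events are all constructed for illustration.

```python
"""
Added example (not the page's or ForeNova's code): scan a batch of constructed
audit events for two exfiltration signals and report the users involved.

Assumptions: a simplified, made-up event shape with keys time, user, action,
file, bytes, and (for EmailSent) recipient. Real audit logs differ; the
detection logic, not the schema, is the point.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example-health.test"   # assumed organization mail domain
USB_COPY_THRESHOLD = 3                    # copy events to removable media per window
ATTACHMENT_BYTES_THRESHOLD = 5_000_000    # outbound attachment bytes per window
WINDOW = timedelta(minutes=10)            # sliding window for both rules

# Constructed sample events (UTC timestamps); names and files are fictional.
SAMPLE_EVENTS = [
    {"time": "2025-01-07T09:00:00", "user": "alice@example-health.test",
     "action": "CopyToRemovableMedia", "file": "patients_q4.xlsx", "bytes": 2_100_000},
    {"time": "2025-01-07T09:02:00", "user": "alice@example-health.test",
     "action": "CopyToRemovableMedia", "file": "lab_results.csv", "bytes": 900_000},
    {"time": "2025-01-07T09:04:00", "user": "alice@example-health.test",
     "action": "CopyToRemovableMedia", "file": "billing_export.csv", "bytes": 1_500_000},
    {"time": "2025-01-07T10:30:00", "user": "bob@example-health.test",
     "action": "CopyToRemovableMedia", "file": "slides.pptx", "bytes": 4_000_000},
    {"time": "2025-01-07T11:00:00", "user": "carol@example-health.test",
     "action": "EmailSent", "recipient": "dr.k@example-health.test",
     "file": "referral.pdf", "bytes": 300_000},
    {"time": "2025-01-07T11:05:00", "user": "carol@example-health.test",
     "action": "EmailSent", "recipient": "me@personal-mail.test",
     "file": "research_dataset.zip", "bytes": 4_200_000},
    {"time": "2025-01-07T11:09:00", "user": "carol@example-health.test",
     "action": "EmailSent", "recipient": "me@personal-mail.test",
     "file": "research_dataset_part2.zip", "bytes": 1_900_000},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _first_window_hit(events, threshold, weight):
    """Slide a WINDOW-long span over one user's events (sorted by time) and
    return a summary of the first span whose summed weight reaches threshold,
    or None if no span does."""
    events = sorted(events, key=_ts)
    start = 0
    for end, event in enumerate(events):
        while _ts(event) - _ts(events[start]) > WINDOW:
            start += 1
        span = events[start:end + 1]
        if sum(weight(e) for e in span) >= threshold:
            return {"events": len(span),
                    "bytes": sum(e["bytes"] for e in span),
                    "first": events[start]["time"], "last": event["time"]}
    return None


def _group_by_user(events, action, keep=lambda e: True):
    grouped = defaultdict(list)
    for event in events:
        if event["action"] == action and keep(event):
            grouped[event["user"]].append(event)
    return grouped


def detect_removable_media_copies(events):
    """Users with USB_COPY_THRESHOLD or more removable-media copies in one window."""
    hits = {}
    for user, evs in _group_by_user(events, "CopyToRemovableMedia").items():
        hit = _first_window_hit(evs, USB_COPY_THRESHOLD, weight=lambda e: 1)
        if hit:
            hits[user] = hit
    return hits


def detect_outbound_attachments(events, internal_domain=INTERNAL_DOMAIN):
    """Users whose attachments to external recipients exceed the byte threshold
    in one window; mail to the organization's own domain is ignored."""
    external = lambda e: not e["recipient"].lower().endswith("@" + internal_domain)
    hits = {}
    for user, evs in _group_by_user(events, "EmailSent", keep=external).items():
        hit = _first_window_hit(evs, ATTACHMENT_BYTES_THRESHOLD, weight=lambda e: e["bytes"])
        if hit:
            hits[user] = hit
    return hits


def find_exfiltration_signals(events, internal_domain=INTERNAL_DOMAIN):
    """Combine both rules into one list of alerts for an analyst queue."""
    alerts = []
    for user, hit in detect_removable_media_copies(events).items():
        alerts.append({"signal": "removable_media_copy", "user": user, **hit})
    for user, hit in detect_outbound_attachments(events, internal_domain).items():
        alerts.append({"signal": "outbound_attachment", "user": user, **hit})
    return sorted(alerts, key=lambda a: a["first"])


if __name__ == "__main__":
    for alert in find_exfiltration_signals(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input, the detector flags alice (three copies to removable media within four minutes) and carol (6.1 MB of attachments to an external address within ten minutes) and leaves bob's single copy and carol's internal referral alone. The thresholds and the window are the tuning knobs a SecOps team would set from a baseline of normal activity; the value of a rule like this lies in the triage step that follows, not in the alert itself.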

Why ForeNova?

Germany has some of the world’s most advanced manufacturing techniques. However, over two-thirds of German companies have been affected by a security breach, as attackers, some suspected of being foreign spy agencies, seek to steal trade secrets.

ForeNova’s expertise in identifying early signs of a persistent threat through email, endpoint, or network channels helps lower the risk for their German manufacturing clients.

Combining the firm’s knowledge of global APT hacker groups, its artificial intelligence (AI) and machine learning (ML) defensive capabilities, and compliance reporting support, ForeNova continues to become a strategic service partner that helps its clients stop APT attacks and intellectual property theft.