The former COO of a cybersecurity company is facing years of house arrest after he pled guilty to breaching the networks of two hospitals belonging to the Gwinnett Medical Center (GMC) system in Georgia.
He admitted committing the acts in June 2021 to "boost his company's business". The defendant worked for Securolytics, a network security company that provided services to the healthcare industry, including his victims, two GMC-associated hospitals in Duluth and Lawrenceville, Georgia.
During his attack on September 27, 2018, he disrupted the health provider's phone and network printer services and stole the personal information of more than 200 patients from a Hologic R2 Digitizer digitizing device connected to a mammogram machine in GMC's Lawrenceville hospital. On the same day, he took over 200 printers in the GMC hospital in Duluth and caused them to print stolen patient information and "WE OWN YOU" messages.
In his plea, the defendant stated he attempted "to create and use publicity about the attack, including by causing the publication of information obtained without authorizations from the Digitizer, to generate business for Securolytics." He then "promoted" the GMC hack on Twitter, tweeting the names, dates of birth, and sexes of 43 patients whose data had been stolen in the breach. Securolytics also reached out to potential clients after the attack, highlighting the GMC incident in its emails.
The man faced 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer. Prosecutors say that the defendant's attack on GMC's ASCOM phone system, printers, and digitizer resulted in more than $817,000 in financial losses, which he agreed to repay.
After he pled guilty, prosecutors stated they will recommend a sentence of 57 months' probation, including home detention, based on the defendant being diagnosed with "a rare and incurable form of cancer" and "a potentially dangerous vascular condition," which warrant "home detention as an alternative to incarceration" so that the defendant can receive appropriate medical care. Sergiu Gatlan, "Cybersecurity firm executive pleads guilty to hacking hospitals," bleepingcomputer.com (Nov. 20, 2023).
This case is unusual in that the criminal who breached the two hospital networks was neither a disgruntled employee nor an anonymous cyberthief operating domestically or from abroad, but instead an executive of the hospitals' own network security provider.
The ease with which he entered the network, via networked printers and digital devices attached to medical equipment, is a reminder that networks can be breached in many ways.
Due diligence is important to minimize your cybersecurity risks. Before engaging a cyber vendor, perform a background check, including a review of online feedback, and speak to the vendor's other clients.
Another risk highlighted by the above matter is that the Internet of Things (IoT) was the entry point. Even small organizations may have many internet-connected devices on their network. Security cameras, printers, scanners, cell phones, thermostats, and specialized electronic devices may all still use factory-issued default passwords, which are easily found on the internet.
Protect web-enabled appliances from attack by taking a few simple steps. First, do not connect any device directly to the internet. Instead, use a router with a firewall to keep outsiders out of your network. Be sure to change the router's default credentials to a complex password.
Check each device's default settings, and make sure features like UPnP are disabled. Avoid IoT devices that advertise built-in Peer-to-Peer (P2P) capabilities. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable remotely over the internet, even through a firewall.
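One way to verify the "UPnP disabled" advice on your own network is to ask the local segment which devices still answer SSDP discovery. The script below is an added example, not code from the article or from any vendor it names; it sends a standard M-SEARCH to the SSDP multicast group, lists every responder, and flags any that advertise the Internet Gateway Device services through which LAN hosts can request inbound port mappings on the router. It assumes it is run from a host on the LAN being audited, and the device names in the comments are constructed illustrations.

```python
import socket
from typing import Dict, List

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
# Service/device types a router exposes when UPnP port mapping is turned on
IGD_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")


def parse_ssdp_response(raw: str) -> Dict[str, str]:
    """Parse one SSDP (HTTP-over-UDP) reply into upper-cased headers; {} if not a 200."""
    lines = raw.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def exposes_port_mapping(headers: Dict[str, str]) -> bool:
    """True if the responder advertises IGD services that let LAN hosts open inbound ports."""
    fields = headers.get("ST", "") + headers.get("USN", "")
    return any(marker in fields for marker in IGD_MARKERS)


def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH to the local segment and collect every responder until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH.encode(), SSDP_ADDR)
    found: List[Dict[str, str]] = []
    try:
        while True:  # keep reading replies (e.g. a printer, a camera) until the socket times out
            data, (ip, _port) = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data.decode(errors="replace"))
            if hdrs:
                found.append({"ip": ip, "server": hdrs.get("SERVER", ""),
                              "location": hdrs.get("LOCATION", ""),
                              "igd": exposes_port_mapping(hdrs)})
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for dev in discover():
        flag = "  <-- router-side UPnP port mapping enabled" if dev["igd"] else ""
        print(f'{dev["ip"]:15} {dev["server"][:40]:40} {dev["location"]}{flag}')
```

Every device listed is one that answers discovery requests from anything on the LAN; each should either be accounted for in your inventory or have UPnP switched off, and a flagged router should have UPnP disabled in its administration settings.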