Security firm COO indicted for allegedly aiding hospital's attackers: What CSOs should know

A grand jury has indicted Securolytics COO Vikas Singla for allegedly helping attackers access Gwinnett Medical Center's phone system and printers. This breach of trust presents a dilemma for CISOs.


No one expects trust to be broken when they engage trusted individuals and companies to safeguard that which requires security, such as protected health information (PHI) and personally identifiable information (PII). Yet that is what happened to Gwinnett Medical Center (GMC) and its Lawrenceville and Duluth, Georgia, hospitals when Vikas Singla, chief operating officer of Securolytics, allegedly broke the bond of trust. Singla, indicted by a grand jury on June 08, 2021, is the subject of an 18-count indictment surrounding his role in aiding and abetting unidentified criminals in their exploitation of Gwinnett’s Ascom phone system and several Lexmark printers used across the medical entity in 2018.

Vikas Singla assumed the role of COO at Securolytics in April 2016. In 2017 Securolytics discovered an exploit called the “Split Tunnel SMTP” exploit, and Singla was quoted as saying the firm tested the exploit against two organizations: a 400-employee hospital and an 11,500-employee healthcare system. Interestingly, Securolytics proffers a case study on how a “top 10 U.S. hospital trusts Securolytics to secure their connected medical and infrastructure devices and to be the ‘source of truth’ for automated IoT asset inventory.”

The "IT incident" at GMC

In October 2018, CSO reported that a possible data breach had occurred at GMC. At that time, a spokesperson for GMC said that there had not been a data breach, saying GMC was investigating an “IT incident.” The alleged attackers had accessed patient records and medical devices. Interestingly, the attackers took to taunting GMC via social network postings and made mention of “owning the Ascom system.”

The accusations Singla faces mesh nicely with GMC’s “IT incident” in both timing and function (the exploitation of the Ascom phone systems). A review of the Department of Health and Human Services, Office for Civil Rights breach notification reports from 2018 makes no reference to a HIPAA data breach involving more than 500 individuals.
