Paubox Weekly Fully Automated - A HIPAA compliant email security Podcast

Brockton Hospital hit by cyberattack, incident disrupts patient care

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 4:21
This episode examines recent ransomware attacks affecting Brockton Hospital, Stockton Cardiology, and Rocky Mountain Care, alongside a Dutch supply chain breach impacting eleven hospitals. The hosts discuss the EvilTokens phishing kit that bypasses MFA through Microsoft 365 device code flow exploitation, and share practical defenses including conditional access policies, improved logging, and incident response planning. Key insights from the April Zoom social mixer cover monthly penetration testing, effective security awareness training, and AI adoption guardrails.
SPEAKER_01

You're listening to Pow Box Weekly, fully automated.

SPEAKER_00

Another week, another hospital diverting ambulances. You love to see it.

SPEAKER_01

I do not love to see it. Brockton got hit hard. We're talking ambulance diversions, chemo treatments canceled, pharmacies unable to dispense meds. The trifecta of terrible. Surgeries continued, but with delays. Which, I mean, at least they kept going.

SPEAKER_00

Silver linings in healthcare IT are really something. Good news, we only sort of couldn't do surgery.

SPEAKER_01

The takeaway here is the same one we keep coming back to. Incident response planning. Downtime procedures. If your backup plan is hope it doesn't happen, you don't have a backup plan.

SPEAKER_00

Speaking of attackers getting creative, there's a new phishing kit making the rounds. Evil tokens. Sold on Telegram like it's a side hustle.

SPEAKER_01

And this one's nasty because it doesn't need your password.

SPEAKER_00

Nope. It hijacks the device code flow in Microsoft 365. Attacker starts a legit auth request, tricks you into entering the code on the real Microsoft login page. And now they have your access tokens. Persistent access. No password stolen. MFA bypassed entirely.

SPEAKER_01

So what's the defense?

SPEAKER_00

Conditional access policies. Disable device code flow if you don't need it. And train your users. If someone asks you to enter a code you didn't request, that's a red flag the size of Texas.

SPEAKER_01

On a lighter note, our April Zoom Social Mixer had some great conversations.

SPEAKER_00

Remedium Security made a solid case for monthly pen testing cycles. Not annual, monthly.

SPEAKER_01

Which sounds aggressive until you remember how fast threat landscapes change.

SPEAKER_00

Also, security awareness training. The consensus was it lands better when you make it personal. Show people how they could get scammed, not just here's a policy document.

SPEAKER_01

And we heard some good feedback on PowBox forms for secure document submission. Plus, those sender tags helping users spot pre-vetted emails.

SPEAKER_00

Little things that add up to fewer, did I just click something bad moments?

SPEAKER_01

AI adoption came up too. It's accelerating across healthcare orgs.

SPEAKER_00

Which is great until someone feeds PHI into Chat GPT.

SPEAKER_01

Hence the conversations about guardrails. Always guardrails. Alright. Stockton Cardiology disclosed a ransomware breach. This one traces back to December 2025. Phishing emails to employees, which were then deleted. Deleted, but not before Genesis claimed responsibility.

SPEAKER_00

Here's the thing: deleting the phishing email doesn't undo the damage. If someone clicked, the attackers are already in. Takeaway? Log everything, investigate before you delete, and assume the worst until you can prove otherwise.

SPEAKER_01

Rocky Mountain Care, skilled nursing and home health in Utah, also confirmed a ransomware attack. Keelin posted them to their leak site in February.

SPEAKER_00

Ransom demand, threats to publish, the usual playbook.

SPEAKER_01

They're still reviewing what data was affected.

SPEAKER_00

Which means patients are in limbo. That's the part that gets me. The human cost of we're still figuring it out.

SPEAKER_01

And then there's Chipsoft, Dutch healthcare software company.

SPEAKER_00

This one's supply chain. They got hit, and at least 11 hospitals had to shut down their Chipsoft systems as a precaution.

SPEAKER_01

Most kept functioning, but still.

SPEAKER_00

One vendor goes down, and suddenly a dozen facilities are scrambling. That's the risk nobody budgets for until it's too late.

SPEAKER_01

Third-party risk assessments aren't optional anymore.

SPEAKER_00

They never were. People just treated them that way.

SPEAKER_01

So, big picture. What ties all this together?

SPEAKER_00

It's not bad luck. It's bad configurations, blind spots, device code flows nobody turned off, phishing emails that got deleted instead of investigated, vendors that weren't stress tested.

SPEAKER_01

And most of it?

SPEAKER_00

Not easy, but fixable. Conditional access, better logging, incident response plans that actually get practiced.

SPEAKER_01

The boring stuff that saves you at 2 a.m. Exactly. That's our show. Stay safe out there.

SPEAKER_00

And maybe check your Microsoft 365 auth settings this week. Couldn't hurt. See you next time.