The network breach that cancer-care provider 21st Century Oncology Holdings is investigating demonstrates a new trend in healthcare hacks: expanding beyond hospitals and insurance.
The threat now extends to skilled nursing facilities X-ray/MRI centers, surgical centers (surgi-centers), cancer treatment facilities like 21st Century, dialysis centers, diagnostic labs and large extended physician networks such as accountable care organizations, according to Carl Wright, executive vice president of TrapX Security.
“The attack on 21st Century Oncology Holdings shows that large healthcare networks remain under constant and sophisticated attack,” he told Infosecurity. “Beyond hospitals as the obvious targets of choice, the attack on 21st Century Oncology Holdings also shows the broad-scale emerging threat to many other types of healthcare institutions and providers. Our research has shown us that this threat extends to [many other types pf healthcare providers].”
The Fort Myers, Florida-based 21st Century Oncology operates 145 cancer treatment centers in the United States and 36 in Latin America. A database containing personal information of some 2.2 million patients, including their names, social security numbers, physicians, diagnoses and treatment, as well as insurance data, may have been compromised.
The Federal Bureau of Investigation had advised the company of the breach in November but had asked it to hold off on making an announcement so as to not impede the investigation, 21st Century Oncology said on Friday. The company said further investigation showed that the intruder may have gained access to its database in early October, according to Reuters.
Unfortunately, 21st Century and other facilities like it do not yet have the personnel or budgets in place to deploy the systems and infrastructure necessary to meet and defeat new cyber-threats.
“Sophisticated attackers continue to overwhelm legacy cybersecurity defenses and IT teams,” Wright said. “In response, new best practices are evolving rapidly and assume that attackers will breach your networks. The focus moves to targeting attackers already within your networks with deception using lures such as fake medical devices and access to fake patient databases.”
This strategy shift comes even as healthcare data continues to be a top target for hackers.
“Though the clinic has stated that healthcare records were not compromised, that data is likely what the hackers were after,” said Kunal Rupani director of product management at enterprise productivity provider Accellion, via email. “Unlike credit card numbers and other financial data, healthcare information doesn’t have an expiration date. As a result, a patient’s records can sell on the black market for upwards of fifty times the amount of their credit card number, making hospitals and other healthcare organizations extremely lucrative targets for cyber-criminals.”
Photo © SARYMSAKOV ANDREY