Healthcare Breaches Spike 63% in 2016

The continued wave of cyberattacks impacting healthcare institutions in the United States increased by 63% year-over-year to a total of 93 major attacks.

A report from TrapX Labs also shows that sophisticated cyberattackers are now responsible for 31.42% of all major HIPAA data breaches reported in 2016, which is a 300% increase in the last three years.

To give some context as to how pervasive attacks on healthcare institutions have been, in 2014 cyber attackers were responsible for 9.77% of the total major HIPAA data breaches, and this increased in 2015 to 21.11%. These sophisticated and persistent cyber attackers are a huge threat to the protection of patient healthcare data and critical healthcare operations and ultimately present a direct physical risk to the patients themselves.

The five biggest healthcare cyberattacks of 2016, based on the number of protected health information (PHI) data records breached, begins with Banner Health, in an incident in which approximately 3,620,000 patient records were breached, making this the single largest healthcare data breach reported so far in 2016.

No. 2 is Newkirk Products, which was attacked and approximately 3,446,120 records were potentially compromised. In March, 21st Century Oncology was breached and approximately 2,213,597 former and current patients were affected. In August, Valley Anesthesiology Consultants announced they were potentially breached during an ongoing cyberattack that occurred between March 30 and June 13, 2016. 882,590 records were affected. No. 5 is Peachtree Orthopedic Clinic: In November, this provider of orthopedic services headquartered in Atlanta notified 531,000 patients of a cyberattack that had compromised their protected health information.

Central Ohio Urology Group (300,000 patients affected), Southeast Eye Institute (87,314 patients), Medical Colleagues of Texas (68,631 individuals), Urgent Care Clinic of Oxford (64,000 individuals) and Alliance Health Networks (42,372 patients) round out the top 10.

"Through our ongoing research, TrapX Labs continues to uncover hijacked medical devices (medjack) that attackers are using as back doors into hospital networks," said Moshe Ben-Simon, co-founder and vice president of services at TrapX Labs. "Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data. Unfortunately, hospitals do not seem to be able to detect medjack or remediate it. The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices."

The list of devices vulnerable to a medjack attack is large and includes diagnostic equipment such as PET and CT scanners and MRI machines; therapeutic equipment such as infusion pumps, medical lasers and laser eye surgery machines; and life support equipment such as heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines.

The data also shows that attackers have evolved and are now increasingly targeting medical devices that use legacy operating systems that contain known vulnerabilities. By camouflaging old malware with new techniques, the attackers are able to successfully bypass traditional security mechanisms to gain entry into hospital networks and ultimately to access sensitive data.

In addition to medjack attacks, cyber-criminals are increasingly turning to new strains of ransomware to extort money from healthcare institutions. In August, TrapX identified more than 2,000 variations of ransomware that employ different methods of attack on the network. Ransomware is easier to manufacture and deploy than other attack methods, and organized crime is investing significantly in improving tool sets.

To mitigate all of these attacks going forward, TrapX recommends that hospital staff review budgets and cyber-defense initiatives at the organizational board level and consider bringing in new technologies that can identify attackers that have already penetrated their networks. In addition, healthcare organizations need to implement strategies that review and remediate existing medical devices, better manage medical device end-of-life and carefully limit access to medical devices. It becomes essential to leverage technology and processes that can detect threats from within hospital networks.

 “Healthcare institutions are specifically targeted because they have the financial depth to afford the payments, and they have the incentive to make them because of the threat to critical patient care and ongoing operations,” the report noted. “In October 2016 several hospitals in the United Kingdom experienced a ransomware attack that forced them to cancel hospital operations, including scheduled surgical procedures, for a period of several days.”

"Lack of new technology and associated best practices make it very difficult for hospitals to detect and remediate ransomware attacks. We expect to see an increase in the number of incidents in 2017," Ben-Simon continued.

Photo © O M 17

What’s Hot on Infosecurity Magazine?